Microsoft CVE Summary

This report contains detail for the following vulnerabilities:

Tag CVE ID CVE Title Severity
.NET CVE-2026-50649 .NET Remote Code Execution Vulnerability Important
.NET CVE-2026-50525 .NET Denial of Service Vulnerability Important
.NET CVE-2026-50528 .NET Security Feature Bypass Vulnerability Important
.NET CVE-2026-47302 .NET Denial of Service Vulnerability Important
.NET CVE-2026-50659 .NET Spoofing Vulnerability Important
.NET CVE-2026-50526 .NET Tampering Vulnerability Important
.NET CVE-2026-47304 .NET Security Feature Bypass Vulnerability Important
.NET CVE-2026-50651 .NET Denial of Service Vulnerability Important
.NET Core CVE-2026-57108 .NET Denial of Service Vulnerability Important
.NET Framework CVE-2026-50524 .NET Framework Denial of Service Vulnerability Important
.NET Framework CVE-2026-50650 .NET Framework Elevation of Privilege Vulnerability Important
.NET Framework CVE-2026-50527 .NET Framework Denial of Service Vulnerability Important
.NET Framework CVE-2026-50646 .NET Framework Remote Code Execution Vulnerability Important
.NET Framework CVE-2026-50648 .NET Framework Denial of Service Vulnerability Important
Active Directory Certificate Services (AD CS) CVE-2026-54121 Active Directory Certificate Services Elevation of Privilege Vulnerability Critical
Active Directory Domain Services CVE-2026-50366 Windows Active Directory Domain Services Denial of Service Vulnerability Important
Active Directory Domain Services CVE-2026-49164 Windows Active Directory Domain Services Remote Code Execution Vulnerability Critical
Active Directory Domain Services CVE-2026-49178 Windows Active Directory Domain Services Remote Code Execution Vulnerability Important
Active Directory Domain Services CVE-2026-57976 Windows Active Directory Domain Services Denial of Service Vulnerability Important
Active Directory Federation Services (AD FS) CVE-2026-50368 Windows Active Directory Federation Services Denial of Service Vulnerability Important
Active Directory Federation Services (AD FS) CVE-2026-50304 Windows Active Directory Federation Services Denial of Service Vulnerability Important
Active Directory Federation Services (AD FS) CVE-2026-50695 Windows Active Directory Federation Services Denial of Service Vulnerability Important
Active Directory Federation Services (AD FS) CVE-2026-54983 Windows Active Directory Federation Services Denial of Service Vulnerability Important
Active Directory Federation Services (AD FS) CVE-2026-58529 Windows Active Directory Federation Services (ADFS) Information Disclosure Vulnerability Important
Active Directory Federation Services (AD FS) CVE-2026-56155 Active Directory Federation Services Elevation of Privilege Vulnerability Important
Active Directory Federation Services (AD FS) CVE-2026-50647 Active Directory Federation Server Denial of Service Vulnerability Important
Active Directory Federation Services (AD FS) CVE-2026-50355 Windows Active Directory Federation Services Denial of Service Vulnerability Important
Active Directory Federation Services (AD FS) CVE-2026-50411 Windows Active Directory Federation Services Denial of Service Vulnerability Important
Active Directory Federation Services (AD FS) CVE-2026-50684 Active Directory Federation Server Spoofing Vulnerability Important
Active Directory Federation Services (AD FS) CVE-2026-50324 Windows Active Directory Federation Services Denial of Service Vulnerability Important
Age of Empires II: Definitive Edition Game CVE-2026-50663 Game: Age of Empires II: Definitive Edition Remote Code Execution Vulnerability Important
ASP.NET Core CVE-2026-45646 OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability Important
ASP.NET Core CVE-2026-50506 OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability Important
ASP.NET Core CVE-2026-56170 ASP.NET Core Denial of Service Vulnerability Important
ASP.NET Core CVE-2026-47300 ASP.NET Core Elevation of Privilege Vulnerability Important
ASP.NET Core CVE-2026-47303 ASP.NET Core Elevation of Privilege Vulnerability Important
Azure Active Directory CVE-2026-50653 Azure Active Directory Denial of Service Vulnerability Important
Azure Active Directory CVE-2026-50652 Azure Active Directory Denial of Service Vulnerability Important
Azure CycleCloud CVE-2026-57969 Azure CycleCloud Elevation of Privilege Vulnerability Important
Azure CycleCloud CVE-2026-58279 Azure CycleCloud Elevation of Privilege Vulnerability Important
Azure Monitor Agent CVE-2026-47632 Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability Important
Azure OpenAI CVE-2026-45499 Azure OpenAI Elevation of Privilege Vulnerability Critical
Azure Spring Apps CVE-2026-50338 Azure Spring Apps Elevation of Privilege Vulnerability Important
Azure Synapse CVE-2026-26145 Microsoft Azure Synapse Elevation of Privilege Vulnerability Critical
Code Integrity DLL (ci.dll) CVE-2026-50491 Code Integrity DLL (ci.dll) Elevation of Privilege Vulnerability Important
Composite Image File System Driver CVE-2026-50381 Composite Image File System driver (cimfs.sys) Information Disclosure Vulnerability Important
Content Delivery Manager CVE-2026-50427 Content Delivery Manager Elevation of Privilege Vulnerability Important
Desktop Window Manager CVE-2026-58634 Desktop Window Manager Elevation of Privilege Vulnerability Important
Desktop Window Manager CVE-2026-50692 Desktop Window Manager Elevation of Privilege Vulnerability Important
Desktop Window Manager CVE-2026-58633 Desktop Window Manager Elevation of Privilege Vulnerability Important
Extensible Storage Engine (ESENT) CVE-2026-57088 Extensible Storage Engine (ESENT) Elevation of Privilege Vulnerability Important
Github Copilot CVE-2026-50510 GitHub Copilot Remote Code Execution Vulnerability Important
GitHub Copilot and Visual Studio CVE-2026-41109 GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability Important
GitHub Copilot and Visual Studio Code CVE-2026-47282 GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability Important
HTTP/2 CVE-2026-49788 HTTP/2 Denial of Service Vulnerability Important
M365 Copilot CVE-2026-41106 Microsoft 365 Copilot Elevation of Privilege Vulnerability Critical
Mariner CVE-2026-60000 sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication. Low
Mariner CVE-2026-8925 SASL double-free Moderate
Mariner CVE-2026-59997 internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection. Moderate
Mariner CVE-2026-60001 sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay. Moderate
Mariner CVE-2026-8926 password leak with netrc and user in URL Moderate
Mariner CVE-2026-9080 UAF after pause in socket callback Low
Mariner CVE-2026-55952 TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension Important
Mariner CVE-2026-53361 af_unix: Set gc_in_progress to true in unix_gc(). Moderate
Mariner CVE-2026-59996 scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations. Moderate
Mariner CVE-2026-54886 SSH SFTP server denial of service via extended channel data infinite loop Moderate
Mariner CVE-2026-53359 KVM: x86: Fix shadow paging use-after-free due to unexpected role Important
Mariner CVE-2026-53362 ipv6: account for fraggap on the paged allocation path Important
Mariner CVE-2026-59995 sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server. Moderate
Mariner CVE-2026-14355 ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD Moderate
Mariner CVE-2026-8286 wrong STARTTLS connection reuse Important
Mariner CVE-2026-9545 exposing HTTP/3 early data Important
Mariner CVE-2026-53352 signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() Moderate
Mariner CVE-2026-12413 IKEv2 Denial of Service via malformed fragmentation Important
Mariner CVE-2026-53343 ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow Important
Mariner CVE-2026-53329 drm/amd/display: Use krealloc_array() in dal_vector_reserve() Important
Mariner CVE-2026-14258 Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling Moderate
Mariner CVE-2026-50721 IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload Important
Mariner CVE-2026-56149 Allocation of Resources Without Limits or Throttling in Elasticsearch Leading to Denial of Service Moderate
Mariner CVE-2026-53349 netfilter: nf_conntrack: destroy stale expectfn expectations on unregister Moderate
Mariner CVE-2026-50722 IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload Important
Mariner CVE-2026-12480 Arbitrary HDF5 File Read via Virtual Dataset Bypass in keras-team/keras Moderate
Mariner CVE-2026-8924 trailing dot domain super cookie Important
Mariner CVE-2026-14647 onnx onnxruntime old.cc convPoolShapeInference_opset19 out-of-bounds Low
Mariner CVE-2026-11856 cross-origin Digest auth state leak Moderate
Mariner CVE-2026-10536 HTTP/2 stream-dependency tree UAF Low
Mariner CVE-2026-53355 net: rds: clear i_sends on setup unwind Moderate
Mariner CVE-2026-53347 drm/virtio: Fix driver removal with disabled KMS Moderate
Mariner CVE-2026-8932 incomplete mTLS config matching in conn reuse Important
Mariner CVE-2026-8458 wrong reuse for different services Moderate
Mariner CVE-2026-9547 SSH improper host validation Critical
Mariner CVE-2026-59999 In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not. Moderate
Mariner CVE-2026-12064 proto-default skips SSH verification Important
Mariner CVE-2026-54891 Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application post-handshake in ssl Moderate
Mariner CVE-2026-9079 stale proxy password leak Important
Mariner CVE-2026-8927 env-set cross-proxy Digest auth state leak Moderate
Mariner CVE-2026-55999 xorg-server / xwayland glamor font atlas Heap Buffer Overflow Important
Mariner CVE-2026-14191 WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader Important
Mariner CVE-2026-56001 libXfont2 BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow Important
Mariner CVE-2026-56003 libXfont2 computeProps Property Buffer Heap Buffer Overflow Important
Mariner CVE-2026-53337 net: bonding: fix NULL pointer dereference in bond_do_ioctl() Moderate
Mariner CVE-2026-53356 drm/i915/gem: Fix phys BO pread/pwrite with offset Important
Mariner CVE-2026-53336 nvmem: layouts: onie-tlv: fix hang on unknown types Moderate
Mariner CVE-2026-53327 debugobjects: Do not fill_pool() if pi_blocked_on Moderate
Mariner CVE-2026-49090 Uncontrolled Resource Consumption in Elasticsearch Leading to Denial of Service Moderate
Mariner CVE-2026-53357 Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() Moderate
Mariner CVE-2026-53353 hsr: Remove WARN_ONCE() in hsr_addr_is_self(). Moderate
Mariner CVE-2026-53339 i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() Moderate
Mariner CVE-2026-59818 etcd: gRPC client listener does not enforce `--client-crl-file` certificate revocation Moderate
Mariner CVE-2026-59871 node-tar: Process crash via PAX numeric path type confusion Moderate
Mariner CVE-2026-59873 node-tar: Decompression/parse DoS via unlimited input Critical
Mariner CVE-2026-58250 NATS Server: Pre-auth server crash via double INFO in leafnode handshake Moderate
Mariner CVE-2026-15308 Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations Important
Mariner CVE-2026-40469 Heap buffer overflow in gawk Moderate
Mariner CVE-2026-40467 Use after free in gawk Moderate
Mariner CVE-2026-59874 node-tar: Negative tar entry size causes infinite loop in archive replace Important
Mariner CVE-2026-40553 Stack-based buffer overflow in gawk Moderate
Mariner CVE-2026-20243 ClamAV ALZ Archive Processing Denial of Service Vulnerability Important
Mariner CVE-2026-14461 Out-of-bound read in mtr Moderate
Mariner CVE-2026-56289 Loop with Unreachable Exit Condition in GNU patch Moderate
Mariner CVE-2026-20213 ClamAV PE File Format Processing Out-of-Bounds Memory Corruption Vulnerability Important
Mariner CVE-2026-59922 Mistune plugins/formatting: quadratic-time parsing on long runs of `~~x~~`, `==x==`, and `^^x^^` markers (strikethrough / mark / insert) Important
Mariner CVE-2026-59869 js-yaml: YAML merge-key chains can force quadratic CPU consumption Important
Mariner CVE-2026-14739 DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders Important
Mariner CVE-2026-59928 Mistune block_parser: quadratic-time parsing on long lists of repeated reference-link definitions Important
Mariner CVE-2026-20216 ClamAV InstallShield File Format Processing Resource Exhaustion Vulnerability Important
Mariner CVE-2026-20217 ClamAV PESpin File Format Processing Out-of-Bounds Memory Corruption Vulnerability Important
Mariner CVE-2026-20214 ClamAV FSG File Format Processing Out-of-Bounds Memory Corruption Vulnerability Important
Mariner CVE-2026-20215 ClamAV 7Zip File Format Processing Out-of-Bounds Memory Corruption Vulnerability Important
Mariner CVE-2026-14380 DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile Important
Mariner CVE-2026-14740 DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment Important
Mariner CVE-2026-20244 ClamAV DMG File Processing Denial of Service Vulnerability Important
Mariner CVE-2026-59998 sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory. Moderate
Mariner CVE-2026-56000 xorg-x11-server / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent() Critical
Mariner CVE-2026-38968 ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing. Critical
Mariner CVE-2026-60002 ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.) Important
Mariner CVE-2026-56002 libXfont2 PCF Font Parsing Heap Buffer Overflow Important
Mariner CVE-2026-56288 NULL Pointer Dereference in GNU patch Moderate
Mariner CVE-2026-59856 Vim: Arbitrary Code Execution via PHP Omni-Completion Important
Mariner CVE-2026-38969 ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling. Moderate
Mariner CVE-2026-54908 Pion DTLS: Denial of service via panic while parsing a crafted ECDHE_PSK ServerKeyExchange message Moderate
Mariner CVE-2026-59926 Mistune: XSS via unescaped class option in Admonition directive Moderate
Mariner CVE-2026-40468 Heap buffer overflow in gawk Low
Mariner CVE-2026-58253 NATS Server: Route API Auth Bypass Important
Mariner CVE-2026-58209 NATS Server: MQTT retained and QoS replay bypass subscribe deny filters Moderate
Mariner CVE-2026-53354 arm64: errata: Mitigate TLBI errata on various Arm CPUs Important
Mariner CVE-2026-53332 slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd Moderate
Mariner CVE-2026-53345 KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying Moderate
Mariner CVE-2026-41579 runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations Low
Mariner CVE-2026-58252 NATS Server: Subscribe Authz Bypass via Wildcard-Overlap Moderate
Mariner CVE-2026-59925 inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs Important
Mariner CVE-2026-59890 setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+ Moderate
Mariner CVE-2026-59930 Mistune toc / TableOfContents directive: heading IDs use predictable `toc_N` numbering with no slugification, allowing collision with attacker-controlled `id="toc_N"` content Moderate
Mariner CVE-2026-58207 NATS Server: Remote crash via integer overflow in Connz pagination Important
Mariner CVE-2026-58208 NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled Moderate
Mariner CVE-2026-58251 NATS Server: Queue Subscribe Authz Bypass Moderate
Microsoft 365 Copilot for iOS CVE-2026-58617 M365 Copilot for iOS Elevation of Privilege Vulnerability Important
Microsoft Bing App for IOS CVE-2026-58595 Microsoft Bing App for IOS Spoofing Vulnerability Important
Microsoft Copilot CVE-2026-48561 Microsoft Copilot Remote Code Execution Vulnerability Critical
Microsoft Defender CVE-2026-50658 Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability Important
Microsoft Defender CVE-2026-55012 Microsoft Defender Remote Code Execution Vulnerability Critical
Microsoft Defender CVE-2026-50657 Microsoft Defender for Endpoint for Mac Information Disclosure Vulnerability Important
Microsoft Defender CVE-2026-55011 Microsoft Defender Remote Code Execution Vulnerability Critical
Microsoft Defender for Endpoint CVE-2026-56178 Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability Important
Microsoft Dynamics NAV CVE-2026-55944 Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability Critical
Microsoft Edge (Chromium-based) CVE-2026-14099 Chromium: CVE-2026-14099 Use after free in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14096 Chromium: CVE-2026-14096 Object lifecycle issue in Input Unknown
Microsoft Edge (Chromium-based) CVE-2026-14382 Chromium: CVE-2026-14382 Insufficient validation of untrusted input in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14067 Chromium: CVE-2026-14067 Use after free in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14075 Chromium: CVE-2026-14075 Policy bypass in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14136 Chromium: CVE-2026-14136 Incorrect security UI in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14128 Chromium: CVE-2026-14128 Insufficient data validation in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14137 Chromium: CVE-2026-14137 Insufficient validation of untrusted input in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14385 Chromium: CVE-2026-14385 Heap buffer overflow in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14114 Chromium: CVE-2026-14114 Inappropriate implementation in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-14101 Chromium: CVE-2026-14101 Insufficient policy enforcement in Sandbox Unknown
Microsoft Edge (Chromium-based) CVE-2026-14126 Chromium: CVE-2026-14126 Incorrect security UI in UI Unknown
Microsoft Edge (Chromium-based) CVE-2026-14123 Chromium: CVE-2026-14123 Incorrect security UI in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14066 Chromium: CVE-2026-14066 Insufficient validation of untrusted input in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13987 Chromium: CVE-2026-13987 Incorrect security UI in Mobile Unknown
Microsoft Edge (Chromium-based) CVE-2026-13991 Chromium: CVE-2026-13991 Insufficient validation of untrusted input in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13992 Chromium: CVE-2026-13992 Inappropriate implementation in UI Unknown
Microsoft Edge (Chromium-based) CVE-2026-13980 Chromium: CVE-2026-13980 Incorrect security UI in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13975 Chromium: CVE-2026-13975 Out of bounds read in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-13974 Chromium: CVE-2026-13974 Integer overflow in Safe Browsing Unknown
Microsoft Edge (Chromium-based) CVE-2026-13981 Chromium: CVE-2026-13981 Inappropriate implementation in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13998 Chromium: CVE-2026-13998 Incorrect security UI in File Input Unknown
Microsoft Edge (Chromium-based) CVE-2026-14005 Chromium: CVE-2026-14005 Use after free in Omnibox Unknown
Microsoft Edge (Chromium-based) CVE-2026-14028 Chromium: CVE-2026-14028 Incorrect security UI in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13997 Chromium: CVE-2026-13997 Incorrect security UI in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13994 Chromium: CVE-2026-13994 Inappropriate implementation in Credential Management Unknown
Microsoft Edge (Chromium-based) CVE-2026-13995 Chromium: CVE-2026-13995 Insufficient validation of untrusted input in Autofill Unknown
Microsoft Edge (Chromium-based) CVE-2026-13983 Chromium: CVE-2026-13983 Incorrect security UI in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14386 Chromium: CVE-2026-14386 Out of bounds read in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14407 Chromium: CVE-2026-14407 Inappropriate implementation in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14409 Chromium: CVE-2026-14409 Inappropriate implementation in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14408 Chromium: CVE-2026-14408 Uninitialized Use in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-14405 Chromium: CVE-2026-14405 Uninitialized Use in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14406 Chromium: CVE-2026-14406 Out of bounds read in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14404 Chromium: CVE-2026-14404 Inappropriate implementation in PDFium Unknown
Microsoft Edge (Chromium-based) CVE-2026-14402 Chromium: CVE-2026-14402 Uninitialized Use in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14414 Chromium: CVE-2026-14414 Insufficient validation of untrusted input in Skia Unknown
Microsoft Edge (Chromium-based) CVE-2026-14415 Chromium: CVE-2026-14415 Inappropriate implementation in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14416 Chromium: CVE-2026-14416 Out of bounds read in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-14413 Chromium: CVE-2026-14413 Uninitialized Use in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14411 Chromium: CVE-2026-14411 Insufficient validation of untrusted input in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14410 Chromium: CVE-2026-14410 Inappropriate implementation in Skia Unknown
Microsoft Edge (Chromium-based) CVE-2026-14412 Chromium: CVE-2026-14412 Insufficient validation of untrusted input in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14391 Chromium: CVE-2026-14391 Integer overflow in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14395 Chromium: CVE-2026-14395 Out of bounds write in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14396 Chromium: CVE-2026-14396 Out of bounds read in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14393 Chromium: CVE-2026-14393 Use after free in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14388 Chromium: CVE-2026-14388 Out of bounds read in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14390 Chromium: CVE-2026-14390 Use after free in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14392 Chromium: CVE-2026-14392 Out of bounds write in Tint Unknown
Microsoft Edge (Chromium-based) CVE-2026-14401 Chromium: CVE-2026-14401 Insufficient validation of untrusted input in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14400 Chromium: CVE-2026-14400 Out of bounds write in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14403 Chromium: CVE-2026-14403 Use after free in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14399 Chromium: CVE-2026-14399 Uninitialized Use in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-14394 Chromium: CVE-2026-14394 Use after free in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14398 Chromium: CVE-2026-14398 Use after free in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14397 Chromium: CVE-2026-14397 Out of bounds write in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-13969 Chromium: CVE-2026-13969 Uninitialized Use in UI Unknown
Microsoft Edge (Chromium-based) CVE-2026-13862 CVE-2026-13862 Unknown
Microsoft Edge (Chromium-based) CVE-2026-13863 Chromium: CVE-2026-13863 Insufficient validation of untrusted input in CustomTabs Unknown
Microsoft Edge (Chromium-based) CVE-2026-13866 Chromium: CVE-2026-13866 Insufficient validation of untrusted input in Input Unknown
Microsoft Edge (Chromium-based) CVE-2026-13856 Chromium: CVE-2026-13856 Insufficient validation of untrusted input in Speech Unknown
Microsoft Edge (Chromium-based) CVE-2026-13851 Chromium: CVE-2026-13851 Insufficient validation of untrusted input in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-13852 Chromium: CVE-2026-13852 Insufficient validation of untrusted input in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-13850 Chromium: CVE-2026-13850 Insufficient validation of untrusted input in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13880 Chromium: CVE-2026-13880 Use after free in USB Unknown
Microsoft Edge (Chromium-based) CVE-2026-13885 Chromium: CVE-2026-13885 Use after free in Skia Unknown
Microsoft Edge (Chromium-based) CVE-2026-13887 Chromium: CVE-2026-13887 Insufficient policy enforcement in NFC Unknown
Microsoft Edge (Chromium-based) CVE-2026-13872 Chromium: CVE-2026-13872 Insufficient validation of untrusted input in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-13868 Chromium: CVE-2026-13868 Inappropriate implementation in Network Unknown
Microsoft Edge (Chromium-based) CVE-2026-13870 Chromium: CVE-2026-13870 Use after free in WebView Unknown
Microsoft Edge (Chromium-based) CVE-2026-13878 Chromium: CVE-2026-13878 Use after free in Bluetooth Unknown
Microsoft Edge (Chromium-based) CVE-2026-13819 Chromium: CVE-2026-13819 Out of bounds read in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-13822 Chromium: CVE-2026-13822 Inappropriate implementation in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13826 Chromium: CVE-2026-13826 Inappropriate implementation in Autofill Unknown
Microsoft Edge (Chromium-based) CVE-2026-13825 Chromium: CVE-2026-13825 Uninitialized Use in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-13808 Chromium: CVE-2026-13808 Insufficient data validation in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13816 Chromium: CVE-2026-13816 Insufficient validation of untrusted input in File Input Unknown
Microsoft Edge (Chromium-based) CVE-2026-13813 Chromium: CVE-2026-13813 Insufficient validation of untrusted input in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13846 Chromium: CVE-2026-13846 Use after free in USB Unknown
Microsoft Edge (Chromium-based) CVE-2026-13847 Chromium: CVE-2026-13847 Insufficient validation of untrusted input in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13792 Chromium: CVE-2026-13792 Use after free in Touchbar Unknown
Microsoft Edge (Chromium-based) CVE-2026-13842 Chromium: CVE-2026-13842 Incorrect security UI in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13827 Chromium: CVE-2026-13827 Use after free in Updater Unknown
Microsoft Edge (Chromium-based) CVE-2026-13833 Chromium: CVE-2026-13833 Uninitialized Use in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-13843 Chromium: CVE-2026-13843 Insufficient validation of untrusted input in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13889 Chromium: CVE-2026-13889 Insufficient validation of untrusted input in WebAuthentication Unknown
Microsoft Edge (Chromium-based) CVE-2026-13932 Chromium: CVE-2026-13932 Inappropriate implementation in Sharing Unknown
Microsoft Edge (Chromium-based) CVE-2026-13936 Chromium: CVE-2026-13936 Inappropriate implementation in Passwords Unknown
Microsoft Edge (Chromium-based) CVE-2026-13943 Chromium: CVE-2026-13943 Uninitialized Use in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13929 Chromium: CVE-2026-13929 Insufficient validation of untrusted input in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-13926 Chromium: CVE-2026-13926 Insufficient validation of untrusted input in Network Unknown
Microsoft Edge (Chromium-based) CVE-2026-13918 Chromium: CVE-2026-13918 Use after free in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13924 Chromium: CVE-2026-13924 Insufficient validation of untrusted input in WebView Unknown
Microsoft Edge (Chromium-based) CVE-2026-13955 Chromium: CVE-2026-13955 Insufficient validation of untrusted input in CustomTabs Unknown
Microsoft Edge (Chromium-based) CVE-2026-13927 Chromium: CVE-2026-13927 Insufficient validation of untrusted input in UI Unknown
Microsoft Edge (Chromium-based) CVE-2026-13964 Chromium: CVE-2026-13964 Insufficient policy enforcement in WebView Unknown
Microsoft Edge (Chromium-based) CVE-2026-13949 Chromium: CVE-2026-13949 Insufficient policy enforcement in Payments Unknown
Microsoft Edge (Chromium-based) CVE-2026-13939 Chromium: CVE-2026-13939 Insufficient validation of untrusted input in WebShare Unknown
Microsoft Edge (Chromium-based) CVE-2026-13944 Chromium: CVE-2026-13944 Inappropriate implementation in DataTransfer Unknown
Microsoft Edge (Chromium-based) CVE-2026-13946 Chromium: CVE-2026-13946 Inappropriate implementation in ScriptInjections Unknown
Microsoft Edge (Chromium-based) CVE-2026-13914 Chromium: CVE-2026-13914 Inappropriate implementation in Passwords Unknown
Microsoft Edge (Chromium-based) CVE-2026-13907 Chromium: CVE-2026-13907 Inappropriate implementation in iOSWeb Unknown
Microsoft Edge (Chromium-based) CVE-2026-13912 Chromium: CVE-2026-13912 Incorrect security UI in Safe Browsing Unknown
Microsoft Edge (Chromium-based) CVE-2026-13905 Chromium: CVE-2026-13905 Incorrect security UI in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13904 Chromium: CVE-2026-13904 Incorrect security UI in Safe Browsing Unknown
Microsoft Edge (Chromium-based) CVE-2026-13892 Chromium: CVE-2026-13892 Inappropriate implementation in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13902 Chromium: CVE-2026-13902 Inappropriate implementation in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13915 Chromium: CVE-2026-13915 Use after free in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13917 Chromium: CVE-2026-13917 Insufficient validation of untrusted input in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13923 Chromium: CVE-2026-13923 Uninitialized Use in GPU Unknown
Microsoft Edge (Chromium-based) CVE-2026-13916 Chromium: CVE-2026-13916 Inappropriate implementation in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13910 Chromium: CVE-2026-13910 Insufficient policy enforcement in WebXR Unknown
Microsoft Edge (Chromium-based) CVE-2026-13913 Chromium: CVE-2026-13913 Insufficient policy enforcement in Autofill Unknown
Microsoft Edge (Chromium-based) CVE-2026-13908 Chromium: CVE-2026-13908 Insufficient validation of untrusted input in Omnibox Unknown
Microsoft Edge (Chromium-based) CVE-2026-14417 Chromium: CVE-2026-14417 Use after free in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-58298 Microsoft Edge (Chromium-based) Spoofing Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58295 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58294 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-13779 Chromium: CVE-2026-13779 Use after free in Chromoting Unknown
Microsoft Edge (Chromium-based) CVE-2026-58596 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58525 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58524 Microsoft Edge (Chromium-based) Spoofing Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58289 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-13776 Chromium: CVE-2026-13776 Type Confusion in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-58288 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58290 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58293 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58292 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58291 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-13818 Chromium: CVE-2026-13818 Inappropriate implementation in Passwords Unknown
Microsoft Edge (Chromium-based) CVE-2026-13815 Chromium: CVE-2026-13815 Use after free in Blink Unknown
Microsoft Edge (Chromium-based) CVE-2026-13811 Chromium: CVE-2026-13811 Use after free in IME Unknown
Microsoft Edge (Chromium-based) CVE-2026-13814 Chromium: CVE-2026-13814 Use after free in Views Unknown
Microsoft Edge (Chromium-based) CVE-2026-13820 Chromium: CVE-2026-13820 Out of bounds read in Skia Unknown
Microsoft Edge (Chromium-based) CVE-2026-13821 Chromium: CVE-2026-13821 Use after free in Canvas Unknown
Microsoft Edge (Chromium-based) CVE-2026-13817 Chromium: CVE-2026-13817 Insufficient validation of untrusted input in Glic Unknown
Microsoft Edge (Chromium-based) CVE-2026-13796 Chromium: CVE-2026-13796 Integer overflow in Chromecast Unknown
Microsoft Edge (Chromium-based) CVE-2026-13954 Chromium: CVE-2026-13954 Insufficient policy enforcement in XML Unknown
Microsoft Edge (Chromium-based) CVE-2026-58597 Microsoft Edge (Chromium-based) Spoofing Vulnerability Low
Microsoft Edge (Chromium-based) CVE-2026-13799 Chromium: CVE-2026-13799 Use after free in QUIC Unknown
Microsoft Edge (Chromium-based) CVE-2026-13810 Chromium: CVE-2026-13810 Inappropriate implementation in Input Unknown
Microsoft Edge (Chromium-based) CVE-2026-13806 Chromium: CVE-2026-13806 Insufficient validation of untrusted input in Accessibility Unknown
Microsoft Edge (Chromium-based) CVE-2026-13800 Chromium: CVE-2026-13800 Inappropriate implementation in Updater Unknown
Microsoft Edge (Chromium-based) CVE-2026-58287 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-57987 Microsoft Edge (Chromium-based) Spoofing Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-57986 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-57985 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-57988 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58276 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-57992 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-57991 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-45489 Microsoft Edge (Chromium-based) Spoofing Vulnerability Moderate
Microsoft Edge (Chromium-based) CVE-2026-45488 Microsoft Edge (Chromium-based) Spoofing Vulnerability Moderate
Microsoft Edge (Chromium-based) CVE-2026-14104 Chromium: CVE-2026-14104 Insufficient validation of untrusted input in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-55945 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Moderate
Microsoft Edge (Chromium-based) CVE-2026-57984 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-57983 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-57981 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58282 Microsoft Edge (Chromium-based) Spoofing Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58281 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-57993 Microsoft Edge (Chromium-based) Spoofing Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58283 Microsoft Edge (Chromium-based) Spoofing Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58286 Microsoft Edge (Chromium-based) Spoofing Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58285 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58284 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-56646 Microsoft Edge (Chromium-based) Spoofing Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-56645 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-58278 Microsoft Edge (Chromium-based) Spoofing Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-57974 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-57977 Microsoft Edge (Chromium-based) Spoofing Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-13775 Chromium: CVE-2026-13775 Use after free in GPU Unknown
Microsoft Edge (Chromium-based) CVE-2026-57975 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2026-13823 Chromium: CVE-2026-13823 Use after free in Glic Unknown
Microsoft Edge (Chromium-based) CVE-2026-13859 Chromium: CVE-2026-13859 Inappropriate implementation in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-13858 Chromium: CVE-2026-13858 Out of bounds read in FFmpeg Unknown
Microsoft Edge (Chromium-based) CVE-2026-13857 Chromium: CVE-2026-13857 Inappropriate implementation in Geometry Unknown
Microsoft Edge (Chromium-based) CVE-2026-13854 Chromium: CVE-2026-13854 Use after free in Ozone Unknown
Microsoft Edge (Chromium-based) CVE-2026-14431 Chromium: CVE-2026-14431 Type Confusion in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-13864 Chromium: CVE-2026-13864 Insufficient policy enforcement in WebHID Unknown
Microsoft Edge (Chromium-based) CVE-2026-13860 Chromium: CVE-2026-13860 Incorrect security UI in Autofill Unknown
Microsoft Edge (Chromium-based) CVE-2026-13804 Chromium: CVE-2026-13804 Use after free in Chromecast Unknown
Microsoft Edge (Chromium-based) CVE-2026-13803 Chromium: CVE-2026-13803 Type Confusion in Chrome Tabs Unknown
Microsoft Edge (Chromium-based) CVE-2026-13802 Chromium: CVE-2026-13802 Use after free in Views Unknown
Microsoft Edge (Chromium-based) CVE-2026-13848 Chromium: CVE-2026-13848 Use after free in Forms Unknown
Microsoft Edge (Chromium-based) CVE-2026-13855 Chromium: CVE-2026-13855 Use after free in Ozone Unknown
Microsoft Edge (Chromium-based) CVE-2026-13853 Chromium: CVE-2026-13853 Use after free in Journeys Unknown
Microsoft Edge (Chromium-based) CVE-2026-13849 Chromium: CVE-2026-13849 Insufficient validation of untrusted input in Chromoting Unknown
Microsoft Edge (Chromium-based) CVE-2026-14423 Chromium: CVE-2026-14423 Type Confusion in Tint Unknown
Microsoft Edge (Chromium-based) CVE-2026-14421 Chromium: CVE-2026-14421 Uninitialized Use in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-14424 Chromium: CVE-2026-14424 Use after free in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-14422 Chromium: CVE-2026-14422 Out of bounds read and write in Tint Unknown
Microsoft Edge (Chromium-based) CVE-2026-14420 Chromium: CVE-2026-14420 Out of bounds read and write in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-14418 Chromium: CVE-2026-14418 Uninitialized Use in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14419 Chromium: CVE-2026-14419 Use after free in Skia Unknown
Microsoft Edge (Chromium-based) CVE-2026-14429 Chromium: CVE-2026-14429 Insufficient validation of untrusted input in Skia Unknown
Microsoft Edge (Chromium-based) CVE-2026-14430 Chromium: CVE-2026-14430 Integer overflow in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14432 Chromium: CVE-2026-14432 Use after free in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14428 Chromium: CVE-2026-14428 Insufficient validation of untrusted input in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-14425 Chromium: CVE-2026-14425 Use after free in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14426 Chromium: CVE-2026-14426 Use after free in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-14427 Chromium: CVE-2026-14427 Heap buffer overflow in Skia Unknown
Microsoft Edge (Chromium-based) CVE-2026-13801 Chromium: CVE-2026-13801 Integer overflow in Chromecast Unknown
Microsoft Edge (Chromium-based) CVE-2026-13837 Chromium: CVE-2026-13837 Inappropriate implementation in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13835 Chromium: CVE-2026-13835 Inappropriate implementation in XML Unknown
Microsoft Edge (Chromium-based) CVE-2026-13836 Chromium: CVE-2026-13836 Inappropriate implementation in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13838 Chromium: CVE-2026-13838 Inappropriate implementation in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13841 Chromium: CVE-2026-13841 Integer overflow in Skia Unknown
Microsoft Edge (Chromium-based) CVE-2026-13840 Chromium: CVE-2026-13840 Insufficient policy enforcement in Canvas Unknown
Microsoft Edge (Chromium-based) CVE-2026-13839 Chromium: CVE-2026-13839 Inappropriate implementation in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13829 Chromium: CVE-2026-13829 Insufficient validation of untrusted input in Settings Unknown
Microsoft Edge (Chromium-based) CVE-2026-13828 Chromium: CVE-2026-13828 Inappropriate implementation in Enterprise Unknown
Microsoft Edge (Chromium-based) CVE-2026-13824 Chromium: CVE-2026-13824 Insufficient validation of untrusted input in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13830 Chromium: CVE-2026-13830 Use after free in Chromoting Unknown
Microsoft Edge (Chromium-based) CVE-2026-13832 Chromium: CVE-2026-13832 Use after free in Headless Unknown
Microsoft Edge (Chromium-based) CVE-2026-13834 Chromium: CVE-2026-13834 Insufficient validation of untrusted input in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-13831 Chromium: CVE-2026-13831 Use after free in GPU Unknown
Microsoft Edge (Chromium-based) CVE-2026-13790 Chromium: CVE-2026-13790 Side-channel information leakage in Scroll Unknown
Microsoft Edge (Chromium-based) CVE-2026-13787 Chromium: CVE-2026-13787 Use after free in Chromoting Unknown
Microsoft Edge (Chromium-based) CVE-2026-13786 Chromium: CVE-2026-13786 Use after free in Ozone Unknown
Microsoft Edge (Chromium-based) CVE-2026-13793 Chromium: CVE-2026-13793 Insufficient policy enforcement in SVG Unknown
Microsoft Edge (Chromium-based) CVE-2026-13798 Chromium: CVE-2026-13798 Heap buffer overflow in Chromecast Unknown
Microsoft Edge (Chromium-based) CVE-2026-13797 Chromium: CVE-2026-13797 Insufficient validation of untrusted input in Chromecast Unknown
Microsoft Edge (Chromium-based) CVE-2026-13794 Chromium: CVE-2026-13794 Insufficient validation of untrusted input in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-13780 Chromium: CVE-2026-13780 Insufficient validation of untrusted input in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-13845 Chromium: CVE-2026-13845 Use after free in DOM Unknown
Microsoft Edge (Chromium-based) CVE-2026-13844 Chromium: CVE-2026-13844 Use after free in Updater Unknown
Microsoft Edge (Chromium-based) CVE-2026-13781 Chromium: CVE-2026-13781 Insufficient validation of untrusted input in Skia Unknown
Microsoft Edge (Chromium-based) CVE-2026-13784 Chromium: CVE-2026-13784 Use after free in Views Unknown
Microsoft Edge (Chromium-based) CVE-2026-13783 Chromium: CVE-2026-13783 Use after free in Views Unknown
Microsoft Edge (Chromium-based) CVE-2026-13782 Chromium: CVE-2026-13782 Use after free in Browser Unknown
Microsoft Edge (Chromium-based) CVE-2026-14009 Chromium: CVE-2026-14009 Insufficient data validation in Passwords Unknown
Microsoft Edge (Chromium-based) CVE-2026-14010 Chromium: CVE-2026-14010 Uninitialized Use in Codecs Unknown
Microsoft Edge (Chromium-based) CVE-2026-14011 Chromium: CVE-2026-14011 Out of bounds read in SurfaceCapture Unknown
Microsoft Edge (Chromium-based) CVE-2026-14008 Chromium: CVE-2026-14008 Uninitialized Use in WebXR Unknown
Microsoft Edge (Chromium-based) CVE-2026-14004 Chromium: CVE-2026-14004 Inappropriate implementation in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14006 Chromium: CVE-2026-14006 Use after free in Navigation Unknown
Microsoft Edge (Chromium-based) CVE-2026-14007 Chromium: CVE-2026-14007 Insufficient policy enforcement in PermissionsPolicy Unknown
Microsoft Edge (Chromium-based) CVE-2026-14018 Chromium: CVE-2026-14018 Use after free in Updater Unknown
Microsoft Edge (Chromium-based) CVE-2026-14016 Chromium: CVE-2026-14016 Insufficient policy enforcement in SVG Unknown
Microsoft Edge (Chromium-based) CVE-2026-14017 Chromium: CVE-2026-14017 Inappropriate implementation in Navigation Unknown
Microsoft Edge (Chromium-based) CVE-2026-14015 Chromium: CVE-2026-14015 Inappropriate implementation in WebRTC Unknown
Microsoft Edge (Chromium-based) CVE-2026-14012 Chromium: CVE-2026-14012 Side-channel information leakage in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14013 Chromium: CVE-2026-14013 Inappropriate implementation in SVG Unknown
Microsoft Edge (Chromium-based) CVE-2026-14014 Chromium: CVE-2026-14014 Inappropriate implementation in Paint Unknown
Microsoft Edge (Chromium-based) CVE-2026-14003 Chromium: CVE-2026-14003 Insufficient policy enforcement in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13986 Chromium: CVE-2026-13986 Inappropriate implementation in Media UI Unknown
Microsoft Edge (Chromium-based) CVE-2026-13989 Chromium: CVE-2026-13989 Insufficient policy enforcement in PageInfo Unknown
Microsoft Edge (Chromium-based) CVE-2026-13988 Chromium: CVE-2026-13988 Inappropriate implementation in Paint Unknown
Microsoft Edge (Chromium-based) CVE-2026-13985 Chromium: CVE-2026-13985 Inappropriate implementation in MediaCapture Unknown
Microsoft Edge (Chromium-based) CVE-2026-13979 Chromium: CVE-2026-13979 Inappropriate implementation in Paint Unknown
Microsoft Edge (Chromium-based) CVE-2026-13982 Chromium: CVE-2026-13982 Incorrect security UI in Passwords Unknown
Microsoft Edge (Chromium-based) CVE-2026-13984 Chromium: CVE-2026-13984 Incorrect security UI in TabStrip Unknown
Microsoft Edge (Chromium-based) CVE-2026-14000 Chromium: CVE-2026-14000 Inappropriate implementation in XML Unknown
Microsoft Edge (Chromium-based) CVE-2026-14001 Chromium: CVE-2026-14001 Inappropriate implementation in Network Unknown
Microsoft Edge (Chromium-based) CVE-2026-14002 Chromium: CVE-2026-14002 Inappropriate implementation in Geolocation Unknown
Microsoft Edge (Chromium-based) CVE-2026-13999 Chromium: CVE-2026-13999 Inappropriate implementation in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13993 Chromium: CVE-2026-13993 Incorrect security UI in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-13990 Chromium: CVE-2026-13990 Insufficient validation of untrusted input in DataTransfer Unknown
Microsoft Edge (Chromium-based) CVE-2026-13996 Chromium: CVE-2026-13996 Incorrect security UI in Permissions Unknown
Microsoft Edge (Chromium-based) CVE-2026-14019 Chromium: CVE-2026-14019 Inappropriate implementation in Passwords Unknown
Microsoft Edge (Chromium-based) CVE-2026-14041 Chromium: CVE-2026-14041 Insufficient policy enforcement in Serial Unknown
Microsoft Edge (Chromium-based) CVE-2026-14043 Chromium: CVE-2026-14043 Use after free in GetUserMedia Unknown
Microsoft Edge (Chromium-based) CVE-2026-14044 Chromium: CVE-2026-14044 Use after free in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14042 Chromium: CVE-2026-14042 Inappropriate implementation in Isolated Web Apps Unknown
Microsoft Edge (Chromium-based) CVE-2026-14039 Chromium: CVE-2026-14039 Insufficient policy enforcement in GetUserMedia Unknown
Microsoft Edge (Chromium-based) CVE-2026-14037 Chromium: CVE-2026-14037 Insufficient policy enforcement in GPU Unknown
Microsoft Edge (Chromium-based) CVE-2026-14040 Chromium: CVE-2026-14040 Use after free in BrowserTag Unknown
Microsoft Edge (Chromium-based) CVE-2026-14049 Chromium: CVE-2026-14049 Inappropriate implementation in GPU Unknown
Microsoft Edge (Chromium-based) CVE-2026-14050 Chromium: CVE-2026-14050 Insufficient policy enforcement in Passwords Unknown
Microsoft Edge (Chromium-based) CVE-2026-14051 Chromium: CVE-2026-14051 Uninitialized Use in GamepadAPI Unknown
Microsoft Edge (Chromium-based) CVE-2026-14048 Chromium: CVE-2026-14048 Use after free in Chromecast Unknown
Microsoft Edge (Chromium-based) CVE-2026-14045 Chromium: CVE-2026-14045 Insufficient validation of untrusted input in Network Unknown
Microsoft Edge (Chromium-based) CVE-2026-14046 Chromium: CVE-2026-14046 Inappropriate implementation in CustomTabs Unknown
Microsoft Edge (Chromium-based) CVE-2026-14047 Chromium: CVE-2026-14047 Insufficient policy enforcement in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-14038 Chromium: CVE-2026-14038 Insufficient validation of untrusted input in New Tab Page Unknown
Microsoft Edge (Chromium-based) CVE-2026-14025 Chromium: CVE-2026-14025 Use after free in Views Unknown
Microsoft Edge (Chromium-based) CVE-2026-14024 Chromium: CVE-2026-14024 Use after free in Ozone Unknown
Microsoft Edge (Chromium-based) CVE-2026-14027 Chromium: CVE-2026-14027 Use after free in SignIn Unknown
Microsoft Edge (Chromium-based) CVE-2026-14023 Chromium: CVE-2026-14023 Insufficient validation of untrusted input in SanitizerAPI Unknown
Microsoft Edge (Chromium-based) CVE-2026-14020 Chromium: CVE-2026-14020 Insufficient validation of untrusted input in WebXR Unknown
Microsoft Edge (Chromium-based) CVE-2026-14021 Chromium: CVE-2026-14021 Insufficient validation of untrusted input in StorageAccessAPI Unknown
Microsoft Edge (Chromium-based) CVE-2026-14022 Chromium: CVE-2026-14022 Insufficient validation of untrusted input in Network Unknown
Microsoft Edge (Chromium-based) CVE-2026-14033 Chromium: CVE-2026-14033 Insufficient policy enforcement in Media Unknown
Microsoft Edge (Chromium-based) CVE-2026-14035 Chromium: CVE-2026-14035 Insufficient policy enforcement in Bluetooth Unknown
Microsoft Edge (Chromium-based) CVE-2026-14036 Chromium: CVE-2026-14036 Insufficient policy enforcement in Bluetooth Unknown
Microsoft Edge (Chromium-based) CVE-2026-14034 Chromium: CVE-2026-14034 Inappropriate implementation in WebXR Unknown
Microsoft Edge (Chromium-based) CVE-2026-14031 Chromium: CVE-2026-14031 Incorrect security UI in File Input Unknown
Microsoft Edge (Chromium-based) CVE-2026-14032 Chromium: CVE-2026-14032 Use after free in Bluetooth Unknown
Microsoft Edge (Chromium-based) CVE-2026-14030 Chromium: CVE-2026-14030 Incorrect security UI in SplitView Unknown
Microsoft Edge (Chromium-based) CVE-2026-13922 Chromium: CVE-2026-13922 Side-channel information leakage in Paint Unknown
Microsoft Edge (Chromium-based) CVE-2026-13920 Chromium: CVE-2026-13920 Insufficient validation of untrusted input in Media Unknown
Microsoft Edge (Chromium-based) CVE-2026-13919 Chromium: CVE-2026-13919 Insufficient data validation in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13921 Chromium: CVE-2026-13921 Insufficient validation of untrusted input in DeviceBoundSessionCredentials Unknown
Microsoft Edge (Chromium-based) CVE-2026-13906 Chromium: CVE-2026-13906 Out of bounds read in Codecs Unknown
Microsoft Edge (Chromium-based) CVE-2026-13909 Chromium: CVE-2026-13909 Insufficient policy enforcement in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-13911 Chromium: CVE-2026-13911 Insufficient data validation in Spellcheck Unknown
Microsoft Edge (Chromium-based) CVE-2026-13933 Chromium: CVE-2026-13933 Insufficient policy enforcement in Passwords Unknown
Microsoft Edge (Chromium-based) CVE-2026-13930 Chromium: CVE-2026-13930 Insufficient policy enforcement in Actor Unknown
Microsoft Edge (Chromium-based) CVE-2026-13935 Chromium: CVE-2026-13935 Side-channel information leakage in ComputePressure Unknown
Microsoft Edge (Chromium-based) CVE-2026-13934 Chromium: CVE-2026-13934 Insufficient validation of untrusted input in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-13925 Chromium: CVE-2026-13925 Inappropriate implementation in Downloads Unknown
Microsoft Edge (Chromium-based) CVE-2026-13928 Chromium: CVE-2026-13928 Insufficient validation of untrusted input in Enterprise Unknown
Microsoft Edge (Chromium-based) CVE-2026-13931 Chromium: CVE-2026-13931 Inappropriate implementation in Media Unknown
Microsoft Edge (Chromium-based) CVE-2026-13903 Chromium: CVE-2026-13903 Insufficient policy enforcement in Bluetooth Unknown
Microsoft Edge (Chromium-based) CVE-2026-13891 Chromium: CVE-2026-13891 Insufficient validation of untrusted input in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13893 Chromium: CVE-2026-13893 Insufficient validation of untrusted input in WebUI Unknown
Microsoft Edge (Chromium-based) CVE-2026-13894 Chromium: CVE-2026-13894 Insufficient policy enforcement in Network Unknown
Microsoft Edge (Chromium-based) CVE-2026-13890 Chromium: CVE-2026-13890 Out of bounds read in Chromecast Unknown
Microsoft Edge (Chromium-based) CVE-2026-13886 Chromium: CVE-2026-13886 Policy bypass in Isolated Web Apps Unknown
Microsoft Edge (Chromium-based) CVE-2026-13888 Chromium: CVE-2026-13888 Use after free in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13884 Chromium: CVE-2026-13884 Heap buffer overflow in Chromecast Unknown
Microsoft Edge (Chromium-based) CVE-2026-13901 Chromium: CVE-2026-13901 Insufficient validation of untrusted input in Serial Unknown
Microsoft Edge (Chromium-based) CVE-2026-13900 Chromium: CVE-2026-13900 Insufficient validation of untrusted input in Chromecast Unknown
Microsoft Edge (Chromium-based) CVE-2026-13899 Chromium: CVE-2026-13899 Use after free in HTML Unknown
Microsoft Edge (Chromium-based) CVE-2026-13898 Chromium: CVE-2026-13898 Use after free in Cast Receiver Unknown
Microsoft Edge (Chromium-based) CVE-2026-13895 Chromium: CVE-2026-13895 Inappropriate implementation in Autofill Unknown
Microsoft Edge (Chromium-based) CVE-2026-13896 Chromium: CVE-2026-13896 Insufficient policy enforcement in Glic Unknown
Microsoft Edge (Chromium-based) CVE-2026-13897 Chromium: CVE-2026-13897 Insufficient policy enforcement in Chromecast Unknown
Microsoft Edge (Chromium-based) CVE-2026-13937 Chromium: CVE-2026-13937 Insufficient policy enforcement in Passwords Unknown
Microsoft Edge (Chromium-based) CVE-2026-13967 Chromium: CVE-2026-13967 Type Confusion in V8 Unknown
Microsoft Edge (Chromium-based) CVE-2026-13966 Chromium: CVE-2026-13966 Inappropriate implementation in History Unknown
Microsoft Edge (Chromium-based) CVE-2026-13968 Chromium: CVE-2026-13968 Insufficient validation of untrusted input in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-13965 Chromium: CVE-2026-13965 Use after free in Oilpan Unknown
Microsoft Edge (Chromium-based) CVE-2026-13960 Chromium: CVE-2026-13960 Inappropriate implementation in Passwords Unknown
Microsoft Edge (Chromium-based) CVE-2026-13962 Chromium: CVE-2026-13962 Insufficient data validation in PDF Unknown
Microsoft Edge (Chromium-based) CVE-2026-13963 Chromium: CVE-2026-13963 Inappropriate implementation in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-13976 Chromium: CVE-2026-13976 Heap buffer overflow in Storage Unknown
Microsoft Edge (Chromium-based) CVE-2026-13977 Chromium: CVE-2026-13977 Inappropriate implementation in HTMLParser Unknown
Microsoft Edge (Chromium-based) CVE-2026-13978 Chromium: CVE-2026-13978 Insufficient policy enforcement in PageInfo Unknown
Microsoft Edge (Chromium-based) CVE-2026-13973 Chromium: CVE-2026-13973 Inappropriate implementation in UI Unknown
Microsoft Edge (Chromium-based) CVE-2026-13970 Chromium: CVE-2026-13970 Uninitialized Use in Media Unknown
Microsoft Edge (Chromium-based) CVE-2026-13972 Chromium: CVE-2026-13972 Inappropriate implementation in Paint Unknown
Microsoft Edge (Chromium-based) CVE-2026-13971 Chromium: CVE-2026-13971 Uninitialized Use in Skia Unknown
Microsoft Edge (Chromium-based) CVE-2026-13959 Chromium: CVE-2026-13959 Insufficient validation of untrusted input in Blink Unknown
Microsoft Edge (Chromium-based) CVE-2026-13945 Chromium: CVE-2026-13945 Insufficient policy enforcement in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13947 Chromium: CVE-2026-13947 Uninitialized Use in XR Unknown
Microsoft Edge (Chromium-based) CVE-2026-13948 Chromium: CVE-2026-13948 Insufficient policy enforcement in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13941 Chromium: CVE-2026-13941 Inappropriate implementation in SiteSettings Unknown
Microsoft Edge (Chromium-based) CVE-2026-13938 Chromium: CVE-2026-13938 Integer overflow in Fonts Unknown
Microsoft Edge (Chromium-based) CVE-2026-13940 Chromium: CVE-2026-13940 Uninitialized Use in Cast Unknown
Microsoft Edge (Chromium-based) CVE-2026-13942 Chromium: CVE-2026-13942 Insufficient validation of untrusted input in Video Capture Unknown
Microsoft Edge (Chromium-based) CVE-2026-13956 Chromium: CVE-2026-13956 Incorrect security UI in PageInfo Unknown
Microsoft Edge (Chromium-based) CVE-2026-13958 Chromium: CVE-2026-13958 Uninitialized Use in Codecs Unknown
Microsoft Edge (Chromium-based) CVE-2026-13957 Chromium: CVE-2026-13957 Incorrect security UI in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13953 Chromium: CVE-2026-13953 Inappropriate implementation in SplitView Unknown
Microsoft Edge (Chromium-based) CVE-2026-13950 Chromium: CVE-2026-13950 Uninitialized Use in GPU Unknown
Microsoft Edge (Chromium-based) CVE-2026-13951 Chromium: CVE-2026-13951 Policy bypass in USB Unknown
Microsoft Edge (Chromium-based) CVE-2026-13952 Chromium: CVE-2026-13952 Inappropriate implementation in PerformanceAPIs Unknown
Microsoft Edge (Chromium-based) CVE-2026-14052 Chromium: CVE-2026-14052 Insufficient policy enforcement in FileSystem Unknown
Microsoft Edge (Chromium-based) CVE-2026-14138 Chromium: CVE-2026-14138 Inappropriate implementation in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-14144 Chromium: CVE-2026-14144 Incorrect security UI in Views Unknown
Microsoft Edge (Chromium-based) CVE-2026-14143 Chromium: CVE-2026-14143 Incorrect security UI in Passwords Unknown
Microsoft Edge (Chromium-based) CVE-2026-14135 Chromium: CVE-2026-14135 Insufficient validation of untrusted input in Network Unknown
Microsoft Edge (Chromium-based) CVE-2026-14140 Chromium: CVE-2026-14140 Insufficient validation of untrusted input in Input Unknown
Microsoft Edge (Chromium-based) CVE-2026-14141 Chromium: CVE-2026-14141 Incorrect security UI in Document Picture-in-Picture Unknown
Microsoft Edge (Chromium-based) CVE-2026-14142 Chromium: CVE-2026-14142 Inappropriate implementation in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-14152 Chromium: CVE-2026-14152 Out of bounds write in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14150 Chromium: CVE-2026-14150 Insufficient validation of untrusted input in Speech Unknown
Microsoft Edge (Chromium-based) CVE-2026-14149 Chromium: CVE-2026-14149 Use after free in Audio Unknown
Microsoft Edge (Chromium-based) CVE-2026-14147 Chromium: CVE-2026-14147 Inappropriate implementation in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14145 Chromium: CVE-2026-14145 Inappropriate implementation in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14146 Chromium: CVE-2026-14146 Inappropriate implementation in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14148 Chromium: CVE-2026-14148 Type Confusion in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14139 Chromium: CVE-2026-14139 Inappropriate implementation in TabStrip Unknown
Microsoft Edge (Chromium-based) CVE-2026-14124 Chromium: CVE-2026-14124 Inappropriate implementation in CredentialProvider Unknown
Microsoft Edge (Chromium-based) CVE-2026-14125 Chromium: CVE-2026-14125 Uninitialized Use in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14122 Chromium: CVE-2026-14122 Insufficient validation of untrusted input in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-14121 Chromium: CVE-2026-14121 Use after free in Chromoting Unknown
Microsoft Edge (Chromium-based) CVE-2026-14119 Chromium: CVE-2026-14119 Type Confusion in Bluetooth Unknown
Microsoft Edge (Chromium-based) CVE-2026-14120 Chromium: CVE-2026-14120 Inappropriate implementation in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-14116 Chromium: CVE-2026-14116 Insufficient validation of untrusted input in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-14131 Chromium: CVE-2026-14131 Insufficient validation of untrusted input in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-14132 Chromium: CVE-2026-14132 Inappropriate implementation in WebXR Unknown
Microsoft Edge (Chromium-based) CVE-2026-14134 Chromium: CVE-2026-14134 Inappropriate implementation in Autofill Unknown
Microsoft Edge (Chromium-based) CVE-2026-14133 Chromium: CVE-2026-14133 Race in History Embeddings Unknown
Microsoft Edge (Chromium-based) CVE-2026-14127 Chromium: CVE-2026-14127 Inappropriate implementation in Printing Unknown
Microsoft Edge (Chromium-based) CVE-2026-14129 Chromium: CVE-2026-14129 Incorrect security UI in PreviewTab Unknown
Microsoft Edge (Chromium-based) CVE-2026-14130 Chromium: CVE-2026-14130 Incorrect security UI in Omnibox Unknown
Microsoft Edge (Chromium-based) CVE-2026-14151 Chromium: CVE-2026-14151 Inappropriate implementation in AI Unknown
Microsoft Edge (Chromium-based) CVE-2026-13777 Chromium: CVE-2026-13777 Insufficient validation of untrusted input in iOSWeb Unknown
Microsoft Edge (Chromium-based) CVE-2026-13778 Chromium: CVE-2026-13778 Use after free in WebUSB Unknown
Microsoft Edge (Chromium-based) CVE-2026-13788 Chromium: CVE-2026-13788 Use after free in Fullscreen Unknown
Microsoft Edge (Chromium-based) CVE-2026-13861 Chromium: CVE-2026-13861 Use after free in Core Unknown
Microsoft Edge (Chromium-based) CVE-2026-13869 Chromium: CVE-2026-13869 Use after free in Device Unknown
Microsoft Edge (Chromium-based) CVE-2026-13867 Chromium: CVE-2026-13867 Inappropriate implementation in Geolocation Unknown
Microsoft Edge (Chromium-based) CVE-2026-13865 Chromium: CVE-2026-13865 Insufficient validation of untrusted input in Enterprise Unknown
Microsoft Edge (Chromium-based) CVE-2026-13807 Chromium: CVE-2026-13807 Use after free in Import Unknown
Microsoft Edge (Chromium-based) CVE-2026-13812 Chromium: CVE-2026-13812 Insufficient validation of untrusted input in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13809 Chromium: CVE-2026-13809 Side-channel information leakage in Safe Browsing Unknown
Microsoft Edge (Chromium-based) CVE-2026-13805 Chromium: CVE-2026-13805 Use after free in GFX Unknown
Microsoft Edge (Chromium-based) CVE-2026-13791 Chromium: CVE-2026-13791 Insufficient validation of untrusted input in Downloads Unknown
Microsoft Edge (Chromium-based) CVE-2026-13795 Chromium: CVE-2026-13795 Insufficient policy enforcement in Chrome for iOS Unknown
Microsoft Edge (Chromium-based) CVE-2026-13785 Chromium: CVE-2026-13785 Use after free in Bluetooth Unknown
Microsoft Edge (Chromium-based) CVE-2026-13871 Chromium: CVE-2026-13871 Insufficient data validation in GuestView Unknown
Microsoft Edge (Chromium-based) CVE-2026-13961 Chromium: CVE-2026-13961 Insufficient validation of untrusted input in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-13774 Chromium: CVE-2026-13774 Use after free in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-13881 Chromium: CVE-2026-13881 Insufficient data validation in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-14156 Chromium: CVE-2026-14156 Policy bypass in StorageAccessAPI Unknown
Microsoft Edge (Chromium-based) CVE-2026-14155 Chromium: CVE-2026-14155 Insufficient policy enforcement in StorageAccessAPI Unknown
Microsoft Edge (Chromium-based) CVE-2026-14153 Chromium: CVE-2026-14153 Inappropriate implementation in Glic Unknown
Microsoft Edge (Chromium-based) CVE-2026-14154 Chromium: CVE-2026-14154 Inappropriate implementation in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-13876 Chromium: CVE-2026-13876 Inappropriate implementation in Network Unknown
Microsoft Edge (Chromium-based) CVE-2026-13874 Chromium: CVE-2026-13874 Inappropriate implementation in DataTransfer Unknown
Microsoft Edge (Chromium-based) CVE-2026-13873 Chromium: CVE-2026-13873 Out of bounds memory access in Layout Unknown
Microsoft Edge (Chromium-based) CVE-2026-13877 Chromium: CVE-2026-13877 Insufficient validation of untrusted input in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-13882 Chromium: CVE-2026-13882 Inappropriate implementation in USB Unknown
Microsoft Edge (Chromium-based) CVE-2026-13879 Chromium: CVE-2026-13879 Use after free in Bluetooth Unknown
Microsoft Edge (Chromium-based) CVE-2026-13875 Chromium: CVE-2026-13875 Insufficient validation of untrusted input in GPU Unknown
Microsoft Edge (Chromium-based) CVE-2026-14077 Chromium: CVE-2026-14077 Incorrect security UI in Select Unknown
Microsoft Edge (Chromium-based) CVE-2026-14076 Chromium: CVE-2026-14076 Policy bypass in Network Unknown
Microsoft Edge (Chromium-based) CVE-2026-14079 Chromium: CVE-2026-14079 Policy bypass in Network Unknown
Microsoft Edge (Chromium-based) CVE-2026-14078 Chromium: CVE-2026-14078 Policy bypass in WebRTC Unknown
Microsoft Edge (Chromium-based) CVE-2026-14072 Chromium: CVE-2026-14072 Incorrect security UI in SplitView Unknown
Microsoft Edge (Chromium-based) CVE-2026-14070 Chromium: CVE-2026-14070 Uninitialized Use in WebNN Unknown
Microsoft Edge (Chromium-based) CVE-2026-14073 Chromium: CVE-2026-14073 Insufficient policy enforcement in WebXR Unknown
Microsoft Edge (Chromium-based) CVE-2026-14071 Chromium: CVE-2026-14071 Side-channel information leakage in WebAudio Unknown
Microsoft Edge (Chromium-based) CVE-2026-14084 Chromium: CVE-2026-14084 Insufficient validation of untrusted input in Chromoting Unknown
Microsoft Edge (Chromium-based) CVE-2026-14083 Chromium: CVE-2026-14083 Insufficient validation of untrusted input in HTML Unknown
Microsoft Edge (Chromium-based) CVE-2026-14086 Chromium: CVE-2026-14086 Insufficient policy enforcement in HID Unknown
Microsoft Edge (Chromium-based) CVE-2026-14085 Chromium: CVE-2026-14085 Side-channel information leakage in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14080 Chromium: CVE-2026-14080 Insufficient validation of untrusted input in TabSwitcher Unknown
Microsoft Edge (Chromium-based) CVE-2026-14081 Chromium: CVE-2026-14081 Insufficient policy enforcement in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-14074 Chromium: CVE-2026-14074 Side-channel information leakage in WebAuthentication Unknown
Microsoft Edge (Chromium-based) CVE-2026-14082 Chromium: CVE-2026-14082 Race in Storage Unknown
Microsoft Edge (Chromium-based) CVE-2026-14058 Chromium: CVE-2026-14058 Policy bypass in Parser Unknown
Microsoft Edge (Chromium-based) CVE-2026-14057 Chromium: CVE-2026-14057 Insufficient policy enforcement in FedCM Unknown
Microsoft Edge (Chromium-based) CVE-2026-14062 Chromium: CVE-2026-14062 Inappropriate implementation in Views Unknown
Microsoft Edge (Chromium-based) CVE-2026-14060 Chromium: CVE-2026-14060 Insufficient validation of untrusted input in Chromoting Unknown
Microsoft Edge (Chromium-based) CVE-2026-14053 Chromium: CVE-2026-14053 Insufficient policy enforcement in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2026-14055 Chromium: CVE-2026-14055 Insufficient validation of untrusted input in Device Trust Unknown
Microsoft Edge (Chromium-based) CVE-2026-14054 Chromium: CVE-2026-14054 Insufficient policy enforcement in Network Unknown
Microsoft Edge (Chromium-based) CVE-2026-14056 Chromium: CVE-2026-14056 Insufficient validation of untrusted input in Media Unknown
Microsoft Edge (Chromium-based) CVE-2026-14068 Chromium: CVE-2026-14068 Inappropriate implementation in Omnibox Unknown
Microsoft Edge (Chromium-based) CVE-2026-14065 Chromium: CVE-2026-14065 Insufficient validation of untrusted input in PageInfo Unknown
Microsoft Edge (Chromium-based) CVE-2026-14069 Chromium: CVE-2026-14069 Integer overflow in WebNN Unknown
Microsoft Edge (Chromium-based) CVE-2026-14026 Chromium: CVE-2026-14026 Incorrect security UI in SplitView Unknown
Microsoft Edge (Chromium-based) CVE-2026-14061 Chromium: CVE-2026-14061 Inappropriate implementation in Dawn Unknown
Microsoft Edge (Chromium-based) CVE-2026-14059 Chromium: CVE-2026-14059 Insufficient policy enforcement in Related-Website-Sets Unknown
Microsoft Edge (Chromium-based) CVE-2026-14064 Chromium: CVE-2026-14064 Use after free in PageInfo Unknown
Microsoft Edge (Chromium-based) CVE-2026-14063 Chromium: CVE-2026-14063 Out of bounds memory access in Chromecast Unknown
Microsoft Edge (Chromium-based) CVE-2026-14087 Chromium: CVE-2026-14087 Insufficient validation of untrusted input in WebNN Unknown
Microsoft Edge (Chromium-based) CVE-2026-14091 Chromium: CVE-2026-14091 Use after free in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-14107 Chromium: CVE-2026-14107 Use after free in Scheduling Unknown
Microsoft Edge (Chromium-based) CVE-2026-14108 Chromium: CVE-2026-14108 Use after free in PDFium Unknown
Microsoft Edge (Chromium-based) CVE-2026-14106 Chromium: CVE-2026-14106 Insufficient validation of untrusted input in Text Unknown
Microsoft Edge (Chromium-based) CVE-2026-14098 Chromium: CVE-2026-14098 Inappropriate implementation in CSS Unknown
Microsoft Edge (Chromium-based) CVE-2026-14118 Chromium: CVE-2026-14118 Insufficient data validation in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-14105 Chromium: CVE-2026-14105 Insufficient policy enforcement in Speech Unknown
Microsoft Edge (Chromium-based) CVE-2026-14115 Chromium: CVE-2026-14115 Insufficient validation of untrusted input in Cast Unknown
Microsoft Edge (Chromium-based) CVE-2026-14112 Chromium: CVE-2026-14112 Inappropriate implementation in Enterprise Unknown
Microsoft Edge (Chromium-based) CVE-2026-14117 Chromium: CVE-2026-14117 Insufficient validation of untrusted input in DevTools Unknown
Microsoft Edge (Chromium-based) CVE-2026-14113 Chromium: CVE-2026-14113 Use after free in Updater Unknown
Microsoft Edge (Chromium-based) CVE-2026-14109 Chromium: CVE-2026-14109 Insufficient policy enforcement in Mojo Unknown
Microsoft Edge (Chromium-based) CVE-2026-14110 Chromium: CVE-2026-14110 Inappropriate implementation in DarkMode Unknown
Microsoft Edge (Chromium-based) CVE-2026-14111 Chromium: CVE-2026-14111 Use after free in WebProtect Unknown
Microsoft Edge (Chromium-based) CVE-2026-14093 Chromium: CVE-2026-14093 Use after free in Cast Unknown
Microsoft Edge (Chromium-based) CVE-2026-14095 Chromium: CVE-2026-14095 Insufficient validation of untrusted input in Browser Unknown
Microsoft Edge (Chromium-based) CVE-2026-14097 Chromium: CVE-2026-14097 Inappropriate implementation in WebAppInstalls Unknown
Microsoft Edge (Chromium-based) CVE-2026-14094 Chromium: CVE-2026-14094 Use after free in Installer Unknown
Microsoft Edge (Chromium-based) CVE-2026-14088 Chromium: CVE-2026-14088 Uninitialized Use in Canvas Unknown
Microsoft Edge (Chromium-based) CVE-2026-14089 Chromium: CVE-2026-14089 Insufficient validation of untrusted input in PopupBlocker Unknown
Microsoft Edge (Chromium-based) CVE-2026-14092 Chromium: CVE-2026-14092 Insufficient policy enforcement in Privacy Unknown
Microsoft Edge (Chromium-based) CVE-2026-14090 Chromium: CVE-2026-14090 Out of bounds read in CameraCapture Unknown
Microsoft Edge (Chromium-based) CVE-2026-14100 Chromium: CVE-2026-14100 Insufficient data validation in NetworkCache Unknown
Microsoft Edge (Chromium-based) CVE-2026-14103 Chromium: CVE-2026-14103 Use after free in SSL Unknown
Microsoft Edge (Chromium-based) CVE-2026-13883 Chromium: CVE-2026-13883 Type Confusion in ANGLE Unknown
Microsoft Edge (Chromium-based) CVE-2026-14102 Chromium: CVE-2026-14102 Use after free in Passwords Unknown
Microsoft Edge for Android CVE-2026-58299 Microsoft Edge for Android Remote Code Execution Vulnerability Important
Microsoft Edge for Android CVE-2026-58523 Microsoft Edge for Android Security Feature Bypass Vulnerability Important
Microsoft Edge for Android CVE-2026-58300 Microsoft Edge for Android Information Disclosure Vulnerability Important
Microsoft Edge for Android CVE-2026-58296 Microsoft Edge for Android Information Disclosure Vulnerability Important
Microsoft Edge for Android CVE-2026-58297 Microsoft Edge for Android Information Disclosure Vulnerability Important
Microsoft Edge for Android CVE-2026-58522 Microsoft Edge for Android Information Disclosure Vulnerability Important
Microsoft Entra Provisioning Service (SyncFabric) CVE-2026-57100 Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability Critical
Microsoft Exchange Online CVE-2026-54998 Microsoft Exchange Online Elevation of Privilege Vulnerability Critical
Microsoft Exchange Server CVE-2026-55006 Microsoft Exchange Server Elevation of Privilege Vulnerability Important
Microsoft Exchange Server CVE-2026-55005 Microsoft Exchange Server Remote Code Execution Vulnerability Important
Microsoft Exchange Server CVE-2026-55008 Microsoft Exchange Server Spoofing Vulnerability Critical
Microsoft Exchange Server CVE-2026-55009 Microsoft Exchange Server Elevation of Privilege Vulnerability Important
Microsoft Fabric Data Warehouse CVE-2026-56642 Microsoft Fabric Data Warehouse Remote Code Execution Vulnerability Important
Microsoft Graphics Component CVE-2026-58609 Windows Graphics Component Remote Code Execution Vulnerability Important
Microsoft Graphics Component CVE-2026-50483 Windows Graphics Component Information Disclosure Vulnerability Important
Microsoft Input Method Editor (IME) CVE-2026-58534 Windows Input Method Editor (IME) Elevation of Privilege Vulnerability Important
Microsoft Install Service CVE-2026-50343 Microsoft Install Service Elevation of Privilege Vulnerability Important
Microsoft NAT Helper Components (ipnathlp.dll) CVE-2026-58537 Microsoft NAT Helper Components (ipnathlp.dll) Elevation of Privilege Vulnerability Important
Microsoft Office CVE-2026-55047 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-55028 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-55026 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-55027 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-55129 Microsoft Office Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2026-55035 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-55049 Microsoft Office Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2026-55045 Microsoft Office Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2026-55125 Microsoft Office Remote Code Execution Vulnerability Important
Microsoft Office CVE-2026-50301 Microsoft Office Remote Code Execution Vulnerability Important
Microsoft Office CVE-2026-50314 Microsoft Office Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2026-56193 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-47290 Microsoft Office Remote Code Execution Vulnerability Important
Microsoft Office CVE-2026-50467 Microsoft Office Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2026-55022 Microsoft Office Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2026-55023 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-55017 Microsoft Office Remote Code Execution Vulnerability Important
Microsoft Office CVE-2026-55018 Microsoft Office Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2026-50665 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-55140 Microsoft Office Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2026-55121 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-56192 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-56195 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-55139 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-55042 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office CVE-2026-55056 Microsoft Office Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2026-55057 Microsoft Office Information Disclosure Vulnerability Important
Microsoft Office Excel CVE-2026-55949 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55024 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-50408 Microsoft Excel Information Disclosure Vulnerability Important
Microsoft Office Excel CVE-2026-55947 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55898 Microsoft Excel Information Disclosure Vulnerability Important
Microsoft Office Excel CVE-2026-58618 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-50678 Microsoft Excel Information Disclosure Vulnerability Important
Microsoft Office Excel CVE-2026-54988 Microsoft Excel Information Disclosure Vulnerability Important
Microsoft Office Excel CVE-2026-55039 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-50675 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-47642 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-48580 Microsoft Excel Information Disclosure Vulnerability Important
Microsoft Office Excel CVE-2026-55899 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55948 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-54131 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55041 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55138 Microsoft Excel Information Disclosure Vulnerability Important
Microsoft Office Excel CVE-2026-55137 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55058 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55136 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55054 Microsoft Excel Information Disclosure Vulnerability Important
Microsoft Office Excel CVE-2026-55036 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55141 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55037 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55025 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55031 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55046 Microsoft Excel Information Disclosure Vulnerability Important
Microsoft Office Excel CVE-2026-55044 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55048 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55122 Microsoft Excel Information Disclosure Vulnerability Important
Microsoft Office Excel CVE-2026-55053 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55131 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-55029 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2026-56156 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office OneNote CVE-2026-55133 Microsoft OneNote Remote Code Execution Vulnerability Important
Microsoft Office PowerPoint CVE-2026-55120 Microsoft PowerPoint Remote Code Execution Vulnerability Critical
Microsoft Office PowerPoint CVE-2026-55043 Microsoft PowerPoint Remote Code Execution Vulnerability Critical
Microsoft Office PowerPoint CVE-2026-55123 Microsoft PowerPoint Remote Code Execution Vulnerability Critical
Microsoft Office SharePoint CVE-2026-56157 Microsoft SharePoint Server Spoofing Vulnerability Important
Microsoft Office SharePoint CVE-2026-55126 Microsoft SharePoint Server Spoofing Vulnerability Important
Microsoft Office SharePoint CVE-2026-55051 Microsoft SharePoint Server Information Disclosure Vulnerability Important
Microsoft Office SharePoint CVE-2026-55040 Microsoft SharePoint Server Security Feature Bypass Vulnerability Critical
Microsoft Office SharePoint CVE-2026-56164 Microsoft SharePoint Server Elevation of Privilege Vulnerability Moderate
Microsoft Office SharePoint CVE-2026-55052 Microsoft SharePoint Elevation of Privilege Vulnerability Important
Microsoft Office SharePoint CVE-2026-55135 Microsoft SharePoint Server Spoofing Vulnerability Important
Microsoft Office SharePoint CVE-2026-58644 Microsoft SharePoint Remote Code Execution Vulnerability Critical
Microsoft Office SharePoint CVE-2026-54108 Microsoft SharePoint Server Spoofing Vulnerability Important
Microsoft Office SharePoint CVE-2026-55021 Microsoft SharePoint Server Spoofing Vulnerability Important
Microsoft Office SharePoint CVE-2026-55020 Microsoft SharePoint Server Spoofing Vulnerability Important
Microsoft Office SharePoint CVE-2026-58277 Microsoft SharePoint Elevation of Privilege Vulnerability Important
Microsoft Office SharePoint CVE-2026-55030 Microsoft SharePoint Server Spoofing Vulnerability Important
Microsoft Office SharePoint CVE-2026-50522 Microsoft SharePoint Remote Code Execution Vulnerability Critical
Microsoft Office SharePoint CVE-2026-55034 Microsoft SharePoint Server Spoofing Vulnerability Important
Microsoft Office SharePoint CVE-2026-55019 Microsoft SharePoint Server Spoofing Vulnerability Important
Microsoft Office SharePoint CVE-2026-55016 Microsoft SharePoint Server Spoofing Vulnerability Important
Microsoft Office Word CVE-2026-55055 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office Word CVE-2026-55142 Microsoft Word Information Disclosure Vulnerability Important
Microsoft Office Word CVE-2026-55130 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office Word CVE-2026-55128 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office Word CVE-2026-55032 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office Word CVE-2026-55038 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office Word CVE-2026-55127 Microsoft Word Remote Code Execution Vulnerability Critical
Microsoft Office Word CVE-2026-55033 Microsoft Word Remote Code Execution Vulnerability Critical
Microsoft Office Word CVE-2026-55124 Microsoft Word Information Disclosure Vulnerability Important
Microsoft Office Word CVE-2026-55050 Microsoft Word Information Disclosure Vulnerability Important
Microsoft Office Word CVE-2026-55134 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office Word CVE-2026-55132 Microsoft Word Remote Code Execution Vulnerability Critical
Microsoft Printer Drivers CVE-2026-49166 Windows Print Configuration Elevation of Privilege Vulnerability Important
Microsoft Printer Drivers CVE-2026-55004 Windows Print Configuration Elevation of Privilege Vulnerability Important
Microsoft Surface CVE-2026-48581 Surface Broker SDMA Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2026-50476 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows App Store CVE-2026-49165 Microsoft Windows App Store Information Disclosure Vulnerability Important
Microsoft Windows App Store CVE-2026-49784 Microsoft Windows App Store Elevation of Privilege Vulnerability Important
Microsoft Windows App Store CVE-2026-50356 Microsoft Windows App Store Elevation of Privilege Vulnerability Important
Microsoft Windows App Store CVE-2026-42900 Microsoft Windows App Store Elevation of Privilege Vulnerability Important
Microsoft Windows Codecs Library CVE-2026-57083 Windows Media Photo Codec Information Disclosure Vulnerability Important
Microsoft Windows Media Foundation CVE-2026-56189 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical
Microsoft Windows Media Foundation CVE-2026-57087 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical
Microsoft Windows Media Foundation CVE-2026-57094 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical
Microsoft Windows Media Foundation CVE-2026-57090 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical
Microsoft Windows Media Foundation CVE-2026-58610 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important
Microsoft Windows Media Foundation CVE-2026-54993 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important
Microsoft Windows Search Component CVE-2026-50373 Windows Search Service Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2026-50679 Windows Search Service Elevation of Privilege Vulnerability Important
Microsoft Windows Speech CVE-2026-49171 Windows Speech Runtime Elevation of Privilege Vulnerability Important
Microsoft XML CVE-2026-57097 Microsoft XML Security Feature Bypass Vulnerability Important
Microsoft XML Core Services CVE-2026-50359 Microsoft XML Core Services Elevation of Privilege Vulnerability Important
Minecraft Bedrock Dedicated Server CVE-2026-55010 Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability Critical
Outlook Copilot CVE-2026-55145 Outlook Copilot Tampering Vulnerability Moderate
Power BI CVE-2026-58647 Microsoft PowerBI Report Server Spoofing Vulnerability Important
Quality Windows Audio/Video Experience (QWAVE) service CVE-2026-54989 Quality Windows Audio/Video Experience (QWAVE) Elevation of Privilege Vulnerability Important
Reliable Multicast Transport Driver (RMCAST) CVE-2026-54995 Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability Critical
Reliable Multicast Transport Driver (RMCAST) CVE-2026-54982 Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability Critical
Remote Desktop Client CVE-2026-50474 Remote Desktop Client Remote Code Execution Vulnerability Critical
Remote Desktop Client CVE-2026-54990 Remote Desktop Client Remote Code Execution Vulnerability Important
Remote Desktop Client CVE-2026-50330 Windows Remote Desktop Client Elevation of Privilege Vulnerability Important
Remote Desktop Client CVE-2026-50504 Windows Remote Desktop Client Information Disclosure Vulnerability Important
Role: DNS Server CVE-2026-50426 Windows DNS Server Remote Code Execution Vulnerability Important
Role: DNS Server CVE-2026-49169 Windows DNS Server Remote Code Execution Vulnerability Important
RPC Runtime CVE-2026-50346 Netlogon RPC Elevation of Privilege Vulnerability Important
SQL Server CVE-2026-54118 Microsoft SQL Server Remote Code Execution Vulnerability Critical
SQL Server CVE-2026-47296 Microsoft SQL Server Elevation of Privilege Vulnerability Important
SQL Server CVE-2026-54116 Microsoft SQL Server Information Disclosure Vulnerability Important
SQL Server CVE-2026-47295 Microsoft SQL Server Elevation of Privilege Vulnerability Important
SQL Server CVE-2026-55002 Microsoft SQL Server Elevation of Privilege Vulnerability Important
SQL Server CVE-2026-50468 Microsoft SQL Server Information Disclosure Vulnerability Important
SQL Server CVE-2026-54117 Microsoft SQL Server Remote Code Execution Vulnerability Critical
SQL Server ODBC driver CVE-2026-42990 SQL Server ODBC driver Elevation of Privilege Vulnerability Important
Universal Plug and Play (upnp.dll) CVE-2026-49180 Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability Important
Universal Plug and Play (upnp.dll) CVE-2026-58547 Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability Important
Universal Plug and Play (upnp.dll) CVE-2026-50455 Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability Important
Virtual Hard Disk (VHD) Miniport Driver CVE-2026-58601 Virtual Hard Disk (VHD) Miniport Driver Elevation of Privilege Vulernability Important
Visual Studio CVE-2026-47305 Visual Studio Remote Code Execution Vulnerability Important
Visual Studio Code CVE-2026-50520 Visual Studio Code Remote Code Execution Vulnerability Important
Visual Studio Code CVE-2026-45496 Visual Studio Code Security Feature Bypass Vulnerability Important
Visual Studio Code CVE-2026-57102 Visual Studio Code Security Feature Bypass Vulnerability Important
Visual Studio Code CVE-2026-57101 Visual Studio Code Security Feature Bypass Vulnerability Important
Window PC Manager CVE-2026-50438 Microsoft PC Manager Elevation of Privilege Vulnerability Important
Window PC Manager CVE-2026-58636 Microsoft PC Manager Elevation of Privilege Vulnerability Important
Windows Active Directory CVE-2026-55001 Active Directory Domain Services Elevation of Privilege Vulnerability Important
Windows Active Directory CVE-2026-50682 Active Directory Denial of Service Vulnerability Important
Windows Active Directory CVE-2026-54119 Windows Active Directory Denial of Service Vulnerability Important
Windows Active Directory CVE-2026-54115 Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability Important
Windows Admin Center CVE-2026-57107 Windows Admin Center Elevation of Privilege Vulnerability Important
Windows Admin Center CVE-2026-58631 Windows Admin Center (WAC) Remote Code Execution Vulnerability Important
Windows Admin Center CVE-2026-56169 Windows Admin Center Elevation of Privilege Vulnerability Important
Windows Admin Center CVE-2026-56185 Windows Admin Center Information Disclosure Vulnerability Important
Windows Admin Center CVE-2026-56196 Windows Admin Center (WAC) Remote Code Execution Vulnerability Important
Windows Admin Center CVE-2026-56197 Windows Admin Center (WAC) Remote Code Execution Vulnerability Important
Windows Ancillary Function Driver for WinSock CVE-2026-57093 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important
Windows Ancillary Function Driver for WinSock CVE-2026-50312 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important
Windows Ancillary Function Driver for WinSock CVE-2026-34346 Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability Important
Windows Ancillary Function Driver for WinSock CVE-2026-50462 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important
Windows App Installer CVE-2026-48571 Windows App Package Installer Elevation of Privilege Vulnerability Important
Windows App Installer CVE-2026-48572 Windows App Package Installer Elevation of Privilege Vulnerability Important
Windows App Installer CVE-2026-50400 Windows App Package Installer Elevation of Privilege Vulnerability Important
Windows Application Model CVE-2026-50331 Windows Application Model Core API Elevation of Privilege Vulnerability Important
Windows AppX Deployment Service CVE-2026-49803 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important
Windows Audio Compression Manager (ACM) CVE-2026-50351 Windows Audio Compression Manager (ACM) Elevation of Privilege Vulnerability Important
Windows Audio Service CVE-2026-34328 Windows Audio Service Information Disclosure Vulnerability Important
Windows Audio Service CVE-2026-50440 Windows Audio Service Elevation of Privilege Vulnerability Important
Windows Backup Engine CVE-2026-50406 Windows Backup Engine Elevation of Privilege Vulnerability Important
Windows BitLocker CVE-2026-50661 Windows BitLocker Security Feature Bypass Vulnerability Important
Windows Bluetooth Port Driver CVE-2026-42975 Windows Bluetooth Port Driver Remote Code Execution Important
Windows Bluetooth Service CVE-2026-58538 Windows Bluetooth Service Elevation of Privilege Vulnerability Important
Windows Boot Loader CVE-2026-58638 Windows Boot Loader Security Feature Bypass Vulnerability Important
Windows Brokering File System CVE-2026-50466 Microsoft Brokering File System Elevation of Privilege Vulnerability Important
Windows Brokering File System CVE-2026-49162 Microsoft Brokering File System Elevation of Privilege Vulnerability Important
Windows Brokering File System CVE-2026-50305 Microsoft Brokering File System Elevation of Privilege Vulnerability Important
Windows Brokering File System CVE-2026-50361 Microsoft Brokering File System Elevation of Privilege Vulnerability Important
Windows Brokering File System CVE-2026-50458 Microsoft Brokering File System Elevation of Privilege Vulnerability Important
Windows Client-Side Caching (CSC) Service CVE-2026-58637 Windows Client-Side Caching Elevation of Privilege Vulnerability Important
Windows Clip Service CVE-2026-50384 Windows Clip Service Elevation of Privilege Vulnerability Important
Windows Clipboard Server CVE-2026-50689 Windows Clipboard Server Elevation of Privilege Vulnerability Important
Windows Clipboard Server CVE-2026-49183 Windows Clipboard Server Elevation of Privilege Vulnerability Important
Windows Clipboard User Service CVE-2026-50488 Clipboard User Service Elevation of Privilege Vulnerability Important
Windows Cloud Files Mini Filter Driver CVE-2026-50374 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important
Windows Cloud Files Mini Filter Driver CVE-2026-50401 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability Important
Windows Cloud Files Mini Filter Driver CVE-2026-58613 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important
Windows Cloud Files Mini Filter Driver CVE-2026-58536 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important
Windows Common Log File System Driver CVE-2026-50697 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important
Windows Connected User Experiences and Telemetry CVE-2026-50421 Windows Connected User Experiences and Telemetry Elevation of Privilege Vulnerability Important
Windows Container Isolation FS Filter Driver (unionfs.sys) CVE-2026-50428 Windows Container Isolation FS Filter Driver (unionfs.sys) Information Disclosure Vulnerability Important
Windows CryptoAPI CVE-2026-55144 Windows Cryptography API: Next Generation (CNG) Tampering Vulnerability Important
Windows Cryptographic Services CVE-2026-50681 Windows Secure Channel Information Disclosure Vulnerability Important
Windows Cryptographic Services CVE-2026-44806 Windows Secure Channel Denial of Service Vulnerability Important
Windows Cryptographic Services CVE-2026-50302 Windows Cryptographic Services Security Feature Bypass Vulnerability Important
Windows Cryptographic Services CVE-2026-50352 Windows Cryptographic Services Information Disclosure Vulnerability Important
Windows Data.dll CVE-2026-50347 Windows Data.dll Remote Code Execution Vulnerability Important
Windows Devices Human Interface CVE-2026-50310 Windows Human Interface Device Information Disclosure Vulnerability Important
Windows DHCP Client CVE-2026-54128 Windows DHCP Client Remote Code Execution Vulnerability Critical
Windows DHCP Client CVE-2026-49181 Windows DHCP Client Elevation of Privilege Vulnerability Important
Windows DHCP Server CVE-2026-50518 Windows DHCP Server Remote Code Execution Vulnerability Critical
Windows DHCP Server CVE-2026-50370 DHCP Server Service Remote Code Execution Vulnerability Critical
Windows DHCP Server CVE-2026-50683 Windows DHCP Client Elevation of Privilege Vulnerability Important
Windows DHCP Server CVE-2026-50685 Windows DHCP Server Remote Code Execution Vulnerability Important
Windows DHCP Server CVE-2026-58627 Windows DHCP Server Denial of Service Vulnerability Important
Windows DHCP Server CVE-2026-56159 DHCP Server Service Remote Code Execution Vulnerability Critical
Windows DHCP Server CVE-2026-48564 DHCP Server Service Remote Code Execution Vulnerability Critical
Windows DirectX CVE-2026-50353 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important
Windows DirectX CVE-2026-50382 DirectX Graphics Kernel Remote Code Execution Vulnerability Critical
Windows DirectX CVE-2026-49807 Windows DirectX Information Disclosure Vulnerability Important
Windows DirectX CVE-2026-58629 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important
Windows DirectX CVE-2026-50375 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important
Windows DNS CVE-2026-50465 Windows DNS Client Tampering Vulnerability Important
Windows DNS CVE-2026-50487 Windows DNS Client Elevation of Privilege Vulnerability Important
Windows DNS CVE-2026-50495 DNS Client Tampering Vulnerability Important
Windows DNS CVE-2026-49174 DNS Client Tampering Vulnerability Important
Windows DNS CVE-2026-50295 Windows Zero Trust DNS Security Feature Bypass Vulnerability Important
Windows DNS CVE-2026-49175 Windows DNS Client Elevation of Privilege Vulnerability Important
Windows Domain Controller CVE-2026-50424 Windows Domain Controller Denial of Service Vulnerability Important
Windows DWM CVE-2026-58541 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important
Windows DWM Core Library CVE-2026-50437 Windows DWM Core Library Information Disclosure Vulnerability Important
Windows Event Logging Service CVE-2026-50502 Windows Event Logging Service Remote Code Execution Vulnerability Important
Windows Event Logging Service CVE-2026-34348 Windows Event Logging Service Information Disclosure Vulnerability Important
Windows File Explorer CVE-2026-33842 Windows File Explorer Information Disclosure Vulnerability Important
Windows File Explorer CVE-2026-50389 Windows File Explorer Information Disclosure Vulnerability Important
Windows File Explorer CVE-2026-57084 Windows File Explorer Information Disclosure Vulnerability Important
Windows File Explorer CVE-2026-41087 Windows File Explorer Information Disclosure Vulnerability Important
Windows File Explorer CVE-2026-50442 Windows File Explorer Information Disclosure Vulnerability Important
Windows File Explorer CVE-2026-50456 Windows File Explorer Information Disclosure Vulnerability Important
Windows File Explorer CVE-2026-50473 Windows File Explorer Information Disclosure Vulnerability Important
Windows File Explorer CVE-2026-40422 Windows File Explorer Information Disclosure Vulnerability Important
Windows File History Service CVE-2026-57091 Windows File History Service Elevation of Privilege Vulnerability Important
Windows Filtering Platform (WFP) CVE-2026-50405 Windows Filtering Platform Elevation of Privilege Vulnerability Important
Windows FTP Service CVE-2026-49172 Windows FTP Service Remote Code Execution Vulnerability Important
Windows GDI CVE-2026-50387 Windows GDI Elevation of Privilege Vulnerability Important
Windows GDI+ CVE-2026-49796 Windows GDI+ Remote Code Execution Vulnerability Critical
Windows GDI+ CVE-2026-54122 Windows GDI+ Remote Code Execution Vulnerability Important
Windows GDI+ CVE-2026-50380 Windows GDI+ Remote Code Execution Vulnerability Critical
Windows Graphics Kernel CVE-2026-50296 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important
Windows Graphics Kernel CVE-2026-50493 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important
Windows Group Policy CVE-2026-50391 Windows Group Policy Elevation of Privilege Vulnerability Important
Windows HTTP.sys CVE-2026-50420 HTTP.sys Information Disclosure Vulnerability Important
Windows HTTP.sys CVE-2026-49787 HTTP.sys Denial of Service Vulnerability Important
Windows Hyper-V CVE-2026-50485 Windows Hyper-V Denial of Service Vulnerability Important
Windows Hyper-V CVE-2026-54129 Windows Hyper-V Elevation of Privilege Vulnerability Important
Windows Hyper-V CVE-2026-50680 Windows Hyper-V Elevation of Privilege Vulnerability Critical
Windows Hyper-V CVE-2026-54127 Windows Hyper-V Elevation of Privilege Vulnerability Critical
Windows Image Acquisition CVE-2026-50315 Windows Image Acquisition Elevation of Privilege Vulnerability Important
Windows Installer CVE-2026-50490 Windows Installer Elevation of Privilege Vulnerability Important
Windows Installer CVE-2026-58540 Windows Installer Elevation of Privilege Vulnerability Important
Windows Internal System User Profile CVE-2026-50425 Windows Internal System User Profile Elevation of Privilege Vulnerability Important
Windows Internal Task Bar CVE-2026-50293 Windows Internal Task Bar Elevation of Privilege Vulnerability Important
Windows Internet Key Exchange (IKE) Protocol CVE-2026-50696 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability Important
Windows Kernel CVE-2026-50688 Windows Win32k Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-58545 Windows Kernel Security Feature Bypass Vulnerability Important
Windows Kernel CVE-2026-56644 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-56643 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50377 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50329 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-49173 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50475 Windows Kernel Information Disclosure Vulnerability Important
Windows Kernel CVE-2026-50463 Windows Kernel Information Disclosure Vulnerability Important
Windows Kernel CVE-2026-50354 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50419 Windows Kernel Information Disclosure Vulnerability Important
Windows Kernel CVE-2026-50429 Windows Kernel Information Disclosure Vulnerability Important
Windows Kernel CVE-2026-50423 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50316 Windows Kernel Information Disclosure Vulnerability Important
Windows Kernel CVE-2026-50687 Windows Win32k Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50294 Windows Kernel Information Disclosure Vulnerability Important
Windows Kernel CVE-2026-50399 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50390 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50673 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50436 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50397 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-58532 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-49798 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-54132 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-49795 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-58614 Windows Kernel Security Feature Bypass Vulnerability Important
Windows Kernel CVE-2026-49167 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50478 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50332 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50670 Windows Win32k Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50459 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50477 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-50300 Windows DWM Core Library Information Disclosure Vulnerability Important
Windows Kernel CVE-2026-50484 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2026-49808 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel Mode Driver CVE-2026-58602 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important
Windows Kernel-Mode Drivers CVE-2026-50393 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important
Windows Kernel-Mode Drivers CVE-2026-50396 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important
Windows Key Guard CVE-2026-50378 Windows Key Guard Elevation of Privilege Vulnerability Important
Windows Key Guard CVE-2026-50303 Windows Key Guard Security Feature Bypass Vulnerability Important
Windows Local Security Authority Subsystem Service (LSASS) CVE-2026-40378 Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability Important
Windows Local Security Authority Subsystem Service (LSASS) CVE-2026-49799 Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability Important
Windows LUAFV CVE-2026-50371 Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability Important
Windows Management Services CVE-2026-58544 Windows Management Services Elevation of Privilege Vulnerability Important
Windows Media CVE-2026-34349 Windows Media Information Disclosure Vulnerability Important
Windows Media CVE-2026-50379 Windows Media Elevation of Privilege Vulnerability Important
Windows Media CVE-2026-58542 Windows Media Remote Code Execution Vulnerability Critical
Windows Media CVE-2026-50677 Windows Media Elevation of Privilege Vulnerability Important
Windows Media CVE-2026-50358 Windows Media Elevation of Privilege Vulnerability Important
Windows Media CVE-2026-50676 Windows Media Elevation of Privilege Vulnerability Important
Windows Media CVE-2026-50327 Windows Media Remote Code Execution Vulnerability Critical
Windows Media CVE-2026-50404 Windows Media Elevation of Privilege Vulnerability Important
Windows Media CVE-2026-50655 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical
Windows Media CVE-2026-50415 Windows Media Information Disclosure Vulnerability Important
Windows Media CVE-2026-50414 Windows Media Elevation of Privilege Vulnerability Important
Windows Media CVE-2026-50433 Windows Media Elevation of Privilege Vulnerability Important
Windows Media CVE-2026-50394 Windows Media Information Disclosure Vulnerability Important
Windows Media CVE-2026-50336 Windows Media Elevation of Privilege Vulnerability Important
Windows Media CVE-2026-50398 Windows Media Elevation of Privilege Vulnerability Important
Windows Message Queuing CVE-2026-50447 Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability Important
Windows Message Queuing CVE-2026-50505 Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability Important
Windows Message Queuing Queue Manager CVE-2026-50439 Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability Important
Windows Message Queuing Queue Manager CVE-2026-54992 Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability Critical
Windows MIDI Service Module CVE-2026-56183 Windows MIDI Service Module Elevation of Privileges Vulnerability Important
Windows MIDI Service Module CVE-2026-50342 Windows MIDI Service Module Elevation of Privileges Vulnerability Important
Windows MIDI Service Module CVE-2026-56187 Windows MIDI Service Module Elevation of Privileges Vulnerability Important
Windows Narrator Braille CVE-2026-58635 Windows Narrator Braille Elevation of Privilege Vulnerability Important
Windows Netlogon CVE-2026-50500 Windows Netlogon Elevation of Privilege Vulnerability Important
Windows Network Address Translation (NAT) CVE-2026-56181 Windows Network Address Translation (NAT) Spoofing Vulnerability Moderate
Windows Network File System CVE-2026-56650 Windows Network File System Elevation of Privilege Vulnerability Important
Windows Network File System CVE-2026-56648 Windows NFS Server Elevation of Privilege Vulnerability Important
Windows Network File System CVE-2026-56194 Windows NFS Server Elevation of Privilege Vulnerability Important
Windows Network File System CVE-2026-56649 Windows Network File System Remote Code Execution Vulnerability Important
Windows Network Policy Server SNMP CVE-2026-50496 Windows Network Policy Server SNMP Information Disclosure Vulnerability Important
Windows Network Policy Server SNMP CVE-2026-50470 Windows Network Policy Server SNMP Information Disclosure Vulnerability Important
Windows Notification CVE-2026-50337 Windows Notification Elevation of Privilege Vulnerability Important
Windows Notification CVE-2026-50334 Windows Push Notification Information Disclosure Vulnerability Important
Windows NTFS CVE-2026-50422 Windows NTFS Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2026-50341 Windows NTFS Information Disclosure Vulnerability Important
Windows NTFS CVE-2026-50308 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-50471 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-50402 NTFS Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2026-50388 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-50313 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-50417 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-50309 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-56175 Windows NTFS Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2026-50494 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-56182 Windows NTFS Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2026-50482 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-58640 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-50386 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-50672 Windows NTFS Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2026-50668 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2026-49789 Windows NTFS Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2026-49797 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-50448 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-49184 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2026-50412 Windows NTFS Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2026-50667 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2026-50461 Windows NTFS Remote Code Execution Vulnerability Important
Windows OLE CVE-2026-50686 Windows OLE Remote Code Execution Vulnerability Important
Windows OLE CVE-2026-50344 Windows OLE Elevation of Privilege Vulnerability Important
Windows Operating Systems CVE-2026-50317 Windows Operating Systems Elevation of Privilege Vulnerability Important
Windows Operating Systems CVE-2026-50335 Windows Operating Systems Elevation of Privilege Vulnerability Important
Windows Overlay Filter CVE-2026-54987 Windows Overlay Filter Elevation of Privilege Vulnerability Important
Windows Overlay Filter CVE-2026-50435 Windows Overlay Filter Elevation of Privilege Vulnerability Important
Windows Overlay Filter CVE-2026-50409 Windows Overlay Filter Information Disclosure Vulnerability Important
Windows PowerShell CVE-2026-40400 Windows PowerShell Remote Code Execution Vulnerability Important
Windows Print Spooler Components CVE-2026-57085 Windows Print Spooler Information Disclosure Vulnerability Important
Windows Print Spooler Components CVE-2026-50499 Windows Print Spooler Elevation of Privilege Vulnerability Important
Windows Print Spooler Components CVE-2026-50383 Windows Print Spooler Information Disclosure Vulnerability Important
Windows Print Spooler Components CVE-2026-58608 Windows Print Spooler Remote Code Execution Vulnerability Critical
Windows Projected File System CVE-2026-50469 Windows Projected File System Elevation of Privilege Vulnerability Important
Windows Push Notifications CVE-2026-50430 Windows Push Notification Information Disclosure Vulnerability Important
Windows Push Notifications CVE-2026-44800 Windows Push Notifications Elevation of Privilege Vulnerability Important
Windows Push Notifications CVE-2026-50434 Windows Push Notification Information Disclosure Vulnerability Important
Windows Push Notifications CVE-2026-50339 Windows Push Notification Information Disclosure Vulnerability Important
Windows Push Notifications CVE-2026-50363 Windows Push Notifications Elevation of Privilege Vulnerability Important
Windows Quality of Service (QoS) Packet Scheduler CVE-2026-50431 Windows Quality of Service (QoS) Packet Scheduler Information Disclosure Vulnerability Important
Windows RDP CVE-2026-57982 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important
Windows RDP CVE-2026-57979 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important
Windows RDP CVE-2026-56190 Remote Desktop Protocol Remote Code Execution Vulnerability Important
Windows RDP CVE-2026-58594 Remote Desktop Client Remote Code Execution Vulnerability Important
Windows RDP CVE-2026-55003 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important
Windows RDP CVE-2026-58546 Windows Remote Desktop Client Information Disclosure Vulnerability Important
Windows RDP CVE-2026-58533 Windows Remote Desktop Client Information Disclosure Vulnerability Important
Windows RDP CVE-2026-58535 Windows Remote Desktop Client Information Disclosure Vulnerability Important
Windows RDP CVE-2026-50376 Windows Remote Desktop Client Information Disclosure Vulnerability Important
Windows RDP CVE-2026-58539 Windows Remote Desktop Client Information Disclosure Vulnerability Important
Windows RDP CVE-2026-50445 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important
Windows RDP CVE-2026-54126 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important
Windows Redirected Drive Buffering CVE-2026-50372 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability Important
Windows Remote Access Connection Manager CVE-2026-50666 Windows Remote Access Elevation of Privilege Vulnerability Important
Windows Remote Access Service Infrastructure CVE-2026-56647 Windows Remote Access Service Infrastructure Elevation of Privilege Vulnerability Important
Windows Remote Desktop Protocol CVE-2026-50497 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important
Windows Remote Desktop Services CVE-2026-58626 Windows Remote Desktop Services Remote Code Execution Vulnerability Important
Windows Remote Desktop Services CVE-2026-50369 Windows Remote Desktop Services Elevation of Privilege Vulnerability Important
Windows Remote Help Defense CVE-2026-55014 Windows Remote Help Defense Elevation of Privilege Vulnerability Important
Windows Resilient File System (ReFS) CVE-2026-50492 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important
Windows Resilient File System (ReFS) CVE-2026-50501 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important
Windows Resilient File System (ReFS) CVE-2026-50357 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability Important
Windows Resilient File System (ReFS) CVE-2026-58530 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important
Windows Resilient File System (ReFS) CVE-2026-50318 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability Important
Windows Resilient File System (ReFS) CVE-2026-49792 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important
Windows Resilient File System (ReFS) CVE-2026-49793 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important
Windows Resilient File System (ReFS) CVE-2026-50362 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important
Windows Resilient File System (ReFS) CVE-2026-54109 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important
Windows Resilient File System (ReFS) CVE-2026-50407 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability Important
Windows Resilient File System (ReFS) CVE-2026-50441 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability Important
Windows Routing and Remote Access Service (RRAS) CVE-2026-57096 Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability Important
Windows Routing and Remote Access Service (RRAS) CVE-2026-50451 Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability Important
Windows Routing and Remote Access Service (RRAS) CVE-2026-49791 Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability Important
Windows RPC API CVE-2026-50365 Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-54125 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50323 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50449 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50460 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50403 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50410 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50340 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50322 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50345 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50452 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50486 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50503 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50457 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50385 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50413 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-50348 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Runtime CVE-2026-58527 Windows Runtime Elevation of Privilege Vulnerability Important
Windows Schannel CVE-2026-56186 Windows Secure Channel Information Disclosure Vulnerability Important
Windows Secure Boot CVE-2026-49783 Secure Boot Security Feature Bypass Vulnerability Important
Windows Secure Kernel Mode CVE-2026-50392 Windows Secure Kernel Mode Elevation of Privilege Vulnerability Critical
Windows Secure Kernel Mode CVE-2026-42982 Windows Secure Kernel Mode Elevation of Privilege Vulnerability Critical
Windows Secure Socket Tunneling Protocol (SSTP) CVE-2026-50694 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability Critical
Windows Sensor Data Service CVE-2026-58619 Windows Sensor Data Service Elevation of Privilege Vulnerability Important
Windows Sensor Data Service CVE-2026-50367 Windows Sensor Data Service Elevation of Privilege Vulnerability Important
Windows Server CVE-2026-50311 Windows Server Elevation of Privilege Vulnerability Important
Windows Server Backup CVE-2026-50364 Windows Backup Service Elevation of Privilege Vulnerability Important
Windows Server Network driver CVE-2026-56188 Windows Server Network driver Remote Code Execution Vulnerability Critical
Windows Server Update Service CVE-2026-50328 Windows Server Update Service (WSUS) Tampering Vulnerability Important
Windows Server Update Service CVE-2026-50444 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability Critical
Windows SMB CVE-2026-50690 Windows SMB Information Disclosure Vulnerability Important
Windows SMB CVE-2026-58531 Windows SMB Elevation of Privilege Vulnerability Important
Windows SMB CVE-2026-54997 Windows SMB Information Disclosure Vulnerability Important
Windows SMB CVE-2026-49801 Windows SMB Information Disclosure Vulnerability Important
Windows SMB Server CVE-2026-56168 Windows SMB Server Denial of Service Vulnerability Important
Windows SMB Server CVE-2026-50360 Windows SMB Server Elevation of Privilege Vulnerability Important
Windows SMB Server Network Transport Driver (srvnet.sys) CVE-2026-57089 Windows SMB Server Network Transport Driver (srvnet.sys) Remote Code Execution Vulnerability Important
Windows Spaceport.sys CVE-2026-50298 Windows Spaceport.sys Elevation of Privilege Vulnerability Important
Windows Spaceport.sys CVE-2026-50333 Windows Spaceport.sys Elevation of Privilege Vulnerability Important
Windows StateRepository API CVE-2026-49170 Windows StateRepository API Server file Elevation of Privilege Vulnerability Important
Windows Storage CVE-2026-58526 Windows Storage Elevation of Privilege Vulnerability Important
Windows Storage Spaces Direct CVE-2026-50299 Windows Storage Spaces Direct Remote Code Execution Vulnerability Important
Windows Storage Spaces Direct CVE-2026-49168 Storage Spaces Direct Elevation of Privilege Vulnerability Important
Windows Subsystem for Linux CVE-2026-57973 Windows Subsystem for Linux (WSL2) Kernel Tampering Vulnerability Important
Windows Subsystem for Linux CVE-2026-57968 Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability Important
Windows System CVE-2026-50418 Windows System Secure Feature Bypass Vulnerability Important
Windows TCP/IP CVE-2026-49177 Windows TCP/IP Information Disclosure Vulnerability Important
Windows TCP/IP CVE-2026-50306 Windows TCP/IP Elevation of Privilege Vulnerability Important
Windows TCP/IP CVE-2026-54999 Windows TCP/IP Remote Code Execution Vulnerability Critical
Windows TCP/IP CVE-2026-50307 Windows TCP/IP Elevation of Privilege Vulnerability Important
Windows Telephony Service CVE-2026-50669 Windows Telephony Server Elevation of Privilege Vulnerability Important
Windows Terminal CVE-2026-54124 Windows Terminal Remote Code Execution Vulnerability Important
Windows Trusted Runtime Interface Driver CVE-2026-50350 Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability Important
Windows Unified Consent System CVE-2026-50326 Windows Unified Consent System Elevation of Privilege Vulnerability Important
Windows Universal Disk Format File System Driver (UDFS) CVE-2026-49790 Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability Important
Windows Universal Disk Format File System Driver (UDFS) CVE-2026-50498 Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability Important
Windows USB Audio Class driver (usbaudio.sys) CVE-2026-58528 Windows USB Audio Class Driver Information Disclosure Vulnerability Important
Windows USB Audio Class driver (usbaudio.sys) CVE-2026-50453 Windows USB Audio Class Driver Information Disclosure Vulnerability Important
Windows USB Audio Class driver (usbaudio.sys) CVE-2026-49794 Windows USB Audio Class Driver Information Disclosure Vulnerability Important
Windows USB Driver CVE-2026-50321 Windows USB Driver Elevation of Privilege Vulnerability Important
Windows USB Hub Driver CVE-2026-50479 Windows USB Hub Driver Elevation of Privilege Vulnerability Important
Windows USB Print Driver CVE-2026-49802 Windows USB Print Driver Elevation of Privilege Vulnerability Important
Windows USB Print Driver CVE-2026-58543 Universal Print Management Service Elevation of Privilege Vulnerability Important
Windows USB Print Driver CVE-2026-49806 Windows USB Print Driver Elevation of Privilege Vulnerability Important
Windows USB Print Driver CVE-2026-54991 Windows USB Print Driver Elevation of Privilege Vulnerability Important
Windows USB Print Driver CVE-2026-55000 Windows USB Print Driver Elevation of Privilege Vulnerability Important
Windows USB Print Driver CVE-2026-50674 Windows USB Print Driver Elevation of Privilege Vulnerability Important
Windows USB Print Driver CVE-2026-54111 Universal Print Management Service Elevation of Privilege Vulnerability Important
Windows USB Print Driver CVE-2026-54996 Windows USB Print Driver Elevation of Privilege Vulnerability Important
Windows USB Video Driver CVE-2026-49804 Windows USB Video Driver Elevation of Privilege Vulnerability Important
Windows User Interface Core CVE-2026-50454 Windows User Interface Core Elevation of Privilege Vulnerability Important
Windows Virtual Filtering Platform (VFP) CVE-2026-50432 Window Virtual Filtering Platform (VFP) Denial of Service Vulnerability Important
Windows VMSwitch CVE-2026-57092 Microsoft Windows VMSwitch Elevation of Privilege Vulnerability Critical
Windows WalletService CVE-2026-49176 Windows WalletService Elevation of Privilege Vulnerability Important
Windows Web Proxy Auto-Discovery Protocol (WPAD) CVE-2026-49800 Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability Important
Windows Web Proxy Auto-Discovery Protocol (WPAD) CVE-2026-50480 Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability Important
Windows WebView CVE-2026-56173 Windows WebView Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2026-49805 Win32k Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2026-57095 Win32k Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2026-50416 Win32k Information Disclosure Vulnerability Important
Windows Win32K CVE-2026-56184 Win32k Information Disclosure Vulnerability Important
Windows Win32K CVE-2026-50489 Win32k Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2026-54986 Windows Win32k Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2026-58632 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2026-50325 Win32k Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2026-50297 Win32k Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2026-54114 Windows Win32k Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2026-54107 Windows Win32k Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2026-54112 Windows Win32k Elevation of Privilege Vulnerability Important
Windows Win32K - GRFX CVE-2026-56176 Windows Win32k Elevation of Privilege Vulnerability Important
Windows Wireless Networking CVE-2026-58628 Windows Wireless Network Manager Elevation of Privilege Vulnerability Important
Windows Wireless Wide Area Network Service CVE-2026-50450 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Windows Wireless Wide Area Network Service CVE-2026-50509 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability Important

CVE-2026-48561 - Microsoft Copilot Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-48561
MITRE
NVD
CVE Title: Microsoft Copilot Remote Code Execution Vulnerability
Description:

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

In this case, a successful attack could be performed from a low privilege Hyper-V guest. The attacker could traverse the guest's security boundary to execute code on the Hyper-V host execution environment.


How could an attacker exploit this vulnerability?

An attacker could host a malicious website that causes Microsoft Edge for Android to automatically send crafted prompts to Copilot on a user’s device when the user visits the site. Because the affected component processes these requests without confirmation or origin checks, the prompts may be executed without the user’s awareness, potentially resulting in unintended actions within Copilot such as accessing or modifying data.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-48561
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Copilot for Android Release Notes (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft 365 Copilot for iOS Release Notes (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-48561 Ofek Levin Enclave with Enclave


CVE-2026-45488 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-45488
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

The attacker must correctly craft convincing spoofed UI chrome, time the full-screen entry, and rely on user perception. While the exploit triggers reliably after a gesture, successful deception depends on careful social engineering and realistic mimicking of browser UI.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user would need to click on a specially crafted URL that could present a popup box requesting additional user input.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Moderate Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-45488
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Moderate Spoofing None Base: 5.4
Temporal: 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-45488 Moch. Azril


Barath Stalin K


Hafiizh with https://www.linkedin.com/in/hafiizh-7aa6bb31/


FARISSAL B


Francesco Jeremy Topol with k4tedu


Alfaz Hossain with POTDF


xzyhellsing


CVE-2026-42982 - Windows Secure Kernel Mode Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-42982
MITRE
NVD
CVE Title: Windows Secure Kernel Mode Elevation of Privilege Vulnerability
Description:

Improper validation of consistency within input in Windows Secure Kernel Mode allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-42982
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5095051 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-42982 Arush Agarampur (Microsoft)


CVE-2026-47296 - Microsoft SQL Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-47296
MITRE
NVD
CVE Title: Microsoft SQL Server Elevation of Privilege Vulnerability
Description:

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain sysadmin privileges.


I am running SQL Server on my system. What action do I need to take?

Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates.

There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?

  • First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components.
  • Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install.

Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.

Update Number Title Version Apply if current product version is… This security update also includes servicing releases up through…
5101346 Security update for SQL Server 2025 CU6+GDR 17.0.4060.2 17.0.4006.2 - 17.0.4055.5 KB5093421 - Previous SQL2025 RTM CU6
5102333 Security update for SQL Server 2025 RTM+GDR 17.0.1125.2 17.0.1000.7 - 17.0.1115.1 KB5091223 - Previous SQL2025 RTM GDR
5101347 Security update for SQL Server 2022 CU25+GDR 16.0.4262.2 16.0.4003.1 - 16.0.4255.1 KB5081477 - Previous SQL2022 RTM CU25
5102334 Security update for SQL Server 2022 RTM+GDR 16.0.1190.2 16.0.1000.6 - 16.0.1180.1 KB5091158 - Previous SQL2022 RTM GDR
5102335 Security update for SQL Server 2019 CU32+GDR 15.0.4480.2 15.0.4003.23 - 15.0.4470.1 KB5090407 - Previous SQL2019 RTM CU32 GDR
5102336 Security update for SQL Server 2019 RTM+GDR 15.0.2180.2 15.0.2000.5 - 15.0.2170.1 KB 5090408 - Previous SQL2019 RTM GDR
5102337 Security update for SQL Server 2017 CU31+GDR 14.0.3540.1 14.0.3006.16 - 14.0.3530.2 KB 5090354 - Previous SQL2017 RTM CU31 GDR
5102338 Security update for SQL Server 2017 RTM+GDR 14.0.2120.1 14.0.1000.169 - 14.0.2110.2 KB 5090347 - Previous SQL2017 RTM GDR
5102339 Security update for SQL Server 2016 Azure Connect Feature Pack+GDR 13.0.7095.1 13.0.7000.253 - 13.0.7085.1 KB 5089270 - Previous SQL2016 Azure Connect Feature Pack GDR
5102340 Security update for SQL Server 2016 SP3+GDR 13.0.6500.1 13.0.6300.2 - 13.0.6490.1 KB 5089271 - Previous SQL2016 RTM GDR

What are the GDR and CU update designations and how do they differ?

The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.

  • GDR updates – cumulatively only contain security updates for the given baseline.
  • CU updates – cumulatively contain all functional fixes and security updates for the given baseline.

For any given baseline, either the GDR or CU updates could be options (see below).

  • If SQL Server installation is at a baseline version, you can choose either the GDR or CU update.
  • If SQL Server installation has intentionally only installed past GDR updates, then choose to install the GDR update package.
  • If SQL Server installation has intentionally installed previous CU updates, then choose to install the CU security update package.

Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path.

Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)?

Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-47296
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) 5102340 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack 5102339 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2017 for x64-based Systems (CU 31) 5102337 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2017 for x64-based Systems (GDR) 5102338 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2019 for x64-based Systems (CU 32) 5102335 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2019 for x64-based Systems (GDR) 5102336 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2022 for x64-based Systems (CU 25) 5101347 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2022 for x64-based Systems (GDR) 5102334 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2025 for x64-based Systems (CU6) 5101346 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2025 for x64-based Systems (GDR) 5102333 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-47296 Sharath Unni


CVE-2026-26145 - Microsoft Azure Synapse Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-26145
MITRE
NVD
CVE Title: Microsoft Azure Synapse Elevation of Privilege Vulnerability
Description:

Improper access control in Azure Synapse allows an authorized attacker to elevate privileges over a network.


FAQ:

Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-26145
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Azure Synapse Critical Elevation of Privilege None Base: 4.8
Temporal: 4.3
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-26145 Anonymous


CVE-2026-45499 - Azure OpenAI Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-45499
MITRE
NVD
CVE Title: Azure OpenAI Elevation of Privilege Vulnerability
Description:

Server-side request forgery (ssrf) in Azure OpenAI allows an authorized attacker to elevate privileges over a network.


FAQ:

Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-45499
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Azure Open AI Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-45499 brahim_nah


CVE-2026-57100 - Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57100
MITRE
NVD
CVE Title: Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability
Description:

Server-side request forgery (ssrf) in Microsoft Entra Provisioning Service (SyncFabric) allows an authorized attacker to elevate privileges over a network.


FAQ:

Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57100
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Entra Provisioning Service Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57100 Anonymous


CVE-2026-54998 - Microsoft Exchange Online Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54998
MITRE
NVD
CVE Title: Microsoft Exchange Online Elevation of Privilege Vulnerability
Description:

Incorrect authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.


FAQ:

Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54998
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Exchange Online Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54998 Stefan Wey with Alweys | (UMB AG)


CVE-2026-41106 - Microsoft 365 Copilot Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-41106
MITRE
NVD
CVE Title: Microsoft 365 Copilot Elevation of Privilege Vulnerability
Description:

Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.


FAQ:

Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-41106
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Copilot Critical Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-41106 Vaibhavi Kalgutkar with Microsoft


Dan Reimer with Microsoft


Henrique Pereira with Microsoft


CVE-2026-34349 - Windows Media Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-34349
MITRE
NVD
CVE Title: Windows Media Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Media allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could obtain limited memory-related information, specifically a heap address returned by the affected service.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-34349
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-34349 Anonymous


CVE-2026-34346 - Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-34346
MITRE
NVD
CVE Title: Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability
Description:

Cleartext transmission of sensitive information in Windows Ancillary Function Driver for WinSock allows an authorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-34346
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-34346 David Zhu with Microsoft


CVE-2026-42900 - Microsoft Windows App Store Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-42900
MITRE
NVD
CVE Title: Microsoft Windows App Store Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows App Store allows an unauthorized attacker to elevate privileges over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-42900
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-42900 Anonymous


CVE-2026-45489 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-45489
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:
Unknown
FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user would have to click on a specially crafted URL to be compromised by the attacker.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


1.1    2026-07-12T07:00:00    

CWE added. Informational change only.


Moderate Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-45489
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Moderate Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-45489 Ofek Levin Enclave with Enclave


CVE-2026-42975 - Windows Bluetooth Port Driver Remote Code Execution

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-42975
MITRE
NVD
CVE Title: Windows Bluetooth Port Driver Remote Code Execution
Description:

Heap-based buffer overflow in Windows Bluetooth Port Driver allows an unauthorized attacker to execute code over an adjacent network.


FAQ:

According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability?

Exploiting this vulnerability requires an attacker to be within Bluetooth range of the target system.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of this vulnerability requires that a user enables Bluetooth and the device set to be discoverable, which is not the default configuration on Windows systems. Once discoverability is enabled, no further user interaction is required for exploitation.


How could an attacker exploit the vulnerability?

An attacker could attempt to exploit this vulnerability by sending a specially crafted Bluetooth configuration request to a nearby affected device. If successful, this could allow the attacker to run code on the device without needing user interaction or prior access.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-42975
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-42975 Philip Tsukerman with Palo Alto Networks


Christian Siegert - chrisbsd


Hyeon Park (`@_p0her_`) of Korea University


TwinkleStar03 with DEVCORE Internship Program


Hyeon Park (`@_p0her_`) of Korea University


CVE-2026-47300 - ASP.NET Core Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-47300
MITRE
NVD
CVE Title: ASP.NET Core Elevation of Privilege Vulnerability
Description:

Incorrect implementation of authentication algorithm in ASP.NET Core allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain administrator privileges.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-47300
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Elevation of Privilege None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Elevation of Privilege None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Elevation of Privilege None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-47300 Artur Stetsko


CVE-2026-47302 - .NET Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-47302
MITRE
NVD
CVE Title: .NET Denial of Service Vulnerability
Description:

Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-47302
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Windows 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation) 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 5087068 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) 5087068 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems 5087058 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems 5087058 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems 5092430 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems 5092430 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM64-based Systems 5092427 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems 5092427 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems 5087077 (Security Update)
5092431 (Security Update)
Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems 5087077 (Security Update)
5092431 (Security Update)
Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 5087059 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) 5087059 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 5087057 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) 5087057 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 5087048 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) 5087048 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 5087049 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) 5087049 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 5087062 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) 5087062 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 5087063 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) 5087063 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 5087067 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) 5087067 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 5087069 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) 5087069 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2016 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-47302 Levi Broderick with Microsoft


CVE-2026-47303 - ASP.NET Core Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-47303
MITRE
NVD
CVE Title: ASP.NET Core Elevation of Privilege Vulnerability
Description:

Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-47303
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Elevation of Privilege None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Elevation of Privilege None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Elevation of Privilege None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-47303 Pham Quang Minh


CVE-2026-42990 - SQL Server ODBC driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-42990
MITRE
NVD
CVE Title: SQL Server ODBC driver Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in SQL Server ODBC driver allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does this mean for this vulnerability?

An attacker would need specific conditions to be in place (i.e. particular protocol settings, or configurations, etc.) before an attack could succeed, which reduces the likelihood of widespread or opportunistic exploitation.


How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by setting up a malicious SQL Server and convincing a user or application to connect to it. When the connection is made, the malicious server could send specially crafted network data that triggers the flaw in the affected component, potentially causing the client application to behave unexpectedly or stop responding.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-42990
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5094042 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5094042 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5094041 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5094041 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-42990 Mathias Vorreiter Pedersen with Microsoft


CVE-2026-48572 - Windows App Package Installer Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-48572
MITRE
NVD
CVE Title: Windows App Package Installer Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows App Installer allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-48572
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-48572 Anonymous


CVE-2026-48571 - Windows App Package Installer Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-48571
MITRE
NVD
CVE Title: Windows App Package Installer Elevation of Privilege Vulnerability
Description:

Use after free in Windows App Installer allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-48571
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-48571 Anonymous


CVE-2026-49162 - Microsoft Brokering File System Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49162
MITRE
NVD
CVE Title: Microsoft Brokering File System Elevation of Privilege Vulnerability
Description:

Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49162
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49162 Grant Hume


CVE-2026-49164 - Windows Active Directory Domain Services Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49164
MITRE
NVD
CVE Title: Windows Active Directory Domain Services Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Active Directory Domain Services allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49164
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49164 Linzishan & Anemone & Zhiniang Peng (HUST)


CVE-2026-49165 - Microsoft Windows App Store Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49165
MITRE
NVD
CVE Title: Microsoft Windows App Store Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Microsoft Windows App Store allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49165
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49165 Anonymous


CVE-2026-49166 - Windows Print Configuration Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49166
MITRE
NVD
CVE Title: Windows Print Configuration Elevation of Privilege Vulnerability
Description:

Use after free in Microsoft Printer Drivers allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49166
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49166 Anonymous


CVE-2026-49167 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49167
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49167
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49167 hazard


CVE-2026-49168 - Storage Spaces Direct Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49168
MITRE
NVD
CVE Title: Storage Spaces Direct Elevation of Privilege Vulnerability
Description:

Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to elevate privileges with a physical attack.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49168
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49168 Anonymous


Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST


CVE-2026-49169 - Windows DNS Server Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49169
MITRE
NVD
CVE Title: Windows DNS Server Remote Code Execution Vulnerability
Description:

Use after free in DNS Server allows an authorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49169
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49169 pwnky


CVE-2026-49170 - Windows StateRepository API Server file Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49170
MITRE
NVD
CVE Title: Windows StateRepository API Server file Elevation of Privilege Vulnerability
Description:

Insufficient granularity of access control in Windows StateRepository API allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49170
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49170 pwnky


CVE-2026-49171 - Windows Speech Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49171
MITRE
NVD
CVE Title: Windows Speech Runtime Elevation of Privilege Vulnerability
Description:

Use after free in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49171
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49171 k0shl


CVE-2026-49176 - Windows WalletService Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49176
MITRE
NVD
CVE Title: Windows WalletService Elevation of Privilege Vulnerability
Description:

Improper privilege management in Windows WalletService allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49176
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49176 Chen Le Qi (@cplearns2h4ck) with STAR Labs SG Pte. Ltd. & Nguyn ng Nguyn (@MochiNishimiya) with STAR Labs SG Pte. Ltd.


CVE-2026-49175 - Windows DNS Client Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49175
MITRE
NVD
CVE Title: Windows DNS Client Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows DNS allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49175
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49175 Brandon Fisher


Brandon Fisher


pwn2addr


CVE-2026-49172 - Windows FTP Service Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49172
MITRE
NVD
CVE Title: Windows FTP Service Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows FTP Service allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by sending specially crafted FTP commands that exceed the expected length to a vulnerable FTP service. When the service processes and logs these oversized commands, it may write beyond the bounds of allocated memory, causing memory corruption that could lead to a service crash or allow code execution.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49172
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 (Server Core installation) 5099540 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49172 Linzishan & Anemone& Zhiniang Peng (HUST)


CVE-2026-49173 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49173
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49173
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49173 Owen McCullough with Microsoft


CVE-2026-49174 - DNS Client Tampering Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49174
MITRE
NVD
CVE Title: DNS Client Tampering Vulnerability
Description:

Missing authentication for critical function in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Tampering

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49174
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49174 Sneha Ravichandran with Microsoft


CVE-2026-49177 - Windows TCP/IP Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49177
MITRE
NVD
CVE Title: Windows TCP/IP Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows TCP/IP allows an authorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49177
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49177 Microsoft Red Team (MRT) with Microsoft


Microsoft


CVE-2026-49784 - Microsoft Windows App Store Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49784
MITRE
NVD
CVE Title: Microsoft Windows App Store Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Windows App Store allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could elevate from a low integrity level up to a medium integrity level.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49784
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49784 Anonymous


CVE-2026-50506 - OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50506
MITRE
NVD
CVE Title: OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability
Description:

Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50506
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft.AspNet.OData Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft.AspNetCore.OData Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50506 Anonymous


CVE-2026-47282 - GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-47282
MITRE
NVD
CVE Title: GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability
Description:

Insufficiently protected credentials in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

This vulnerability could expose a sign-in access token for a user’s work account. If disclosed, that token could allow access to data and services that the user is authorized to use, potentially including sensitive organizational information.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user would have be enticed to open a malicious file in vscode. Users should never open anything that they do not know or trust to be safe.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-47282
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Visual Studio Code Release Notes (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-47282 Anonymous


CVE-2026-45496 - Visual Studio Code Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-45496
MITRE
NVD
CVE Title: Visual Studio Code Security Feature Bypass Vulnerability
Description:

Improper limitation of a pathname to a restricted directory ('path traversal') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.


FAQ:

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An attacker who successfully exploited this vulnerability could bypass Visual Studio Code sensitive file protections.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-45496
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Visual Studio Code Release Notes (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-45496 Tarek Nakkouch


陳宥升 (CheN..)


CVE-2026-50663 - Game: Age of Empires II: Definitive Edition Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50663
MITRE
NVD
CVE Title: Game: Age of Empires II: Definitive Edition Remote Code Execution Vulnerability
Description:

Relative path traversal in Age of Empires II: Definitive Edition Game allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit the vulnerability?

An attacker could create a specially crafted game scenario file and convince a user to open it, which allows the file to write content outside the intended game directory. By doing this, the attacker can place malicious files in unexpected locations, potentially enabling code to run on the affected system.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50663
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Age of Empires II: Definitive Edition Game Release Notes (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50663 Rick de Jager


CVE-2026-54983 - Windows Active Directory Federation Services Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54983
MITRE
NVD
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description:

Stack-based buffer overflow in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54983
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54983 Anonymous


CVE-2026-50695 - Windows Active Directory Federation Services Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50695
MITRE
NVD
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description:

Stack-based buffer overflow in Active Directory Federation Services allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50695
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50695 Anonymous


CVE-2026-54129 - Windows Hyper-V Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54129
MITRE
NVD
CVE Title: Windows Hyper-V Elevation of Privilege Vulnerability
Description:

Use after free in Windows Hyper-V allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54129
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54129 Nicola Stauffer working with TrendAI Zero Day Initiative


CVE-2026-54989 - Quality Windows Audio/Video Experience (QWAVE) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54989
MITRE
NVD
CVE Title: Quality Windows Audio/Video Experience (QWAVE) Elevation of Privilege Vulnerability
Description:

Use after free in Quality Windows Audio/Video Experience (QWAVE) service allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54989
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54989 Marin Duroyon


CVE-2026-54987 - Windows Overlay Filter Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54987
MITRE
NVD
CVE Title: Windows Overlay Filter Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Overlay Filter allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54987
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54987 Chen Le Qi (@cplearns2h4ck) with STAR Labs SG Pte. Ltd.


Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST


CVE-2026-50696 - Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50696
MITRE
NVD
CVE Title: Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability
Description:

Heap-based buffer overflow in Windows Internet Key Exchange (IKE) Protocol allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50696
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50696

Anonymous


CVE-2026-54990 - Remote Desktop Client Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54990
MITRE
NVD
CVE Title: Remote Desktop Client Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by persuading a user to connect to a malicious Remote Desktop Protocol (RDP) server using a vulnerable RDP client. The malicious server could send specially crafted responses that trigger memory corruption on the client system, potentially allowing arbitrary code execution in the context of the logged-on user. Successful exploitation requires user interaction to establish the RDP connection.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54990
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54990 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


pwn2addr


Thanatos Tian & PB18 & @2st__ with Diffract


CVE-2026-50697 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50697
MITRE
NVD
CVE Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50697
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50697 sweetchip


dd484a5a34dd0f6d5330345ffe642dfc


CVE-2026-55000 - Windows USB Print Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55000
MITRE
NVD
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description:

Use after free in Windows USB Print Driver allows an unauthorized attacker to elevate privileges with a physical attack.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55000
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55000 Nafiez with NLab Security


Seung Chan Kim


AIフィジカルインターフェイス二号機


AIフィジカルインターフェイス二号機


CVE-2026-54111 - Universal Print Management Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54111
MITRE
NVD
CVE Title: Universal Print Management Service Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is Kernel memory read - unintentional read access to memory contents in kernel space from a user mode process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54111
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54111 AIフィジカルインターフェイス二号機


CVE-2026-54991 - Windows USB Print Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54991
MITRE
NVD
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54991
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54991 AIフィジカルインターフェイス二号機


CVE-2026-54132 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54132
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Kernel allows an unauthorized attacker to elevate privileges with a physical attack.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited the vulnerability could execute code in the kernel.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54132
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54132 pwn2addr


CVE-2026-54107 - Windows Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54107
MITRE
NVD
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54107
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54107 Pravin Choudhary


CVE-2026-54986 - Windows Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54986
MITRE
NVD
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Win32K allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54986
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54986 YuilMuil(Yoon Jung Hyun)


CVE-2026-54993 - Microsoft Windows Media Foundation Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54993
MITRE
NVD
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54993
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54993 Seung Chan Kim


CVE-2026-55001 - Active Directory Domain Services Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55001
MITRE
NVD
CVE Title: Active Directory Domain Services Elevation of Privilege Vulnerability
Description:

Improper certificate validation in Windows Active Directory allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain administrator privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55001
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55001 Anonymous


CVE-2026-54112 - Windows Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54112
MITRE
NVD
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54112
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54112 LC with VGCO - Vietnam Germany Connection


CVE-2026-55004 - Windows Print Configuration Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55004
MITRE
NVD
CVE Title: Windows Print Configuration Elevation of Privilege Vulnerability
Description:

Double free in Microsoft Printer Drivers allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55004
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55004 Q4n with Kunlun Lab and Zhiniang Peng with HUST


Q4n with Kunlun Lab and Zhiniang Peng with HUST


CVE-2026-54992 - Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54992
MITRE
NVD
CVE Title: Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows Message Queuing Queue Manager allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54992
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54992

Seung Chan Kim


CVE-2026-54109 - Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54109
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description:

Integer overflow or wraparound in Windows Resilient File System (ReFS) allows an authorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54109
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54109 R4nger with Kunlun Lab & Zhiniang Peng with HUST


CVE-2026-54982 - Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54982
MITRE
NVD
CVE Title: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
Description:

Integer underflow (wrap or wraparound) in Reliable Multicast Transport Driver (RMCAST) allows an unauthorized attacker to execute code over an adjacent network.


FAQ:

According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability?

This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54982
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54982

Seung Chan Kim


haowei yan


haowei yan


CVE-2026-54114 - Windows Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54114
MITRE
NVD
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description:

Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54114
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54114 YuilMuil(Yoon Jung Hyun)


CVE-2026-54996 - Windows USB Print Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54996
MITRE
NVD
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level.


According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54996
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54996 AIフィジカルインターフェイス二号機


CVE-2026-54119 - Windows Active Directory Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54119
MITRE
NVD
CVE Title: Windows Active Directory Denial of Service Vulnerability
Description:

Loop with unreachable exit condition ('infinite loop') in Windows Active Directory allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54119
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54119 Anonymous


CVE-2026-54997 - Windows SMB Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54997
MITRE
NVD
CVE Title: Windows SMB Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54997
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54997 Anonymous


CVE-2026-54999 - Windows TCP/IP Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54999
MITRE
NVD
CVE Title: Windows TCP/IP Remote Code Execution Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over an adjacent network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54999
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54999 Owen McCullough with MSRC V&M


CVE-2026-55003 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55003
MITRE
NVD
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.


FAQ:

According to the CVSS metric, user interaction is required (UI:R) and privileges required are none (PR:N). What does that mean for this vulnerability?

An unauthorized attacker must wait for a user to initiate a connection.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55003
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55003 Anonymous


CVE-2026-54995 - Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54995
MITRE
NVD
CVE Title: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
Description:

Use after free in Reliable Multicast Transport Driver (RMCAST) allows an unauthorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54995
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54995

CVE-2026-54122 - Windows GDI+ Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54122
MITRE
NVD
CVE Title: Windows GDI+ Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code locally.


FAQ:

How could an attacker exploit this vulnerability?

Exploitation of this vulnerability requires that an attacker send a malicious link to the victim via email, or that they convince the user to click the link, typically by way of an enticement in an email or Instant Messenger message. In the worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link. This could result in the attacker executing remote code on the victim's machine. When multiple attack vectors can be used, we assign a score based on the scenario with the higher risk (UI:N).


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54122
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54122 Seung Chan Kim


CVE-2026-50338 - Azure Spring Apps Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50338
MITRE
NVD
CVE Title: Azure Spring Apps Elevation of Privilege Vulnerability
Description:

Improper authentication in Azure Spring Apps allows an authorized attacker to elevate privileges over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain ELEVATED privileges, which may allow them to perform actions beyond their original permissions.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50338
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Azure Spring Apps Release Notes (Security Update) Important Elevation of Privilege None Base: 8.2
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50338 Lukas Johannes Moeller


CVE-2026-55011 - Microsoft Defender Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55011
MITRE
NVD
CVE Title: Microsoft Defender Remote Code Execution Vulnerability
Description:

Integer underflow (wrap or wraparound) in Microsoft Defender allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.


References Identification
Last version of the Microsoft Malware Protection Engine affected by this vulnerability 1.1.26050.11
First version of the Microsoft Malware Protection Engine with this vulnerability addressed 1.1.26060.3008

See Manage Updates Baselines Microsoft Defender Antivirus for more information.

Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue?

Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state.

Why is no action required to install this update?

In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.

Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment.

How often are the Microsoft Malware Protection Engine and malware definitions updated?

Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed.

Depending on which Microsoft antimalware software is used and how it is configured, the software may search for engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time.

What is the Microsoft Malware Protection Engine?

The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software.

Windows Defender uses the Microsoft Malware Protection Engine. On which products is Defender installed and active by default?

Defender runs on all supported version of Windows.

Are there other products that use the Microsoft Malware Protection Engine?

Yes, Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection and Microsoft Security Essentials.

Does this update contain any additional security-related changes to functionality?

Yes.  In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55011
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Malware Protection Engine Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55011 Anonymous


CVE-2026-55012 - Microsoft Defender Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55012
MITRE
NVD
CVE Title: Microsoft Defender Remote Code Execution Vulnerability
Description:

Integer overflow or wraparound in Microsoft Defender allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.


References Identification
Last version of the Microsoft Malware Protection Engine affected by this vulnerability 1.1.26050.11
First version of the Microsoft Malware Protection Engine with this vulnerability addressed 1.1.26060.3008

See Manage Updates Baselines Microsoft Defender Antivirus for more information.

Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue?

Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state.

Why is no action required to install this update?

In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.

Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment.

How often are the Microsoft Malware Protection Engine and malware definitions updated?

Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed.

Depending on which Microsoft antimalware software is used and how it is configured, the software may search for engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time.

What is the Microsoft Malware Protection Engine?

The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software.

Windows Defender uses the Microsoft Malware Protection Engine. On which products is Defender installed and active by default?

Defender runs on all supported version of Windows.

Are there other products that use the Microsoft Malware Protection Engine?

Yes, Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection and Microsoft Security Essentials.

Does this update contain any additional security-related changes to functionality?

Yes.  In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55012
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Malware Protection Engine Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55012 Anonymous


CVE-2026-50524 - .NET Framework Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50524
MITRE
NVD
CVE Title: .NET Framework Denial of Service Vulnerability
Description:

Improper validation of specified type of input in .NET Framework allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50524
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50524 41ae55e9310ff27fa6f26af4727e5590


CVE-2026-54117 - Microsoft SQL Server Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54117
MITRE
NVD
CVE Title: Microsoft SQL Server Remote Code Execution Vulnerability
Description:

Deserialization of untrusted data in SQL Server allows an authorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An authenticated attacker with explicit permissions could exploit the vulnerability by logging in to the SQL server and could then elevate their privileges to sysadmin.


According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability?

The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.


I am running SQL Server on my system. What action do I need to take?

Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates.

There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?

  • First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components.
  • Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install.

Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.

Update Number Title Version Apply if current product version is… This security update also includes servicing releases up through…
5101346 Security update for SQL Server 2025 CU6+GDR 17.0.4060.2 17.0.4006.2 - 17.0.4055.5 KB5093421 - Previous SQL2025 RTM CU6
5102333 Security update for SQL Server 2025 RTM+GDR 17.0.1125.2 17.0.1000.7 - 17.0.1115.1 KB5091223 - Previous SQL2025 RTM GDR
5101347 Security update for SQL Server 2022 CU25+GDR 16.0.4262.2 16.0.4003.1 - 16.0.4255.1 KB5081477 - Previous SQL2022 RTM CU25
5102334 Security update for SQL Server 2022 RTM+GDR 16.0.1190.2 16.0.1000.6 - 16.0.1180.1 KB5091158 - Previous SQL2022 RTM GDR
5102335 Security update for SQL Server 2019 CU32+GDR 15.0.4480.2 15.0.4003.23 - 15.0.4470.1 KB5090407 - Previous SQL2019 RTM CU32 GDR
5102336 Security update for SQL Server 2019 RTM+GDR 15.0.2180.2 15.0.2000.5 - 15.0.2170.1 KB 5090408 - Previous SQL2019 RTM GDR
5102337 Security update for SQL Server 2017 CU31+GDR 14.0.3540.1 14.0.3006.16 - 14.0.3530.2 KB 5090354 - Previous SQL2017 RTM CU31 GDR
5102338 Security update for SQL Server 2017 RTM+GDR 14.0.2120.1 14.0.1000.169 - 14.0.2110.2 KB 5090347 - Previous SQL2017 RTM GDR
5102339 Security update for SQL Server 2016 Azure Connect Feature Pack+GDR 13.0.7095.1 13.0.7000.253 - 13.0.7085.1 KB 5089270 - Previous SQL2016 Azure Connect Feature Pack GDR
5102340 Security update for SQL Server 2016 SP3+GDR 13.0.6500.1 13.0.6300.2 - 13.0.6490.1 KB 5089271 - Previous SQL2016 RTM GDR

What are the GDR and CU update designations and how do they differ?

The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.

  • GDR updates – cumulatively only contain security updates for the given baseline.
  • CU updates – cumulatively contain all functional fixes and security updates for the given baseline.

For any given baseline, either the GDR or CU updates could be options (see below).

  • If SQL Server installation is at a baseline version, you can choose either the GDR or CU update.
  • If SQL Server installation has intentionally only installed past GDR updates, then choose to install the GDR update package.
  • If SQL Server installation has intentionally installed previous CU updates, then choose to install the CU security update package.

Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path.

Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)?

Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54117
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SQL Server 2025 for x64-based Systems (CU6) 5101346 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2025 for x64-based Systems (GDR) 5102333 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54117 Piotr Bazydło (@chudypb)


CVE-2026-54118 - Microsoft SQL Server Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54118
MITRE
NVD
CVE Title: Microsoft SQL Server Remote Code Execution Vulnerability
Description:

Deserialization of untrusted data in SQL Server allows an authorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability?

The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.


How could an attacker exploit this vulnerability?

An authenticated attacker with explicit permissions could exploit the vulnerability by logging in to the SQL server and could then elevate their privileges to sysadmin.


I am running SQL Server on my system. What action do I need to take?

Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates.

There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?

  • First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components.
  • Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install.

Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.

Update Number Title Version Apply if current product version is… This security update also includes servicing releases up through…
5101346 Security update for SQL Server 2025 CU6+GDR 17.0.4060.2 17.0.4006.2 - 17.0.4055.5 KB5093421 - Previous SQL2025 RTM CU6
5102333 Security update for SQL Server 2025 RTM+GDR 17.0.1125.2 17.0.1000.7 - 17.0.1115.1 KB5091223 - Previous SQL2025 RTM GDR
5101347 Security update for SQL Server 2022 CU25+GDR 16.0.4262.2 16.0.4003.1 - 16.0.4255.1 KB5081477 - Previous SQL2022 RTM CU25
5102334 Security update for SQL Server 2022 RTM+GDR 16.0.1190.2 16.0.1000.6 - 16.0.1180.1 KB5091158 - Previous SQL2022 RTM GDR
5102335 Security update for SQL Server 2019 CU32+GDR 15.0.4480.2 15.0.4003.23 - 15.0.4470.1 KB5090407 - Previous SQL2019 RTM CU32 GDR
5102336 Security update for SQL Server 2019 RTM+GDR 15.0.2180.2 15.0.2000.5 - 15.0.2170.1 KB 5090408 - Previous SQL2019 RTM GDR
5102337 Security update for SQL Server 2017 CU31+GDR 14.0.3540.1 14.0.3006.16 - 14.0.3530.2 KB 5090354 - Previous SQL2017 RTM CU31 GDR
5102338 Security update for SQL Server 2017 RTM+GDR 14.0.2120.1 14.0.1000.169 - 14.0.2110.2 KB 5090347 - Previous SQL2017 RTM GDR
5102339 Security update for SQL Server 2016 Azure Connect Feature Pack+GDR 13.0.7095.1 13.0.7000.253 - 13.0.7085.1 KB 5089270 - Previous SQL2016 Azure Connect Feature Pack GDR
5102340 Security update for SQL Server 2016 SP3+GDR 13.0.6500.1 13.0.6300.2 - 13.0.6490.1 KB 5089271 - Previous SQL2016 RTM GDR

What are the GDR and CU update designations and how do they differ?

The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.

  • GDR updates – cumulatively only contain security updates for the given baseline.
  • CU updates – cumulatively contain all functional fixes and security updates for the given baseline.

For any given baseline, either the GDR or CU updates could be options (see below).

  • If SQL Server installation is at a baseline version, you can choose either the GDR or CU update.
  • If SQL Server installation has intentionally only installed past GDR updates, then choose to install the GDR update package.
  • If SQL Server installation has intentionally installed previous CU updates, then choose to install the CU security update package.

Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path.

Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)?

Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54118
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) 5102340 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack 5102339 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2017 for x64-based Systems (CU 31) 5102337 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2017 for x64-based Systems (GDR) 5102338 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2019 for x64-based Systems (CU 32) 5102335 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2019 for x64-based Systems (GDR) 5102336 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2022 for x64-based Systems (CU 25) 5101347 (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SQL Server 2022 for x64-based Systems (GDR) 5102334 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2025 for x64-based Systems (CU6) 5101346 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2025 for x64-based Systems (GDR) 5102333 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54118 Piotr Bazydło (@chudypb)


CVE-2026-55002 - Microsoft SQL Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55002
MITRE
NVD
CVE Title: Microsoft SQL Server Elevation of Privilege Vulnerability
Description:

External control of file name or path in SQL Server allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain sysadmin privileges.


I am running SQL Server on my system. What action do I need to take?

Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates.

There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?

  • First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components.
  • Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install.

Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.

Update Number Title Version Apply if current product version is… This security update also includes servicing releases up through…
5101346 Security update for SQL Server 2025 CU6+GDR 17.0.4060.2 17.0.4006.2 - 17.0.4055.5 KB5093421 - Previous SQL2025 RTM CU6
5102333 Security update for SQL Server 2025 RTM+GDR 17.0.1125.2 17.0.1000.7 - 17.0.1115.1 KB5091223 - Previous SQL2025 RTM GDR
5101347 Security update for SQL Server 2022 CU25+GDR 16.0.4262.2 16.0.4003.1 - 16.0.4255.1 KB5081477 - Previous SQL2022 RTM CU25
5102334 Security update for SQL Server 2022 RTM+GDR 16.0.1190.2 16.0.1000.6 - 16.0.1180.1 KB5091158 - Previous SQL2022 RTM GDR
5102335 Security update for SQL Server 2019 CU32+GDR 15.0.4480.2 15.0.4003.23 - 15.0.4470.1 KB5090407 - Previous SQL2019 RTM CU32 GDR
5102336 Security update for SQL Server 2019 RTM+GDR 15.0.2180.2 15.0.2000.5 - 15.0.2170.1 KB 5090408 - Previous SQL2019 RTM GDR
5102337 Security update for SQL Server 2017 CU31+GDR 14.0.3540.1 14.0.3006.16 - 14.0.3530.2 KB 5090354 - Previous SQL2017 RTM CU31 GDR
5102338 Security update for SQL Server 2017 RTM+GDR 14.0.2120.1 14.0.1000.169 - 14.0.2110.2 KB 5090347 - Previous SQL2017 RTM GDR
5102339 Security update for SQL Server 2016 Azure Connect Feature Pack+GDR 13.0.7095.1 13.0.7000.253 - 13.0.7085.1 KB 5089270 - Previous SQL2016 Azure Connect Feature Pack GDR
5102340 Security update for SQL Server 2016 SP3+GDR 13.0.6500.1 13.0.6300.2 - 13.0.6490.1 KB 5089271 - Previous SQL2016 RTM GDR

What are the GDR and CU update designations and how do they differ?

The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.

  • GDR updates – cumulatively only contain security updates for the given baseline.
  • CU updates – cumulatively contain all functional fixes and security updates for the given baseline.

For any given baseline, either the GDR or CU updates could be options (see below).

  • If SQL Server installation is at a baseline version, you can choose either the GDR or CU update.
  • If SQL Server installation has intentionally only installed past GDR updates, then choose to install the GDR update package.
  • If SQL Server installation has intentionally installed previous CU updates, then choose to install the CU security update package.

Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path.

Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)?

Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55002
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) 5102340 (Security Update) Unknown Unknown None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack 5102339 (Security Update) Unknown Unknown None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2017 for x64-based Systems (CU 31) 5102337 (Security Update) Unknown Unknown None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2017 for x64-based Systems (GDR) 5102338 (Security Update) Unknown Unknown None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2019 for x64-based Systems (CU 32) 5102335 (Security Update) Unknown Unknown None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2019 for x64-based Systems (GDR) 5102336 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2022 for x64-based Systems (CU 25) 5101347 (Security Update) Unknown Unknown None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2022 for x64-based Systems (GDR) 5102334 (Security Update) Unknown Unknown None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2025 for x64-based Systems (CU6) 5101346 (Security Update) Unknown Unknown None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2025 for x64-based Systems (GDR) 5102333 (Security Update) Unknown Unknown None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55002 Fabiano Amorim with Pythian


CVE-2026-55144 - Windows Cryptography API: Next Generation (CNG) Tampering Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55144
MITRE
NVD
CVE Title: Windows Cryptography API: Next Generation (CNG) Tampering Vulnerability
Description:

Missing cryptographic step in Windows CryptoAPI allows an authorized attacker to perform tampering locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Tampering

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55144
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55144 Samuel Lee with Microsoft


Samuel Lee with Microsoft


CVE-2026-50520 - Visual Studio Code Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50520
MITRE
NVD
CVE Title: Visual Studio Code Remote Code Execution Vulnerability
Description:

Improper neutralization of special elements used in a command ('command injection') in Visual Studio Code allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50520
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Visual Studio Code Release Notes (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50520 Daniel Santos with Microsoft


CVE-2026-54108 - Microsoft SharePoint Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54108
MITRE
NVD
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description:

External control of file name or path in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.


FAQ:

I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54108
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54108 Piotr Bazydło (@chudypb)


41ae55e9310ff27fa6f26af4727e5590


CVE-2026-50675 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50675
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50675
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50675 Anonymous


CVE-2026-50678 - Microsoft Excel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50678
MITRE
NVD
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure,
Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50678
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Information Disclosure None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50678 f4 & Zhiniang Peng with HUST


CVE-2026-54988 - Microsoft Excel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54988
MITRE
NVD
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metrics, exploitation results in a small loss of confidentiality (C:L), no integrity impact (I:N), and high availability impact (A:H). What does this mean?

This means that an attacker could potentially see a small amount of information they should not have access to, but they cannot change data or system settings. The primary impact is that the affected service could stop working or crash, which may temporarily disrupt normal system operations.


What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54988
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54988 Haein Lee with KAIST Hacking Lab


CVE-2026-55899 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55899
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Stack-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55899
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55899 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55945 - Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55945
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Edge (Chromium-based) allows an authorized attacker to disclose information locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is file content.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability?

An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Moderate Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55945
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Moderate Information Disclosure None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55945 Gal Weizman (weizmangal@gmail.com / https://x.com/weizmangal)


CVE-2026-55948 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55948
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55948
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55948 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-56155 - Active Directory Federation Services Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56155
MITRE
NVD
CVE Title: Active Directory Federation Services Elevation of Privilege Vulnerability
Description:

Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain administrator privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Detected Not Found Not Applicable No Yes

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56155
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56155 Scott Clark (DART) with Microsoft


Jeremy Kingston (DART) with Microsoft


CVE-2026-56164 - Microsoft SharePoint Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56164
MITRE
NVD
CVE Title: Microsoft SharePoint Server Elevation of Privilege Vulnerability
Description:

Missing authentication for critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network.


FAQ:

According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability?

The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.


I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


Mitigations:

Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Moderate Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Detected Not Found Not Applicable No Yes

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56164
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Moderate Elevation of Privilege None Base: 5.3
Temporal: 4.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Moderate Elevation of Privilege None Base: 5.3
Temporal: 4.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Moderate Elevation of Privilege None Base: 5.3
Temporal: 4.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56164 Anonymous


Genwei Jiang with Google Cloud, FLARE OTF


Jayson Frost with Mandiant Incident Response


CVE-2026-56169 - Windows Admin Center Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56169
MITRE
NVD
CVE Title: Windows Admin Center Elevation of Privilege Vulnerability
Description:

Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56169
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows Admin Center Release Notes (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56169 Howard McGreehan with MSRC V&M


CVE-2026-56170 - ASP.NET Core Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56170
MITRE
NVD
CVE Title: ASP.NET Core Denial of Service Vulnerability
Description:

Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56170
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56170 Ky0toFu


CVE-2026-50694 - Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50694
MITRE
NVD
CVE Title: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Description:

Use after free in Windows Secure Socket Tunneling Protocol (SSTP) allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit the vulnerability?

To exploit this vulnerability, an attacker would need to send a specially crafted malicious SSTP packet to a SSTP server. This could result in remote code execution on the server side.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50694
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50694

CVE-2026-54127 - Windows Hyper-V Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54127
MITRE
NVD
CVE Title: Windows Hyper-V Elevation of Privilege Vulnerability
Description:

Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54127
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.4
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.4
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.4
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.4
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Elevation of Privilege None Base: 7.4
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Elevation of Privilege None Base: 7.4
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Elevation of Privilege None Base: 7.4
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Elevation of Privilege None Base: 7.4
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Elevation of Privilege None Base: 7.4
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54127 MORSE with Microsoft


CVE-2026-56193 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56193
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could obtain limited memory-related information, specifically a heap address returned by the affected service.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56193
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56193 Haein Lee with KAIST Hacking Lab


CVE-2026-56185 - Windows Admin Center Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56185
MITRE
NVD
CVE Title: Windows Admin Center Information Disclosure Vulnerability
Description:

Improper authentication in Windows Admin Center allows an authorized attacker to disclose information over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56185
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows Admin Center Release Notes (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56185 Howard McGreehan with MSRC V&M


CVE-2026-57097 - Microsoft XML Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57097
MITRE
NVD
CVE Title: Microsoft XML Security Feature Bypass Vulnerability
Description:

Untrusted search path in Microsoft XML allows an unauthorized attacker to bypass a security feature with a physical attack.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57097
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Security Feature Bypass None Base: 6.4
Temporal: 5.6
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57097 Ken Pyle with Independent Academic & Responsible Cybersecurity Research


CVE-2026-57107 - Windows Admin Center Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57107
MITRE
NVD
CVE Title: Windows Admin Center Elevation of Privilege Vulnerability
Description:

Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57107
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows Admin Center Release Notes (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57107 sho odagiri with GMO Cybersecurity by Ierae inc


Anonymous


CVE-2026-57969 - Azure CycleCloud Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57969
MITRE
NVD
CVE Title: Azure CycleCloud Elevation of Privilege Vulnerability
Description:

Missing authentication for critical function in Azure CycleCloud allows an authorized attacker to elevate privileges over a network.


FAQ:

How could an attacker exploit this vulnerability?

An authenticated user who has the Cluster Creator role could exploit this vulnerability by using a cluster creation operation in a way that bypasses an authorization check. By doing so, the attacker could overwrite another user’s cluster, including a cluster owned by an administrator, and take ownership of it.


What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain full control of the affected cluster that was overwritten and taken over. This could allow the attacker to run unauthorized code, remove or alter credentials associated with the cluster, and perform actions with the same level of access available within that cluster.


What do I need to do to protect myself?

Customers should update to Azure CycleCloud 8.9.1 (Build 8.9.1-3806), which includes the fix for this vulnerability. New installations and upgrades to an existing CycleCloud deployment will receive the updated packages containing the fix.

For installation and upgrade guidance, see:

Updated packages are available through Microsoft's package repositories and the Azure Marketplace image for CycleCloud 8.9.1.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57969
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Azure CycleCloud 8.9.1 Release Notes (Security Update - Marketplace Image)
Release Notes (Security Update - PMC DEB)
Release Notes (Security Update - PMC RPM)
Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57969 Asaf Cohen with XBreach.ai


XBREACH.AI TEAM with https://xbreach.ai/


XBREACH.AI TEAM with https://xbreach.ai/


CVE-2026-57976 - Windows Active Directory Domain Services Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57976
MITRE
NVD
CVE Title: Windows Active Directory Domain Services Denial of Service Vulnerability
Description:

Null pointer dereference in Active Directory Domain Services allows an authorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57976
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57976 Ravi Kumar


CVE-2026-57979 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57979
MITRE
NVD
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read portions of heap memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57979
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57979 Sanil Singh Tomar with Microsoft


CVE-2026-57981 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57981
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


How could an attacker exploit this vulnerability?

An authenticated attacker can run arbitrary SQL queries as the SMS service (with sysadmin privileges). Since the injection happens during a user permission check, even users with read-only RBAC roles can exploit it. Any local SMS Admins group member on the SMS Provider host can also take advantage of this vulnerability.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57981
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57981 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-57983 - Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57983
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Description:

Improper authorization in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An unauthenticated attacker is able to bypass the expected user access.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57983
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Security Feature Bypass None Base: 8.7
Temporal: 7.6
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57983 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-57984 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57984
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57984
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57984 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-57985 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57985
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57985
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 7.6
Temporal: 6.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57985 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-57986 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57986
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57986
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57986 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-57987 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57987
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57987
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57987 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-57988 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57988
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Relative path traversal in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57988
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57988 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-55014 - Windows Remote Help Defense Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55014
MITRE
NVD
CVE Title: Windows Remote Help Defense Elevation of Privilege Vulnerability
Description:

Improper access control in Windows Remote Help Defense allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain the privileges of the compromised user.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55014
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows Remote Help Release Notes (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55014 Nick Agathos with Commonwealth Bank of Australia


CVE-2026-57991 - Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57991
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Description:

Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57991
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Information Disclosure None Base: 7.4
Temporal: 6.4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57991 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-57992 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57992
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57992
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57992 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58276 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58276
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58276
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58276 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58278 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58278
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58278
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Spoofing None Base: 5.4
Temporal: 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58278 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58279 - Azure CycleCloud Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58279
MITRE
NVD
CVE Title: Azure CycleCloud Elevation of Privilege Vulnerability
Description:

Missing authorization in Azure CycleCloud allows an authorized attacker to elevate privileges over a network.


FAQ:

What do I need to do to protect myself?

Customers should update to Azure CycleCloud 8.9.1 (Build 8.9.1-3806), which includes the fix for this vulnerability. New installations and upgrades to an existing CycleCloud deployment will receive the updated packages containing the fix.

For installation and upgrade guidance, see:

Updated packages are available through Microsoft's package repositories and the Azure Marketplace image for CycleCloud 8.9.1.


What privileges could be gained by an attacker who successfully exploited the vulnerability?

A low-privilege attacker who successfully exploits the vulnerability could potentially elevate their privileges to perform unauthorized modification of another user's cluster.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) and availability (A:L), but could lead to major loss of integrity (I:H). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could gain the ability to modify another user's cluster without authorization. It does not lead to information disclosure or service downtime.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58279
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Azure CycleCloud 8.9.1 Release Notes (Security Update - PMC RPM)
Release Notes (Security Update - PMC DEB)
Release Notes (Security Update - Marketplace Image)
Important Elevation of Privilege None Base: 6.5
Temporal: 5.9
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58279 XBREACH.AI TEAM with https://xbreach.ai/


CVE-2026-58526 - Windows Storage Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58526
MITRE
NVD
CVE Title: Windows Storage Elevation of Privilege Vulnerability
Description:

Use after free in Windows Storage allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58526
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58526 Anonymous


CVE-2026-58595 - Microsoft Bing App for IOS Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58595
MITRE
NVD
CVE Title: Microsoft Bing App for IOS Spoofing Vulnerability
Description:

Improper restriction of rendered ui layers or frames in Microsoft Bing App for IOS allows an unauthorized attacker to perform spoofing over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58595
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Bing Search for iOS Release Notes (Security Update) Important Spoofing None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58595 Azza Tegar Naufal Ataullah


CVE-2026-50522 - Microsoft SharePoint Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50522
MITRE
NVD
CVE Title: Microsoft SharePoint Remote Code Execution Vulnerability
Description:

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.


FAQ:

I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


How could an attacker exploit the vulnerability?

In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server.


According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability?

The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50522
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50522 splitline (@_splitline_) from DEVCORE Research Team working withTrendAI Zero Day Initiative


CVE-2026-56645 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56645
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56645
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56645 sangnt (@gnas0x0018) with Viettel Cyber Security


CVE-2026-56646 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56646
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56646
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56646 Orange Tsai (@orange_8361) with DEVCORE


CVE-2026-13775 - Chromium: CVE-2026-13775 Use after free in GPU

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13775
MITRE
NVD
CVE Title: Chromium: CVE-2026-13775 Use after free in GPU
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:38    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13775
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13775 None

CVE-2026-13776 - Chromium: CVE-2026-13776 Type Confusion in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13776
MITRE
NVD
CVE Title: Chromium: CVE-2026-13776 Type Confusion in Dawn
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:40    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13776
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13776 None

CVE-2026-13779 - Chromium: CVE-2026-13779 Use after free in Chromoting

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13779
MITRE
NVD
CVE Title: Chromium: CVE-2026-13779 Use after free in Chromoting
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:42    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13779
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13779 None

CVE-2026-13780 - Chromium: CVE-2026-13780 Insufficient validation of untrusted input in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13780
MITRE
NVD
CVE Title: Chromium: CVE-2026-13780 Insufficient validation of untrusted input in ANGLE
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:43    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13780
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13780 None

CVE-2026-13781 - Chromium: CVE-2026-13781 Insufficient validation of untrusted input in Skia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13781
MITRE
NVD
CVE Title: Chromium: CVE-2026-13781 Insufficient validation of untrusted input in Skia
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:44    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13781
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13781 None

CVE-2026-13782 - Chromium: CVE-2026-13782 Use after free in Browser

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13782
MITRE
NVD
CVE Title: Chromium: CVE-2026-13782 Use after free in Browser
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:45    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13782
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13782 None

CVE-2026-13783 - Chromium: CVE-2026-13783 Use after free in Views

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13783
MITRE
NVD
CVE Title: Chromium: CVE-2026-13783 Use after free in Views
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:46    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13783
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13783 None

CVE-2026-13784 - Chromium: CVE-2026-13784 Use after free in Views

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13784
MITRE
NVD
CVE Title: Chromium: CVE-2026-13784 Use after free in Views
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:48    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13784
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13784 None

CVE-2026-13786 - Chromium: CVE-2026-13786 Use after free in Ozone

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13786
MITRE
NVD
CVE Title: Chromium: CVE-2026-13786 Use after free in Ozone
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:49    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13786
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13786 None

CVE-2026-13787 - Chromium: CVE-2026-13787 Use after free in Chromoting

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13787
MITRE
NVD
CVE Title: Chromium: CVE-2026-13787 Use after free in Chromoting
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:50    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13787
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13787 None

CVE-2026-13790 - Chromium: CVE-2026-13790 Side-channel information leakage in Scroll

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13790
MITRE
NVD
CVE Title: Chromium: CVE-2026-13790 Side-channel information leakage in Scroll
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:53    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13790
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13790 None

CVE-2026-13793 - Chromium: CVE-2026-13793 Insufficient policy enforcement in SVG

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13793
MITRE
NVD
CVE Title: Chromium: CVE-2026-13793 Insufficient policy enforcement in SVG
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:54    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13793
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13793 None

CVE-2026-13794 - Chromium: CVE-2026-13794 Insufficient validation of untrusted input in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13794
MITRE
NVD
CVE Title: Chromium: CVE-2026-13794 Insufficient validation of untrusted input in WebAppInstalls
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:55    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13794
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13794 None

CVE-2026-13797 - Chromium: CVE-2026-13797 Insufficient validation of untrusted input in Chromecast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13797
MITRE
NVD
CVE Title: Chromium: CVE-2026-13797 Insufficient validation of untrusted input in Chromecast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:58    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13797
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13797 None

CVE-2026-13798 - Chromium: CVE-2026-13798 Heap buffer overflow in Chromecast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13798
MITRE
NVD
CVE Title: Chromium: CVE-2026-13798 Heap buffer overflow in Chromecast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:59    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13798
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13798 None

CVE-2026-13801 - Chromium: CVE-2026-13801 Integer overflow in Chromecast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13801
MITRE
NVD
CVE Title: Chromium: CVE-2026-13801 Integer overflow in Chromecast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:03    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13801
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13801 None

CVE-2026-13802 - Chromium: CVE-2026-13802 Use after free in Views

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13802
MITRE
NVD
CVE Title: Chromium: CVE-2026-13802 Use after free in Views
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:04    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13802
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13802 None

CVE-2026-13803 - Chromium: CVE-2026-13803 Type Confusion in Chrome Tabs

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13803
MITRE
NVD
CVE Title: Chromium: CVE-2026-13803 Type Confusion in Chrome Tabs
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:05    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13803
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13803 None

CVE-2026-13804 - Chromium: CVE-2026-13804 Use after free in Chromecast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13804
MITRE
NVD
CVE Title: Chromium: CVE-2026-13804 Use after free in Chromecast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:06    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13804
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13804 None

CVE-2026-13848 - Chromium: CVE-2026-13848 Use after free in Forms

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13848
MITRE
NVD
CVE Title: Chromium: CVE-2026-13848 Use after free in Forms
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:40    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13848
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13848 None

CVE-2026-13849 - Chromium: CVE-2026-13849 Insufficient validation of untrusted input in Chromoting

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13849
MITRE
NVD
CVE Title: Chromium: CVE-2026-13849 Insufficient validation of untrusted input in Chromoting
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:41    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13849
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13849 None

CVE-2026-13853 - Chromium: CVE-2026-13853 Use after free in Journeys

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13853
MITRE
NVD
CVE Title: Chromium: CVE-2026-13853 Use after free in Journeys
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:42    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13853
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13853 None

CVE-2026-13855 - Chromium: CVE-2026-13855 Use after free in Ozone

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13855
MITRE
NVD
CVE Title: Chromium: CVE-2026-13855 Use after free in Ozone
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:44    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13855
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13855 None

CVE-2026-13857 - Chromium: CVE-2026-13857 Inappropriate implementation in Geometry

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13857
MITRE
NVD
CVE Title: Chromium: CVE-2026-13857 Inappropriate implementation in Geometry
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:46    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13857
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13857 None

CVE-2026-13858 - Chromium: CVE-2026-13858 Out of bounds read in FFmpeg

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13858
MITRE
NVD
CVE Title: Chromium: CVE-2026-13858 Out of bounds read in FFmpeg
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:47    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13858
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13858 None

CVE-2026-13859 - Chromium: CVE-2026-13859 Inappropriate implementation in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13859
MITRE
NVD
CVE Title: Chromium: CVE-2026-13859 Inappropriate implementation in ANGLE
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:48    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13859
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13859 None

CVE-2026-13854 - Chromium: CVE-2026-13854 Use after free in Ozone

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13854
MITRE
NVD
CVE Title: Chromium: CVE-2026-13854 Use after free in Ozone
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:43    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13854
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13854 None

CVE-2026-13860 - Chromium: CVE-2026-13860 Incorrect security UI in Autofill

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13860
MITRE
NVD
CVE Title: Chromium: CVE-2026-13860 Incorrect security UI in Autofill
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:49    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13860
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13860 None

CVE-2026-13864 - Chromium: CVE-2026-13864 Insufficient policy enforcement in WebHID

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13864
MITRE
NVD
CVE Title: Chromium: CVE-2026-13864 Insufficient policy enforcement in WebHID
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:51    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13864
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13864 None

CVE-2026-13861 - Chromium: CVE-2026-13861 Use after free in Core

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13861
MITRE
NVD
CVE Title: Chromium: CVE-2026-13861 Use after free in Core
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:50    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13861
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13861 None

CVE-2026-13865 - Chromium: CVE-2026-13865 Insufficient validation of untrusted input in Enterprise

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13865
MITRE
NVD
CVE Title: Chromium: CVE-2026-13865 Insufficient validation of untrusted input in Enterprise
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:53    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13865
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13865 None

CVE-2026-13867 - Chromium: CVE-2026-13867 Inappropriate implementation in Geolocation

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13867
MITRE
NVD
CVE Title: Chromium: CVE-2026-13867 Inappropriate implementation in Geolocation
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:34    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13867
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13867 None

CVE-2026-13869 - Chromium: CVE-2026-13869 Use after free in Device

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13869
MITRE
NVD
CVE Title: Chromium: CVE-2026-13869 Use after free in Device
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:55    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13869
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13869 None

CVE-2026-13871 - Chromium: CVE-2026-13871 Insufficient data validation in GuestView

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13871
MITRE
NVD
CVE Title: Chromium: CVE-2026-13871 Insufficient data validation in GuestView
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:56    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13871
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13871 None

CVE-2026-13873 - Chromium: CVE-2026-13873 Out of bounds memory access in Layout

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13873
MITRE
NVD
CVE Title: Chromium: CVE-2026-13873 Out of bounds memory access in Layout
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:57    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13873
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13873 None

CVE-2026-13874 - Chromium: CVE-2026-13874 Inappropriate implementation in DataTransfer

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13874
MITRE
NVD
CVE Title: Chromium: CVE-2026-13874 Inappropriate implementation in DataTransfer
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:59    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13874
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13874 None

CVE-2026-13876 - Chromium: CVE-2026-13876 Inappropriate implementation in Network

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13876
MITRE
NVD
CVE Title: Chromium: CVE-2026-13876 Inappropriate implementation in Network
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:01    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13876
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13876 None

CVE-2026-13877 - Chromium: CVE-2026-13877 Insufficient validation of untrusted input in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13877
MITRE
NVD
CVE Title: Chromium: CVE-2026-13877 Insufficient validation of untrusted input in ANGLE
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:02    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13877
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13877 None

CVE-2026-13875 - Chromium: CVE-2026-13875 Insufficient validation of untrusted input in GPU

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13875
MITRE
NVD
CVE Title: Chromium: CVE-2026-13875 Insufficient validation of untrusted input in GPU
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13875
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13875 None

CVE-2026-13879 - Chromium: CVE-2026-13879 Use after free in Bluetooth

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13879
MITRE
NVD
CVE Title: Chromium: CVE-2026-13879 Use after free in Bluetooth
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:03    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13879
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13879 None

CVE-2026-13882 - Chromium: CVE-2026-13882 Inappropriate implementation in USB

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13882
MITRE
NVD
CVE Title: Chromium: CVE-2026-13882 Inappropriate implementation in USB
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:06    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13882
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13882 None

CVE-2026-13881 - Chromium: CVE-2026-13881 Insufficient data validation in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13881
MITRE
NVD
CVE Title: Chromium: CVE-2026-13881 Insufficient data validation in WebAppInstalls
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:05    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13881
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13881 None

CVE-2026-13883 - Chromium: CVE-2026-13883 Type Confusion in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13883
MITRE
NVD
CVE Title: Chromium: CVE-2026-13883 Type Confusion in ANGLE
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:35    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13883
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13883 None

CVE-2026-13886 - Chromium: CVE-2026-13886 Policy bypass in Isolated Web Apps

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13886
MITRE
NVD
CVE Title: Chromium: CVE-2026-13886 Policy bypass in Isolated Web Apps
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:10    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13886
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13886 None

CVE-2026-13888 - Chromium: CVE-2026-13888 Use after free in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13888
MITRE
NVD
CVE Title: Chromium: CVE-2026-13888 Use after free in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:11    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13888
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13888 None

CVE-2026-13884 - Chromium: CVE-2026-13884 Heap buffer overflow in Chromecast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13884
MITRE
NVD
CVE Title: Chromium: CVE-2026-13884 Heap buffer overflow in Chromecast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:08    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13884
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13884 None

CVE-2026-13890 - Chromium: CVE-2026-13890 Out of bounds read in Chromecast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13890
MITRE
NVD
CVE Title: Chromium: CVE-2026-13890 Out of bounds read in Chromecast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:12    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13890
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13890 None

CVE-2026-13891 - Chromium: CVE-2026-13891 Insufficient validation of untrusted input in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13891
MITRE
NVD
CVE Title: Chromium: CVE-2026-13891 Insufficient validation of untrusted input in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:13    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13891
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13891 None

CVE-2026-13893 - Chromium: CVE-2026-13893 Insufficient validation of untrusted input in WebUI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13893
MITRE
NVD
CVE Title: Chromium: CVE-2026-13893 Insufficient validation of untrusted input in WebUI
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:14    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13893
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13893 None

CVE-2026-13894 - Chromium: CVE-2026-13894 Insufficient policy enforcement in Network

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13894
MITRE
NVD
CVE Title: Chromium: CVE-2026-13894 Insufficient policy enforcement in Network
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:16    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13894
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13894 None

CVE-2026-13895 - Chromium: CVE-2026-13895 Inappropriate implementation in Autofill

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13895
MITRE
NVD
CVE Title: Chromium: CVE-2026-13895 Inappropriate implementation in Autofill
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:17    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13895
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13895 None

CVE-2026-13896 - Chromium: CVE-2026-13896 Insufficient policy enforcement in Glic

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13896
MITRE
NVD
CVE Title: Chromium: CVE-2026-13896 Insufficient policy enforcement in Glic
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:19    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13896
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13896 None

CVE-2026-13897 - Chromium: CVE-2026-13897 Insufficient policy enforcement in Chromecast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13897
MITRE
NVD
CVE Title: Chromium: CVE-2026-13897 Insufficient policy enforcement in Chromecast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:20    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13897
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13897 None

CVE-2026-13898 - Chromium: CVE-2026-13898 Use after free in Cast Receiver

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13898
MITRE
NVD
CVE Title: Chromium: CVE-2026-13898 Use after free in Cast Receiver
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:21    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13898
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13898 None

CVE-2026-13901 - Chromium: CVE-2026-13901 Insufficient validation of untrusted input in Serial

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13901
MITRE
NVD
CVE Title: Chromium: CVE-2026-13901 Insufficient validation of untrusted input in Serial
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:25    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13901
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13901 None

CVE-2026-13900 - Chromium: CVE-2026-13900 Insufficient validation of untrusted input in Chromecast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13900
MITRE
NVD
CVE Title: Chromium: CVE-2026-13900 Insufficient validation of untrusted input in Chromecast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:24    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13900
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13900 None

CVE-2026-13899 - Chromium: CVE-2026-13899 Use after free in HTML

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13899
MITRE
NVD
CVE Title: Chromium: CVE-2026-13899 Use after free in HTML
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:23    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13899
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13899 None

CVE-2026-13903 - Chromium: CVE-2026-13903 Insufficient policy enforcement in Bluetooth

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13903
MITRE
NVD
CVE Title: Chromium: CVE-2026-13903 Insufficient policy enforcement in Bluetooth
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:37    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13903
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13903 None

CVE-2026-13906 - Chromium: CVE-2026-13906 Out of bounds read in Codecs

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13906
MITRE
NVD
CVE Title: Chromium: CVE-2026-13906 Out of bounds read in Codecs
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:28    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13906
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13906 None

CVE-2026-13909 - Chromium: CVE-2026-13909 Insufficient policy enforcement in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13909
MITRE
NVD
CVE Title: Chromium: CVE-2026-13909 Insufficient policy enforcement in DevTools
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:29    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13909
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13909 None

CVE-2026-13911 - Chromium: CVE-2026-13911 Insufficient data validation in Spellcheck

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13911
MITRE
NVD
CVE Title: Chromium: CVE-2026-13911 Insufficient data validation in Spellcheck
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:31    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13911
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13911 None

CVE-2026-13921 - Chromium: CVE-2026-13921 Insufficient validation of untrusted input in DeviceBoundSessionCredentials

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13921
MITRE
NVD
CVE Title: Chromium: CVE-2026-13921 Insufficient validation of untrusted input in DeviceBoundSessionCredentials
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:35    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13921
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13921 None

CVE-2026-13922 - Chromium: CVE-2026-13922 Side-channel information leakage in Paint

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13922
MITRE
NVD
CVE Title: Chromium: CVE-2026-13922 Side-channel information leakage in Paint
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:36    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13922
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13922 None

CVE-2026-13920 - Chromium: CVE-2026-13920 Insufficient validation of untrusted input in Media

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13920
MITRE
NVD
CVE Title: Chromium: CVE-2026-13920 Insufficient validation of untrusted input in Media
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:33    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13920
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13920 None

CVE-2026-13919 - Chromium: CVE-2026-13919 Insufficient data validation in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13919
MITRE
NVD
CVE Title: Chromium: CVE-2026-13919 Insufficient data validation in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:32    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13919
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13919 None

CVE-2026-13925 - Chromium: CVE-2026-13925 Inappropriate implementation in Downloads

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13925
MITRE
NVD
CVE Title: Chromium: CVE-2026-13925 Inappropriate implementation in Downloads
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:37    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13925
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13925 None

CVE-2026-13928 - Chromium: CVE-2026-13928 Insufficient validation of untrusted input in Enterprise

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13928
MITRE
NVD
CVE Title: Chromium: CVE-2026-13928 Insufficient validation of untrusted input in Enterprise
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:38    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13928
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13928 None

CVE-2026-13931 - Chromium: CVE-2026-13931 Inappropriate implementation in Media

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13931
MITRE
NVD
CVE Title: Chromium: CVE-2026-13931 Inappropriate implementation in Media
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:41    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13931
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13931 None

CVE-2026-13934 - Chromium: CVE-2026-13934 Insufficient validation of untrusted input in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13934
MITRE
NVD
CVE Title: Chromium: CVE-2026-13934 Insufficient validation of untrusted input in Dawn
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:44    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13934
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13934 None

CVE-2026-13933 - Chromium: CVE-2026-13933 Insufficient policy enforcement in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13933
MITRE
NVD
CVE Title: Chromium: CVE-2026-13933 Insufficient policy enforcement in Passwords
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:42    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13933
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13933 None

CVE-2026-13930 - Chromium: CVE-2026-13930 Insufficient policy enforcement in Actor

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13930
MITRE
NVD
CVE Title: Chromium: CVE-2026-13930 Insufficient policy enforcement in Actor
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:38    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13930
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13930 None

CVE-2026-13935 - Chromium: CVE-2026-13935 Side-channel information leakage in ComputePressure

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13935
MITRE
NVD
CVE Title: Chromium: CVE-2026-13935 Side-channel information leakage in ComputePressure
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:45    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13935
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13935 None

CVE-2026-13937 - Chromium: CVE-2026-13937 Insufficient policy enforcement in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13937
MITRE
NVD
CVE Title: Chromium: CVE-2026-13937 Insufficient policy enforcement in Passwords
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:46    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13937
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13937 None

CVE-2026-13938 - Chromium: CVE-2026-13938 Integer overflow in Fonts

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13938
MITRE
NVD
CVE Title: Chromium: CVE-2026-13938 Integer overflow in Fonts
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:47    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13938
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13938 None

CVE-2026-13940 - Chromium: CVE-2026-13940 Uninitialized Use in Cast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13940
MITRE
NVD
CVE Title: Chromium: CVE-2026-13940 Uninitialized Use in Cast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:48    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13940
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13940 None

CVE-2026-13942 - Chromium: CVE-2026-13942 Insufficient validation of untrusted input in Video Capture

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13942
MITRE
NVD
CVE Title: Chromium: CVE-2026-13942 Insufficient validation of untrusted input in Video Capture
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:51    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13942
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13942 None

CVE-2026-13941 - Chromium: CVE-2026-13941 Inappropriate implementation in SiteSettings

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13941
MITRE
NVD
CVE Title: Chromium: CVE-2026-13941 Inappropriate implementation in SiteSettings
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:50    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13941
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13941 None

CVE-2026-13945 - Chromium: CVE-2026-13945 Insufficient policy enforcement in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13945
MITRE
NVD
CVE Title: Chromium: CVE-2026-13945 Insufficient policy enforcement in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:52    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13945
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13945 None

CVE-2026-13947 - Chromium: CVE-2026-13947 Uninitialized Use in XR

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13947
MITRE
NVD
CVE Title: Chromium: CVE-2026-13947 Uninitialized Use in XR
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:53    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13947
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13947 None

CVE-2026-13948 - Chromium: CVE-2026-13948 Insufficient policy enforcement in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13948
MITRE
NVD
CVE Title: Chromium: CVE-2026-13948 Insufficient policy enforcement in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:39    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13948
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13948 None

CVE-2026-13950 - Chromium: CVE-2026-13950 Uninitialized Use in GPU

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13950
MITRE
NVD
CVE Title: Chromium: CVE-2026-13950 Uninitialized Use in GPU
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:55    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13950
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13950 None

CVE-2026-13951 - Chromium: CVE-2026-13951 Policy bypass in USB

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13951
MITRE
NVD
CVE Title: Chromium: CVE-2026-13951 Policy bypass in USB
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:57    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13951
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13951 None

CVE-2026-13952 - Chromium: CVE-2026-13952 Inappropriate implementation in PerformanceAPIs

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13952
MITRE
NVD
CVE Title: Chromium: CVE-2026-13952 Inappropriate implementation in PerformanceAPIs
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:58    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13952
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13952 None

CVE-2026-13953 - Chromium: CVE-2026-13953 Inappropriate implementation in SplitView

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13953
MITRE
NVD
CVE Title: Chromium: CVE-2026-13953 Inappropriate implementation in SplitView
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:59    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13953
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13953 None

CVE-2026-13956 - Chromium: CVE-2026-13956 Incorrect security UI in PageInfo

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13956
MITRE
NVD
CVE Title: Chromium: CVE-2026-13956 Incorrect security UI in PageInfo
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:01    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13956
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13956 None

CVE-2026-13958 - Chromium: CVE-2026-13958 Uninitialized Use in Codecs

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13958
MITRE
NVD
CVE Title: Chromium: CVE-2026-13958 Uninitialized Use in Codecs
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:04    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13958
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13958 None

CVE-2026-13957 - Chromium: CVE-2026-13957 Incorrect security UI in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13957
MITRE
NVD
CVE Title: Chromium: CVE-2026-13957 Incorrect security UI in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:03    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13957
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13957 None

CVE-2026-13959 - Chromium: CVE-2026-13959 Insufficient validation of untrusted input in Blink

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13959
MITRE
NVD
CVE Title: Chromium: CVE-2026-13959 Insufficient validation of untrusted input in Blink
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:05    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13959
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13959 None

CVE-2026-13960 - Chromium: CVE-2026-13960 Inappropriate implementation in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13960
MITRE
NVD
CVE Title: Chromium: CVE-2026-13960 Inappropriate implementation in Passwords
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:06    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13960
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13960 None

CVE-2026-13962 - Chromium: CVE-2026-13962 Insufficient data validation in PDF

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13962
MITRE
NVD
CVE Title: Chromium: CVE-2026-13962 Insufficient data validation in PDF
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:07    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13962
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13962 None

CVE-2026-13963 - Chromium: CVE-2026-13963 Inappropriate implementation in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13963
MITRE
NVD
CVE Title: Chromium: CVE-2026-13963 Inappropriate implementation in DevTools
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:08    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13963
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13963 None

CVE-2026-13965 - Chromium: CVE-2026-13965 Use after free in Oilpan

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13965
MITRE
NVD
CVE Title: Chromium: CVE-2026-13965 Use after free in Oilpan
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:10    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13965
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13965 None

CVE-2026-13967 - Chromium: CVE-2026-13967 Type Confusion in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13967
MITRE
NVD
CVE Title: Chromium: CVE-2026-13967 Type Confusion in V8
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:12    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13967
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13967 None

CVE-2026-13966 - Chromium: CVE-2026-13966 Inappropriate implementation in History

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13966
MITRE
NVD
CVE Title: Chromium: CVE-2026-13966 Inappropriate implementation in History
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:11    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13966
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13966 None

CVE-2026-13968 - Chromium: CVE-2026-13968 Insufficient validation of untrusted input in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13968
MITRE
NVD
CVE Title: Chromium: CVE-2026-13968 Insufficient validation of untrusted input in DevTools
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:13    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13968
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13968 None

CVE-2026-13970 - Chromium: CVE-2026-13970 Uninitialized Use in Media

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13970
MITRE
NVD
CVE Title: Chromium: CVE-2026-13970 Uninitialized Use in Media
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:14    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13970
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13970 None

CVE-2026-13972 - Chromium: CVE-2026-13972 Inappropriate implementation in Paint

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13972
MITRE
NVD
CVE Title: Chromium: CVE-2026-13972 Inappropriate implementation in Paint
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:17    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13972
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13972 None

CVE-2026-13971 - Chromium: CVE-2026-13971 Uninitialized Use in Skia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13971
MITRE
NVD
CVE Title: Chromium: CVE-2026-13971 Uninitialized Use in Skia
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:16    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13971
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13971 None

CVE-2026-13973 - Chromium: CVE-2026-13973 Inappropriate implementation in UI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13973
MITRE
NVD
CVE Title: Chromium: CVE-2026-13973 Inappropriate implementation in UI
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:41    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13973
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13973 None

CVE-2026-13976 - Chromium: CVE-2026-13976 Heap buffer overflow in Storage

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13976
MITRE
NVD
CVE Title: Chromium: CVE-2026-13976 Heap buffer overflow in Storage
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:19    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13976
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13976 None

CVE-2026-13977 - Chromium: CVE-2026-13977 Inappropriate implementation in HTMLParser

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13977
MITRE
NVD
CVE Title: Chromium: CVE-2026-13977 Inappropriate implementation in HTMLParser
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:21    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13977
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13977 None

CVE-2026-13978 - Chromium: CVE-2026-13978 Insufficient policy enforcement in PageInfo

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13978
MITRE
NVD
CVE Title: Chromium: CVE-2026-13978 Insufficient policy enforcement in PageInfo
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:22    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13978
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13978 None

CVE-2026-13979 - Chromium: CVE-2026-13979 Inappropriate implementation in Paint

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13979
MITRE
NVD
CVE Title: Chromium: CVE-2026-13979 Inappropriate implementation in Paint
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:23    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13979
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13979 None

CVE-2026-13982 - Chromium: CVE-2026-13982 Incorrect security UI in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13982
MITRE
NVD
CVE Title: Chromium: CVE-2026-13982 Incorrect security UI in Passwords
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:24    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13982
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13982 None

CVE-2026-13984 - Chromium: CVE-2026-13984 Incorrect security UI in TabStrip

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13984
MITRE
NVD
CVE Title: Chromium: CVE-2026-13984 Incorrect security UI in TabStrip
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:25    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13984
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13984 None

CVE-2026-13985 - Chromium: CVE-2026-13985 Inappropriate implementation in MediaCapture

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13985
MITRE
NVD
CVE Title: Chromium: CVE-2026-13985 Inappropriate implementation in MediaCapture
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:26    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13985
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13985 None

CVE-2026-13986 - Chromium: CVE-2026-13986 Inappropriate implementation in Media UI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13986
MITRE
NVD
CVE Title: Chromium: CVE-2026-13986 Inappropriate implementation in Media UI
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:28    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13986
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13986 None

CVE-2026-13989 - Chromium: CVE-2026-13989 Insufficient policy enforcement in PageInfo

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13989
MITRE
NVD
CVE Title: Chromium: CVE-2026-13989 Insufficient policy enforcement in PageInfo
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:43    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13989
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13989 None

CVE-2026-13988 - Chromium: CVE-2026-13988 Inappropriate implementation in Paint

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13988
MITRE
NVD
CVE Title: Chromium: CVE-2026-13988 Inappropriate implementation in Paint
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:29    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13988
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13988 None

CVE-2026-13993 - Chromium: CVE-2026-13993 Incorrect security UI in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13993
MITRE
NVD
CVE Title: Chromium: CVE-2026-13993 Incorrect security UI in WebAppInstalls
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:32    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13993
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13993 None

CVE-2026-13990 - Chromium: CVE-2026-13990 Insufficient validation of untrusted input in DataTransfer

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13990
MITRE
NVD
CVE Title: Chromium: CVE-2026-13990 Insufficient validation of untrusted input in DataTransfer
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:31    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13990
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13990 None

CVE-2026-13996 - Chromium: CVE-2026-13996 Incorrect security UI in Permissions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13996
MITRE
NVD
CVE Title: Chromium: CVE-2026-13996 Incorrect security UI in Permissions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:33    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13996
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13996 None

CVE-2026-13999 - Chromium: CVE-2026-13999 Inappropriate implementation in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13999
MITRE
NVD
CVE Title: Chromium: CVE-2026-13999 Inappropriate implementation in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:35    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13999
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13999 None

CVE-2026-14000 - Chromium: CVE-2026-14000 Inappropriate implementation in XML

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14000
MITRE
NVD
CVE Title: Chromium: CVE-2026-14000 Inappropriate implementation in XML
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:36    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14000
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14000 None

CVE-2026-14001 - Chromium: CVE-2026-14001 Inappropriate implementation in Network

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14001
MITRE
NVD
CVE Title: Chromium: CVE-2026-14001 Inappropriate implementation in Network
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:37    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14001
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14001 None

CVE-2026-14002 - Chromium: CVE-2026-14002 Inappropriate implementation in Geolocation

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14002
MITRE
NVD
CVE Title: Chromium: CVE-2026-14002 Inappropriate implementation in Geolocation
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:38    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14002
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14002 None

CVE-2026-14003 - Chromium: CVE-2026-14003 Insufficient policy enforcement in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14003
MITRE
NVD
CVE Title: Chromium: CVE-2026-14003 Insufficient policy enforcement in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:40    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14003
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14003 None

CVE-2026-14004 - Chromium: CVE-2026-14004 Inappropriate implementation in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14004
MITRE
NVD
CVE Title: Chromium: CVE-2026-14004 Inappropriate implementation in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:41    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14004
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14004 None

CVE-2026-14006 - Chromium: CVE-2026-14006 Use after free in Navigation

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14006
MITRE
NVD
CVE Title: Chromium: CVE-2026-14006 Use after free in Navigation
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:44    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14006
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14006 None

CVE-2026-14007 - Chromium: CVE-2026-14007 Insufficient policy enforcement in PermissionsPolicy

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14007
MITRE
NVD
CVE Title: Chromium: CVE-2026-14007 Insufficient policy enforcement in PermissionsPolicy
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:43    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14007
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14007 None

CVE-2026-14008 - Chromium: CVE-2026-14008 Uninitialized Use in WebXR

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14008
MITRE
NVD
CVE Title: Chromium: CVE-2026-14008 Uninitialized Use in WebXR
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:44    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14008
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14008 None

CVE-2026-14009 - Chromium: CVE-2026-14009 Insufficient data validation in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14009
MITRE
NVD
CVE Title: Chromium: CVE-2026-14009 Insufficient data validation in Passwords
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:46    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14009
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14009 None

CVE-2026-14010 - Chromium: CVE-2026-14010 Uninitialized Use in Codecs

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14010
MITRE
NVD
CVE Title: Chromium: CVE-2026-14010 Uninitialized Use in Codecs
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:47    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14010
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14010 None

CVE-2026-14011 - Chromium: CVE-2026-14011 Out of bounds read in SurfaceCapture

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14011
MITRE
NVD
CVE Title: Chromium: CVE-2026-14011 Out of bounds read in SurfaceCapture
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:48    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14011
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14011 None

CVE-2026-14012 - Chromium: CVE-2026-14012 Side-channel information leakage in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14012
MITRE
NVD
CVE Title: Chromium: CVE-2026-14012 Side-channel information leakage in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:49    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14012
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14012 None

CVE-2026-14013 - Chromium: CVE-2026-14013 Inappropriate implementation in SVG

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14013
MITRE
NVD
CVE Title: Chromium: CVE-2026-14013 Inappropriate implementation in SVG
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:51    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14013
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14013 None

CVE-2026-14014 - Chromium: CVE-2026-14014 Inappropriate implementation in Paint

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14014
MITRE
NVD
CVE Title: Chromium: CVE-2026-14014 Inappropriate implementation in Paint
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:52    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14014
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14014 None

CVE-2026-14015 - Chromium: CVE-2026-14015 Inappropriate implementation in WebRTC

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14015
MITRE
NVD
CVE Title: Chromium: CVE-2026-14015 Inappropriate implementation in WebRTC
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:53    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14015
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14015 None

CVE-2026-14018 - Chromium: CVE-2026-14018 Use after free in Updater

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14018
MITRE
NVD
CVE Title: Chromium: CVE-2026-14018 Use after free in Updater
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:57    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14018
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14018 None

CVE-2026-14016 - Chromium: CVE-2026-14016 Insufficient policy enforcement in SVG

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14016
MITRE
NVD
CVE Title: Chromium: CVE-2026-14016 Insufficient policy enforcement in SVG
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:45    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14016
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14016 None

CVE-2026-14017 - Chromium: CVE-2026-14017 Inappropriate implementation in Navigation

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14017
MITRE
NVD
CVE Title: Chromium: CVE-2026-14017 Inappropriate implementation in Navigation
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:55    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14017
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14017 None

CVE-2026-14019 - Chromium: CVE-2026-14019 Inappropriate implementation in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14019
MITRE
NVD
CVE Title: Chromium: CVE-2026-14019 Inappropriate implementation in Passwords
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:58    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14019
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14019 None

CVE-2026-14020 - Chromium: CVE-2026-14020 Insufficient validation of untrusted input in WebXR

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14020
MITRE
NVD
CVE Title: Chromium: CVE-2026-14020 Insufficient validation of untrusted input in WebXR
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:59    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14020
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14020 None

CVE-2026-14021 - Chromium: CVE-2026-14021 Insufficient validation of untrusted input in StorageAccessAPI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14021
MITRE
NVD
CVE Title: Chromium: CVE-2026-14021 Insufficient validation of untrusted input in StorageAccessAPI
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14021
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14021 None

CVE-2026-14022 - Chromium: CVE-2026-14022 Insufficient validation of untrusted input in Network

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14022
MITRE
NVD
CVE Title: Chromium: CVE-2026-14022 Insufficient validation of untrusted input in Network
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:01    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14022
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14022 None

CVE-2026-14023 - Chromium: CVE-2026-14023 Insufficient validation of untrusted input in SanitizerAPI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14023
MITRE
NVD
CVE Title: Chromium: CVE-2026-14023 Insufficient validation of untrusted input in SanitizerAPI
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:03    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14023
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14023 None

CVE-2026-14025 - Chromium: CVE-2026-14025 Use after free in Views

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14025
MITRE
NVD
CVE Title: Chromium: CVE-2026-14025 Use after free in Views
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:05    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14025
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14025 None

CVE-2026-14024 - Chromium: CVE-2026-14024 Use after free in Ozone

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14024
MITRE
NVD
CVE Title: Chromium: CVE-2026-14024 Use after free in Ozone
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:04    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14024
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14024 None

CVE-2026-14027 - Chromium: CVE-2026-14027 Use after free in SignIn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14027
MITRE
NVD
CVE Title: Chromium: CVE-2026-14027 Use after free in SignIn
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:47    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14027
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14027 None

CVE-2026-14031 - Chromium: CVE-2026-14031 Incorrect security UI in File Input

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14031
MITRE
NVD
CVE Title: Chromium: CVE-2026-14031 Incorrect security UI in File Input
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:10    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14031
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14031 None

CVE-2026-14032 - Chromium: CVE-2026-14032 Use after free in Bluetooth

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14032
MITRE
NVD
CVE Title: Chromium: CVE-2026-14032 Use after free in Bluetooth
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:11    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14032
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14032 None

CVE-2026-14030 - Chromium: CVE-2026-14030 Incorrect security UI in SplitView

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14030
MITRE
NVD
CVE Title: Chromium: CVE-2026-14030 Incorrect security UI in SplitView
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:09    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14030
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14030 None

CVE-2026-14034 - Chromium: CVE-2026-14034 Inappropriate implementation in WebXR

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14034
MITRE
NVD
CVE Title: Chromium: CVE-2026-14034 Inappropriate implementation in WebXR
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:14    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14034
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14034 None

CVE-2026-14033 - Chromium: CVE-2026-14033 Insufficient policy enforcement in Media

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14033
MITRE
NVD
CVE Title: Chromium: CVE-2026-14033 Insufficient policy enforcement in Media
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:12    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14033
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14033 None

CVE-2026-14035 - Chromium: CVE-2026-14035 Insufficient policy enforcement in Bluetooth

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14035
MITRE
NVD
CVE Title: Chromium: CVE-2026-14035 Insufficient policy enforcement in Bluetooth
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:15    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14035
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14035 None

CVE-2026-14036 - Chromium: CVE-2026-14036 Insufficient policy enforcement in Bluetooth

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14036
MITRE
NVD
CVE Title: Chromium: CVE-2026-14036 Insufficient policy enforcement in Bluetooth
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:16    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14036
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14036 None

CVE-2026-14038 - Chromium: CVE-2026-14038 Insufficient validation of untrusted input in New Tab Page

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14038
MITRE
NVD
CVE Title: Chromium: CVE-2026-14038 Insufficient validation of untrusted input in New Tab Page
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:18    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14038
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14038 None

CVE-2026-14039 - Chromium: CVE-2026-14039 Insufficient policy enforcement in GetUserMedia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14039
MITRE
NVD
CVE Title: Chromium: CVE-2026-14039 Insufficient policy enforcement in GetUserMedia
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:48    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14039
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14039 None

CVE-2026-14037 - Chromium: CVE-2026-14037 Insufficient policy enforcement in GPU

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14037
MITRE
NVD
CVE Title: Chromium: CVE-2026-14037 Insufficient policy enforcement in GPU
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:17    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14037
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14037 None

CVE-2026-14040 - Chromium: CVE-2026-14040 Use after free in BrowserTag

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14040
MITRE
NVD
CVE Title: Chromium: CVE-2026-14040 Use after free in BrowserTag
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:21    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14040
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14040 None

CVE-2026-14042 - Chromium: CVE-2026-14042 Inappropriate implementation in Isolated Web Apps

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14042
MITRE
NVD
CVE Title: Chromium: CVE-2026-14042 Inappropriate implementation in Isolated Web Apps
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:23    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14042
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14042 None

CVE-2026-14041 - Chromium: CVE-2026-14041 Insufficient policy enforcement in Serial

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14041
MITRE
NVD
CVE Title: Chromium: CVE-2026-14041 Insufficient policy enforcement in Serial
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:22    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14041
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14041 None

CVE-2026-14043 - Chromium: CVE-2026-14043 Use after free in GetUserMedia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14043
MITRE
NVD
CVE Title: Chromium: CVE-2026-14043 Use after free in GetUserMedia
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:24    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14043
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14043 None

CVE-2026-14044 - Chromium: CVE-2026-14044 Use after free in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14044
MITRE
NVD
CVE Title: Chromium: CVE-2026-14044 Use after free in ANGLE
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:25    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14044
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14044 None

CVE-2026-14045 - Chromium: CVE-2026-14045 Insufficient validation of untrusted input in Network

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14045
MITRE
NVD
CVE Title: Chromium: CVE-2026-14045 Insufficient validation of untrusted input in Network
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:27    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14045
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14045 None

CVE-2026-14046 - Chromium: CVE-2026-14046 Inappropriate implementation in CustomTabs

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14046
MITRE
NVD
CVE Title: Chromium: CVE-2026-14046 Inappropriate implementation in CustomTabs
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:28    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14046
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14046 None

CVE-2026-14047 - Chromium: CVE-2026-14047 Insufficient policy enforcement in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14047
MITRE
NVD
CVE Title: Chromium: CVE-2026-14047 Insufficient policy enforcement in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:29    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14047
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14047 None

CVE-2026-14048 - Chromium: CVE-2026-14048 Use after free in Chromecast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14048
MITRE
NVD
CVE Title: Chromium: CVE-2026-14048 Use after free in Chromecast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:30    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14048
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14048 None

CVE-2026-14049 - Chromium: CVE-2026-14049 Inappropriate implementation in GPU

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14049
MITRE
NVD
CVE Title: Chromium: CVE-2026-14049 Inappropriate implementation in GPU
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:49    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14049
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14049 None

CVE-2026-14050 - Chromium: CVE-2026-14050 Insufficient policy enforcement in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14050
MITRE
NVD
CVE Title: Chromium: CVE-2026-14050 Insufficient policy enforcement in Passwords
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:33    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14050
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14050 None

CVE-2026-14051 - Chromium: CVE-2026-14051 Uninitialized Use in GamepadAPI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14051
MITRE
NVD
CVE Title: Chromium: CVE-2026-14051 Uninitialized Use in GamepadAPI
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:34    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14051
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14051 None

CVE-2026-14052 - Chromium: CVE-2026-14052 Insufficient policy enforcement in FileSystem

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14052
MITRE
NVD
CVE Title: Chromium: CVE-2026-14052 Insufficient policy enforcement in FileSystem
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:35    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14052
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14052 None

CVE-2026-14055 - Chromium: CVE-2026-14055 Insufficient validation of untrusted input in Device Trust

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14055
MITRE
NVD
CVE Title: Chromium: CVE-2026-14055 Insufficient validation of untrusted input in Device Trust
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:39    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14055
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14055 None

CVE-2026-14053 - Chromium: CVE-2026-14053 Insufficient policy enforcement in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14053
MITRE
NVD
CVE Title: Chromium: CVE-2026-14053 Insufficient policy enforcement in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:36    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14053
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14053 None

CVE-2026-14056 - Chromium: CVE-2026-14056 Insufficient validation of untrusted input in Media

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14056
MITRE
NVD
CVE Title: Chromium: CVE-2026-14056 Insufficient validation of untrusted input in Media
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:40    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14056
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14056 None

CVE-2026-14054 - Chromium: CVE-2026-14054 Insufficient policy enforcement in Network

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14054
MITRE
NVD
CVE Title: Chromium: CVE-2026-14054 Insufficient policy enforcement in Network
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:38    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14054
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14054 None

CVE-2026-14057 - Chromium: CVE-2026-14057 Insufficient policy enforcement in FedCM

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14057
MITRE
NVD
CVE Title: Chromium: CVE-2026-14057 Insufficient policy enforcement in FedCM
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:41    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14057
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14057 None

CVE-2026-14058 - Chromium: CVE-2026-14058 Policy bypass in Parser

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14058
MITRE
NVD
CVE Title: Chromium: CVE-2026-14058 Policy bypass in Parser
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:42    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14058
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14058 None

CVE-2026-14060 - Chromium: CVE-2026-14060 Insufficient validation of untrusted input in Chromoting

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14060
MITRE
NVD
CVE Title: Chromium: CVE-2026-14060 Insufficient validation of untrusted input in Chromoting
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:45    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14060
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14060 None

CVE-2026-14062 - Chromium: CVE-2026-14062 Inappropriate implementation in Views

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14062
MITRE
NVD
CVE Title: Chromium: CVE-2026-14062 Inappropriate implementation in Views
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:47    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14062
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14062 None

CVE-2026-14059 - Chromium: CVE-2026-14059 Insufficient policy enforcement in Related-Website-Sets

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14059
MITRE
NVD
CVE Title: Chromium: CVE-2026-14059 Insufficient policy enforcement in Related-Website-Sets
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:50    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14059
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14059 None

CVE-2026-14061 - Chromium: CVE-2026-14061 Inappropriate implementation in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14061
MITRE
NVD
CVE Title: Chromium: CVE-2026-14061 Inappropriate implementation in Dawn
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:46    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14061
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14061 None

CVE-2026-14063 - Chromium: CVE-2026-14063 Out of bounds memory access in Chromecast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14063
MITRE
NVD
CVE Title: Chromium: CVE-2026-14063 Out of bounds memory access in Chromecast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:48    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14063
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14063 None

CVE-2026-14064 - Chromium: CVE-2026-14064 Use after free in PageInfo

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14064
MITRE
NVD
CVE Title: Chromium: CVE-2026-14064 Use after free in PageInfo
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:50    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14064
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14064 None

CVE-2026-14065 - Chromium: CVE-2026-14065 Insufficient validation of untrusted input in PageInfo

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14065
MITRE
NVD
CVE Title: Chromium: CVE-2026-14065 Insufficient validation of untrusted input in PageInfo
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:51    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14065
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14065 None

CVE-2026-14068 - Chromium: CVE-2026-14068 Inappropriate implementation in Omnibox

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14068
MITRE
NVD
CVE Title: Chromium: CVE-2026-14068 Inappropriate implementation in Omnibox
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:52    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14068
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14068 None

CVE-2026-14026 - Chromium: CVE-2026-14026 Incorrect security UI in SplitView

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14026
MITRE
NVD
CVE Title: Chromium: CVE-2026-14026 Incorrect security UI in SplitView
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:06    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14026
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14026 None

CVE-2026-14069 - Chromium: CVE-2026-14069 Integer overflow in WebNN

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14069
MITRE
NVD
CVE Title: Chromium: CVE-2026-14069 Integer overflow in WebNN
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:53    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14069
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14069 None

CVE-2026-14070 - Chromium: CVE-2026-14070 Uninitialized Use in WebNN

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14070
MITRE
NVD
CVE Title: Chromium: CVE-2026-14070 Uninitialized Use in WebNN
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:54    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14070
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14070 None

CVE-2026-14072 - Chromium: CVE-2026-14072 Incorrect security UI in SplitView

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14072
MITRE
NVD
CVE Title: Chromium: CVE-2026-14072 Incorrect security UI in SplitView
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:57    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14072
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14072 None

CVE-2026-14071 - Chromium: CVE-2026-14071 Side-channel information leakage in WebAudio

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14071
MITRE
NVD
CVE Title: Chromium: CVE-2026-14071 Side-channel information leakage in WebAudio
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:51    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14071
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14071 None

CVE-2026-14073 - Chromium: CVE-2026-14073 Insufficient policy enforcement in WebXR

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14073
MITRE
NVD
CVE Title: Chromium: CVE-2026-14073 Insufficient policy enforcement in WebXR
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:58    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14073
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14073 None

CVE-2026-14076 - Chromium: CVE-2026-14076 Policy bypass in Network

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14076
MITRE
NVD
CVE Title: Chromium: CVE-2026-14076 Policy bypass in Network
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:01    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14076
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14076 None

CVE-2026-14077 - Chromium: CVE-2026-14077 Incorrect security UI in Select

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14077
MITRE
NVD
CVE Title: Chromium: CVE-2026-14077 Incorrect security UI in Select
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:02    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14077
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14077 None

CVE-2026-14078 - Chromium: CVE-2026-14078 Policy bypass in WebRTC

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14078
MITRE
NVD
CVE Title: Chromium: CVE-2026-14078 Policy bypass in WebRTC
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:03    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14078
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14078 None

CVE-2026-14079 - Chromium: CVE-2026-14079 Policy bypass in Network

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14079
MITRE
NVD
CVE Title: Chromium: CVE-2026-14079 Policy bypass in Network
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:04    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14079
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14079 None

CVE-2026-14081 - Chromium: CVE-2026-14081 Insufficient policy enforcement in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14081
MITRE
NVD
CVE Title: Chromium: CVE-2026-14081 Insufficient policy enforcement in DevTools
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:07    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14081
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14081 None

CVE-2026-14080 - Chromium: CVE-2026-14080 Insufficient validation of untrusted input in TabSwitcher

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14080
MITRE
NVD
CVE Title: Chromium: CVE-2026-14080 Insufficient validation of untrusted input in TabSwitcher
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:05    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14080
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14080 None

CVE-2026-14082 - Chromium: CVE-2026-14082 Race in Storage

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14082
MITRE
NVD
CVE Title: Chromium: CVE-2026-14082 Race in Storage
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:53    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14082
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14082 None

CVE-2026-14074 - Chromium: CVE-2026-14074 Side-channel information leakage in WebAuthentication

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14074
MITRE
NVD
CVE Title: Chromium: CVE-2026-14074 Side-channel information leakage in WebAuthentication
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14074
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14074 None

CVE-2026-14083 - Chromium: CVE-2026-14083 Insufficient validation of untrusted input in HTML

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14083
MITRE
NVD
CVE Title: Chromium: CVE-2026-14083 Insufficient validation of untrusted input in HTML
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:09    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14083
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14083 None

CVE-2026-14084 - Chromium: CVE-2026-14084 Insufficient validation of untrusted input in Chromoting

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14084
MITRE
NVD
CVE Title: Chromium: CVE-2026-14084 Insufficient validation of untrusted input in Chromoting
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:10    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14084
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14084 None

CVE-2026-14085 - Chromium: CVE-2026-14085 Side-channel information leakage in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14085
MITRE
NVD
CVE Title: Chromium: CVE-2026-14085 Side-channel information leakage in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:11    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14085
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14085 None

CVE-2026-14086 - Chromium: CVE-2026-14086 Insufficient policy enforcement in HID

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14086
MITRE
NVD
CVE Title: Chromium: CVE-2026-14086 Insufficient policy enforcement in HID
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:12    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14086
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14086 None

CVE-2026-14087 - Chromium: CVE-2026-14087 Insufficient validation of untrusted input in WebNN

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14087
MITRE
NVD
CVE Title: Chromium: CVE-2026-14087 Insufficient validation of untrusted input in WebNN
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:14    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14087
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14087 None

CVE-2026-14089 - Chromium: CVE-2026-14089 Insufficient validation of untrusted input in PopupBlocker

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14089
MITRE
NVD
CVE Title: Chromium: CVE-2026-14089 Insufficient validation of untrusted input in PopupBlocker
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:16    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14089
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14089 None

CVE-2026-14088 - Chromium: CVE-2026-14088 Uninitialized Use in Canvas

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14088
MITRE
NVD
CVE Title: Chromium: CVE-2026-14088 Uninitialized Use in Canvas
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:15    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14088
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14088 None

CVE-2026-14090 - Chromium: CVE-2026-14090 Out of bounds read in CameraCapture

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14090
MITRE
NVD
CVE Title: Chromium: CVE-2026-14090 Out of bounds read in CameraCapture
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T00:29:17    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14090
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14090 None

CVE-2026-14092 - Chromium: CVE-2026-14092 Insufficient policy enforcement in Privacy

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14092
MITRE
NVD
CVE Title: Chromium: CVE-2026-14092 Insufficient policy enforcement in Privacy
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:54    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14092
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14092 None

CVE-2026-14095 - Chromium: CVE-2026-14095 Insufficient validation of untrusted input in Browser

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14095
MITRE
NVD
CVE Title: Chromium: CVE-2026-14095 Insufficient validation of untrusted input in Browser
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:23    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14095
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14095 None

CVE-2026-14093 - Chromium: CVE-2026-14093 Use after free in Cast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14093
MITRE
NVD
CVE Title: Chromium: CVE-2026-14093 Use after free in Cast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:21    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14093
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14093 None

CVE-2026-14094 - Chromium: CVE-2026-14094 Use after free in Installer

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14094
MITRE
NVD
CVE Title: Chromium: CVE-2026-14094 Use after free in Installer
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:22    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14094
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14094 None

CVE-2026-14097 - Chromium: CVE-2026-14097 Inappropriate implementation in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14097
MITRE
NVD
CVE Title: Chromium: CVE-2026-14097 Inappropriate implementation in WebAppInstalls
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:24    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14097
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14097 None

CVE-2026-14100 - Chromium: CVE-2026-14100 Insufficient data validation in NetworkCache

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14100
MITRE
NVD
CVE Title: Chromium: CVE-2026-14100 Insufficient data validation in NetworkCache
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:27    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14100
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14100 None

CVE-2026-14102 - Chromium: CVE-2026-14102 Use after free in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14102
MITRE
NVD
CVE Title: Chromium: CVE-2026-14102 Use after free in Passwords
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:28    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14102
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14102 None

CVE-2026-14104 - Chromium: CVE-2026-14104 Insufficient validation of untrusted input in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14104
MITRE
NVD
CVE Title: Chromium: CVE-2026-14104 Insufficient validation of untrusted input in WebAppInstalls
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:30    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14104
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14104 None

CVE-2026-14103 - Chromium: CVE-2026-14103 Use after free in SSL

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14103
MITRE
NVD
CVE Title: Chromium: CVE-2026-14103 Use after free in SSL
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:29    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14103
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14103 None

CVE-2026-14098 - Chromium: CVE-2026-14098 Inappropriate implementation in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14098
MITRE
NVD
CVE Title: Chromium: CVE-2026-14098 Inappropriate implementation in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:26    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14098
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14098 None

CVE-2026-14105 - Chromium: CVE-2026-14105 Insufficient policy enforcement in Speech

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14105
MITRE
NVD
CVE Title: Chromium: CVE-2026-14105 Insufficient policy enforcement in Speech
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:55    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14105
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14105 None

CVE-2026-14106 - Chromium: CVE-2026-14106 Insufficient validation of untrusted input in Text

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14106
MITRE
NVD
CVE Title: Chromium: CVE-2026-14106 Insufficient validation of untrusted input in Text
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:33    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14106
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14106 None

CVE-2026-14091 - Chromium: CVE-2026-14091 Use after free in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14091
MITRE
NVD
CVE Title: Chromium: CVE-2026-14091 Use after free in DevTools
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:19    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14091
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14091 None

CVE-2026-14107 - Chromium: CVE-2026-14107 Use after free in Scheduling

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14107
MITRE
NVD
CVE Title: Chromium: CVE-2026-14107 Use after free in Scheduling
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:34    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14107
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14107 None

CVE-2026-14108 - Chromium: CVE-2026-14108 Use after free in PDFium

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14108
MITRE
NVD
CVE Title: Chromium: CVE-2026-14108 Use after free in PDFium
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:35    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14108
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14108 None

CVE-2026-14109 - Chromium: CVE-2026-14109 Insufficient policy enforcement in Mojo

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14109
MITRE
NVD
CVE Title: Chromium: CVE-2026-14109 Insufficient policy enforcement in Mojo
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:36    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14109
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14109 None

CVE-2026-14110 - Chromium: CVE-2026-14110 Inappropriate implementation in DarkMode

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14110
MITRE
NVD
CVE Title: Chromium: CVE-2026-14110 Inappropriate implementation in DarkMode
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:38    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14110
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14110 None

CVE-2026-14111 - Chromium: CVE-2026-14111 Use after free in WebProtect

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14111
MITRE
NVD
CVE Title: Chromium: CVE-2026-14111 Use after free in WebProtect
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:39    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14111
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14111 None

CVE-2026-14113 - Chromium: CVE-2026-14113 Use after free in Updater

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14113
MITRE
NVD
CVE Title: Chromium: CVE-2026-14113 Use after free in Updater
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:41    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14113
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14113 None

CVE-2026-14115 - Chromium: CVE-2026-14115 Insufficient validation of untrusted input in Cast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14115
MITRE
NVD
CVE Title: Chromium: CVE-2026-14115 Insufficient validation of untrusted input in Cast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:43    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14115
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14115 None

CVE-2026-14112 - Chromium: CVE-2026-14112 Inappropriate implementation in Enterprise

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14112
MITRE
NVD
CVE Title: Chromium: CVE-2026-14112 Inappropriate implementation in Enterprise
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:40    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14112
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14112 None

CVE-2026-14117 - Chromium: CVE-2026-14117 Insufficient validation of untrusted input in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14117
MITRE
NVD
CVE Title: Chromium: CVE-2026-14117 Insufficient validation of untrusted input in DevTools
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:46    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14117
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14117 None

CVE-2026-14118 - Chromium: CVE-2026-14118 Insufficient data validation in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14118
MITRE
NVD
CVE Title: Chromium: CVE-2026-14118 Insufficient data validation in DevTools
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:47    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14118
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14118 None

CVE-2026-14119 - Chromium: CVE-2026-14119 Type Confusion in Bluetooth

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14119
MITRE
NVD
CVE Title: Chromium: CVE-2026-14119 Type Confusion in Bluetooth
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:48    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14119
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14119 None

CVE-2026-14120 - Chromium: CVE-2026-14120 Inappropriate implementation in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14120
MITRE
NVD
CVE Title: Chromium: CVE-2026-14120 Inappropriate implementation in DevTools
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:49    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14120
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14120 None

CVE-2026-14116 - Chromium: CVE-2026-14116 Insufficient validation of untrusted input in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14116
MITRE
NVD
CVE Title: Chromium: CVE-2026-14116 Insufficient validation of untrusted input in DevTools
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:56    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14116
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14116 None

CVE-2026-14121 - Chromium: CVE-2026-14121 Use after free in Chromoting

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14121
MITRE
NVD
CVE Title: Chromium: CVE-2026-14121 Use after free in Chromoting
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:51    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14121
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14121 None

CVE-2026-14124 - Chromium: CVE-2026-14124 Inappropriate implementation in CredentialProvider

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14124
MITRE
NVD
CVE Title: Chromium: CVE-2026-14124 Inappropriate implementation in CredentialProvider
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:53    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14124
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14124 None

CVE-2026-14125 - Chromium: CVE-2026-14125 Uninitialized Use in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14125
MITRE
NVD
CVE Title: Chromium: CVE-2026-14125 Uninitialized Use in ANGLE
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:54    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14125
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14125 None

CVE-2026-14122 - Chromium: CVE-2026-14122 Insufficient validation of untrusted input in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14122
MITRE
NVD
CVE Title: Chromium: CVE-2026-14122 Insufficient validation of untrusted input in WebAppInstalls
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:52    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14122
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14122 None

CVE-2026-14127 - Chromium: CVE-2026-14127 Inappropriate implementation in Printing

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14127
MITRE
NVD
CVE Title: Chromium: CVE-2026-14127 Inappropriate implementation in Printing
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:55    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14127
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14127 None

CVE-2026-14129 - Chromium: CVE-2026-14129 Incorrect security UI in PreviewTab

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14129
MITRE
NVD
CVE Title: Chromium: CVE-2026-14129 Incorrect security UI in PreviewTab
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:57    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14129
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14129 None

CVE-2026-14130 - Chromium: CVE-2026-14130 Incorrect security UI in Omnibox

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14130
MITRE
NVD
CVE Title: Chromium: CVE-2026-14130 Incorrect security UI in Omnibox
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:58    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14130
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14130 None

CVE-2026-14133 - Chromium: CVE-2026-14133 Race in History Embeddings

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14133
MITRE
NVD
CVE Title: Chromium: CVE-2026-14133 Race in History Embeddings
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:02    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14133
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14133 None

CVE-2026-14131 - Chromium: CVE-2026-14131 Insufficient validation of untrusted input in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14131
MITRE
NVD
CVE Title: Chromium: CVE-2026-14131 Insufficient validation of untrusted input in WebAppInstalls
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:59    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14131
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14131 None

CVE-2026-14132 - Chromium: CVE-2026-14132 Inappropriate implementation in WebXR

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14132
MITRE
NVD
CVE Title: Chromium: CVE-2026-14132 Inappropriate implementation in WebXR
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:01    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14132
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14132 None

CVE-2026-14134 - Chromium: CVE-2026-14134 Inappropriate implementation in Autofill

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14134
MITRE
NVD
CVE Title: Chromium: CVE-2026-14134 Inappropriate implementation in Autofill
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:03    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14134
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14134 None

CVE-2026-14139 - Chromium: CVE-2026-14139 Inappropriate implementation in TabStrip

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14139
MITRE
NVD
CVE Title: Chromium: CVE-2026-14139 Inappropriate implementation in TabStrip
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:07    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14139
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14139 None

CVE-2026-14140 - Chromium: CVE-2026-14140 Insufficient validation of untrusted input in Input

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14140
MITRE
NVD
CVE Title: Chromium: CVE-2026-14140 Insufficient validation of untrusted input in Input
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:08    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14140
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14140 None

CVE-2026-14141 - Chromium: CVE-2026-14141 Incorrect security UI in Document Picture-in-Picture

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14141
MITRE
NVD
CVE Title: Chromium: CVE-2026-14141 Incorrect security UI in Document Picture-in-Picture
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:09    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14141
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14141 None

CVE-2026-14142 - Chromium: CVE-2026-14142 Inappropriate implementation in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14142
MITRE
NVD
CVE Title: Chromium: CVE-2026-14142 Inappropriate implementation in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:59    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14142
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14142 None

CVE-2026-14135 - Chromium: CVE-2026-14135 Insufficient validation of untrusted input in Network

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14135
MITRE
NVD
CVE Title: Chromium: CVE-2026-14135 Insufficient validation of untrusted input in Network
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:04    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14135
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14135 None

CVE-2026-14138 - Chromium: CVE-2026-14138 Inappropriate implementation in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14138
MITRE
NVD
CVE Title: Chromium: CVE-2026-14138 Inappropriate implementation in WebAppInstalls
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:05    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14138
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14138 None

CVE-2026-14144 - Chromium: CVE-2026-14144 Incorrect security UI in Views

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14144
MITRE
NVD
CVE Title: Chromium: CVE-2026-14144 Incorrect security UI in Views
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:13    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14144
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14144 None

CVE-2026-14143 - Chromium: CVE-2026-14143 Incorrect security UI in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14143
MITRE
NVD
CVE Title: Chromium: CVE-2026-14143 Incorrect security UI in Passwords
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:11    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14143
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14143 None

CVE-2026-14145 - Chromium: CVE-2026-14145 Inappropriate implementation in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14145
MITRE
NVD
CVE Title: Chromium: CVE-2026-14145 Inappropriate implementation in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:14    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14145
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14145 None

CVE-2026-14146 - Chromium: CVE-2026-14146 Inappropriate implementation in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14146
MITRE
NVD
CVE Title: Chromium: CVE-2026-14146 Inappropriate implementation in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:15    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14146
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14146 None

CVE-2026-14148 - Chromium: CVE-2026-14148 Type Confusion in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14148
MITRE
NVD
CVE Title: Chromium: CVE-2026-14148 Type Confusion in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:17    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14148
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14148 None

CVE-2026-14147 - Chromium: CVE-2026-14147 Inappropriate implementation in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14147
MITRE
NVD
CVE Title: Chromium: CVE-2026-14147 Inappropriate implementation in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:16    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14147
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14147 None

CVE-2026-14152 - Chromium: CVE-2026-14152 Out of bounds write in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14152
MITRE
NVD
CVE Title: Chromium: CVE-2026-14152 Out of bounds write in ANGLE
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:22    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14152
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14152 None

CVE-2026-14150 - Chromium: CVE-2026-14150 Insufficient validation of untrusted input in Speech

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14150
MITRE
NVD
CVE Title: Chromium: CVE-2026-14150 Insufficient validation of untrusted input in Speech
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:20    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14150
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14150 None

CVE-2026-14149 - Chromium: CVE-2026-14149 Use after free in Audio

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14149
MITRE
NVD
CVE Title: Chromium: CVE-2026-14149 Use after free in Audio
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:19    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14149
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14149 None

CVE-2026-14151 - Chromium: CVE-2026-14151 Inappropriate implementation in AI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14151
MITRE
NVD
CVE Title: Chromium: CVE-2026-14151 Inappropriate implementation in AI
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:21    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14151
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14151 None

CVE-2026-14155 - Chromium: CVE-2026-14155 Insufficient policy enforcement in StorageAccessAPI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14155
MITRE
NVD
CVE Title: Chromium: CVE-2026-14155 Insufficient policy enforcement in StorageAccessAPI
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:26    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14155
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14155 None

CVE-2026-14153 - Chromium: CVE-2026-14153 Inappropriate implementation in Glic

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14153
MITRE
NVD
CVE Title: Chromium: CVE-2026-14153 Inappropriate implementation in Glic
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14153
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14153 None

CVE-2026-14154 - Chromium: CVE-2026-14154 Inappropriate implementation in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14154
MITRE
NVD
CVE Title: Chromium: CVE-2026-14154 Inappropriate implementation in DevTools
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:25    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14154
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14154 None

CVE-2026-14156 - Chromium: CVE-2026-14156 Policy bypass in StorageAccessAPI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14156
MITRE
NVD
CVE Title: Chromium: CVE-2026-14156 Policy bypass in StorageAccessAPI
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:28    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14156
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14156 None

CVE-2026-13961 - Chromium: CVE-2026-13961 Insufficient validation of untrusted input in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13961
MITRE
NVD
CVE Title: Chromium: CVE-2026-13961 Insufficient validation of untrusted input in DevTools
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:40    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13961
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13961 None

CVE-2026-13774 - Chromium: CVE-2026-13774 Use after free in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13774
MITRE
NVD
CVE Title: Chromium: CVE-2026-13774 Use after free in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:01    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13774
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13774 None

CVE-2026-58601 - Virtual Hard Disk (VHD) Miniport Driver Elevation of Privilege Vulernability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58601
MITRE
NVD
CVE Title: Virtual Hard Disk (VHD) Miniport Driver Elevation of Privilege Vulernability
Description:

Heap-based buffer overflow in Virtual Hard Disk (VHD) Miniport Driver allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58601
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 (Server Core installation) 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58601 Daejin Lee


sweetchip


Seung Chan Kim


Nguyễn Đăng Nguyễn (@MochiNishimiya) with STAR Labs SG Pte. Ltd.


CVE-2026-58602 - Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58602
MITRE
NVD
CVE Title: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel Mode Driver allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58602
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58602 Angelboy (@scwuaptx) with DEVCORE


CVE-2026-58608 - Windows Print Spooler Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58608
MITRE
NVD
CVE Title: Windows Print Spooler Remote Code Execution Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Print Spooler Components allows an authorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by interacting with the Windows Print Spooler service in a way that causes it to use memory that has already been freed. By creating and then closing a printer handle without properly invalidating a related notification handle, the attacker can trigger this condition and potentially run code on the affected system.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58608
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58608 Orange Tsai (@orange_8361) with DEVCORE


CVE-2026-58609 - Windows Graphics Component Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58609
MITRE
NVD
CVE Title: Windows Graphics Component Remote Code Execution Vulnerability
Description:

Out-of-bounds read in Microsoft Graphics Component allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58609
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58609 Thanatos Tian (HKPolyU) & npc0vo & @2st__ with Diffract


CVE-2026-58610 - Microsoft Windows Media Foundation Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58610
MITRE
NVD
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58610
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58610 yhw & txz


CVE-2026-58614 - Windows Kernel Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58614
MITRE
NVD
CVE Title: Windows Kernel Security Feature Bypass Vulnerability
Description:

Out-of-bounds read in Windows Kernel allows an authorized attacker to bypass a security feature locally.


FAQ:

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

This vulnerability could allow an attacker to bypass an access control mechanism that is designed to restrict a sensitive debugging interface to administrators only.

By bypassing this check, a standard authenticated user could gain unauthorized access to functionality that is intended to be limited to highly privileged users, weakening protections that enforce administrative boundaries on debugging capabilities.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58614
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58614 Aman Gupta


CVE-2026-58618 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58618
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58618
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58618 f4 & Zhiniang Peng with HUST


CVE-2026-58631 - Windows Admin Center (WAC) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58631
MITRE
NVD
CVE Title: Windows Admin Center (WAC) Remote Code Execution Vulnerability
Description:

Improper authorization in Windows Admin Center allows an authorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58631
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows Admin Center Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58631 Batuhan Er with HawkTrace


CVE-2026-58635 - Windows Narrator Braille Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58635
MITRE
NVD
CVE Title: Windows Narrator Braille Elevation of Privilege Vulnerability
Description:

Improper neutralization of special elements used in a command ('command injection') in Windows Narrator Braille allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could execute code in the security context of the “NT AUTHORITY\Network Service” account.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58635
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58635 yhw & txz


CVE-2026-58636 - Microsoft PC Manager Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58636
MITRE
NVD
CVE Title: Microsoft PC Manager Elevation of Privilege Vulnerability
Description:

Improper link resolution before file access ('link following') in Window PC Manager allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58636
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft PC Manager Release Notes (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58636 .bat


Anonymous


CVE-2026-58640 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58640
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58640
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 (Server Core installation) 5099540 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58640 Donghyeon Oh with Patchpoint


Jonghoi Kim


Sergey immortalp0ny Tarasov with Positive Technologies


CVE-2026-58644 - Microsoft SharePoint Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58644
MITRE
NVD
CVE Title: Microsoft SharePoint Remote Code Execution Vulnerability
Description:

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit the vulnerability?

In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server.


I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability?

The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


1.1    2026-07-14T07:00:00    

The Patch for this issue was released but the CVE was inadvertently left out of the Patch Tuesday June 2026 release


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58644
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002880 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002874 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002873 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58644

CVE-2026-58647 - Microsoft PowerBI Report Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58647
MITRE
NVD
CVE Title: Microsoft PowerBI Report Server Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Power BI allows an authorized attacker to perform spoofing over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58647
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Power BI Report Server Release Notes (Security Update) Important Spoofing None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58647 Anonymous


CVE-2026-13777 - Chromium: CVE-2026-13777 Insufficient validation of untrusted input in iOSWeb

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13777
MITRE
NVD
CVE Title: Chromium: CVE-2026-13777 Insufficient validation of untrusted input in iOSWeb
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:58    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13777
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13777 None

CVE-2026-13778 - Chromium: CVE-2026-13778 Use after free in WebUSB

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13778
MITRE
NVD
CVE Title: Chromium: CVE-2026-13778 Use after free in WebUSB
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:26    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13778
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13778 None

CVE-2026-13788 - Chromium: CVE-2026-13788 Use after free in Fullscreen

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13788
MITRE
NVD
CVE Title: Chromium: CVE-2026-13788 Use after free in Fullscreen
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:49    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13788
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13788 None

CVE-2026-13791 - Chromium: CVE-2026-13791 Insufficient validation of untrusted input in Downloads

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13791
MITRE
NVD
CVE Title: Chromium: CVE-2026-13791 Insufficient validation of untrusted input in Downloads
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:29    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13791
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13791 None

CVE-2026-13795 - Chromium: CVE-2026-13795 Insufficient policy enforcement in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13795
MITRE
NVD
CVE Title: Chromium: CVE-2026-13795 Insufficient policy enforcement in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:59    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13795
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13795 None

CVE-2026-13785 - Chromium: CVE-2026-13785 Use after free in Bluetooth

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13785
MITRE
NVD
CVE Title: Chromium: CVE-2026-13785 Use after free in Bluetooth
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:28    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13785
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13785 None

CVE-2026-13805 - Chromium: CVE-2026-13805 Use after free in GFX

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13805
MITRE
NVD
CVE Title: Chromium: CVE-2026-13805 Use after free in GFX
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:31    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13805
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13805 None

CVE-2026-13807 - Chromium: CVE-2026-13807 Use after free in Import

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13807
MITRE
NVD
CVE Title: Chromium: CVE-2026-13807 Use after free in Import
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:01    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13807
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13807 None

CVE-2026-13812 - Chromium: CVE-2026-13812 Insufficient validation of untrusted input in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13812
MITRE
NVD
CVE Title: Chromium: CVE-2026-13812 Insufficient validation of untrusted input in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:05    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13812
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13812 None

CVE-2026-13809 - Chromium: CVE-2026-13809 Side-channel information leakage in Safe Browsing

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13809
MITRE
NVD
CVE Title: Chromium: CVE-2026-13809 Side-channel information leakage in Safe Browsing
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:03    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13809
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13809 None

CVE-2026-13808 - Chromium: CVE-2026-13808 Insufficient data validation in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13808
MITRE
NVD
CVE Title: Chromium: CVE-2026-13808 Insufficient data validation in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:02    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13808
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13808 None

CVE-2026-13816 - Chromium: CVE-2026-13816 Insufficient validation of untrusted input in File Input

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13816
MITRE
NVD
CVE Title: Chromium: CVE-2026-13816 Insufficient validation of untrusted input in File Input
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:50    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13816
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13816 None

CVE-2026-13813 - Chromium: CVE-2026-13813 Insufficient validation of untrusted input in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13813
MITRE
NVD
CVE Title: Chromium: CVE-2026-13813 Insufficient validation of untrusted input in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:06    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13813
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13813 None

CVE-2026-13825 - Chromium: CVE-2026-13825 Uninitialized Use in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13825
MITRE
NVD
CVE Title: Chromium: CVE-2026-13825 Uninitialized Use in Dawn
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:53    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13825
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13825 None

CVE-2026-13819 - Chromium: CVE-2026-13819 Out of bounds read in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13819
MITRE
NVD
CVE Title: Chromium: CVE-2026-13819 Out of bounds read in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:33    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13819
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13819 None

CVE-2026-13822 - Chromium: CVE-2026-13822 Inappropriate implementation in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13822
MITRE
NVD
CVE Title: Chromium: CVE-2026-13822 Inappropriate implementation in Extensions
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:52    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13822
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13822 None

CVE-2026-13826 - Chromium: CVE-2026-13826 Inappropriate implementation in Autofill

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13826
MITRE
NVD
CVE Title: Chromium: CVE-2026-13826 Inappropriate implementation in Autofill
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:54    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13826
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13826 None

CVE-2026-13827 - Chromium: CVE-2026-13827 Use after free in Updater

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13827
MITRE
NVD
CVE Title: Chromium: CVE-2026-13827 Use after free in Updater
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:34    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13827
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13827 None

CVE-2026-13833 - Chromium: CVE-2026-13833 Uninitialized Use in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13833
MITRE
NVD
CVE Title: Chromium: CVE-2026-13833 Uninitialized Use in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:35    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13833
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13833 None

CVE-2026-13843 - Chromium: CVE-2026-13843 Insufficient validation of untrusted input in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13843
MITRE
NVD
CVE Title: Chromium: CVE-2026-13843 Insufficient validation of untrusted input in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:09    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13843
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13843 None

CVE-2026-13842 - Chromium: CVE-2026-13842 Incorrect security UI in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13842
MITRE
NVD
CVE Title: Chromium: CVE-2026-13842 Incorrect security UI in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:07    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13842
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13842 None

CVE-2026-13846 - Chromium: CVE-2026-13846 Use after free in USB

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13846
MITRE
NVD
CVE Title: Chromium: CVE-2026-13846 Use after free in USB
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:37    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13846
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13846 None

CVE-2026-13847 - Chromium: CVE-2026-13847 Insufficient validation of untrusted input in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13847
MITRE
NVD
CVE Title: Chromium: CVE-2026-13847 Insufficient validation of untrusted input in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:10    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13847
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13847 None

CVE-2026-13792 - Chromium: CVE-2026-13792 Use after free in Touchbar

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13792
MITRE
NVD
CVE Title: Chromium: CVE-2026-13792 Use after free in Touchbar
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:30    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13792
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13792 None

CVE-2026-13851 - Chromium: CVE-2026-13851 Insufficient validation of untrusted input in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13851
MITRE
NVD
CVE Title: Chromium: CVE-2026-13851 Insufficient validation of untrusted input in WebAppInstalls
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:56    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13851
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13851 None

CVE-2026-13852 - Chromium: CVE-2026-13852 Insufficient validation of untrusted input in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13852
MITRE
NVD
CVE Title: Chromium: CVE-2026-13852 Insufficient validation of untrusted input in WebAppInstalls
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:57    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13852
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13852 None

CVE-2026-13850 - Chromium: CVE-2026-13850 Insufficient validation of untrusted input in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13850
MITRE
NVD
CVE Title: Chromium: CVE-2026-13850 Insufficient validation of untrusted input in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:11    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13850
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13850 None

CVE-2026-13856 - Chromium: CVE-2026-13856 Insufficient validation of untrusted input in Speech

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13856
MITRE
NVD
CVE Title: Chromium: CVE-2026-13856 Insufficient validation of untrusted input in Speech
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:58    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13856
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13856 None

CVE-2026-13862 - CVE-2026-13862

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13862
MITRE
NVD
CVE Title: CVE-2026-13862
Description:

CVE-2026-13862


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:13    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13862
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13862 None

CVE-2026-13863 - Chromium: CVE-2026-13863 Insufficient validation of untrusted input in CustomTabs

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13863
MITRE
NVD
CVE Title: Chromium: CVE-2026-13863 Insufficient validation of untrusted input in CustomTabs
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13863
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13863 None

CVE-2026-13866 - Chromium: CVE-2026-13866 Insufficient validation of untrusted input in Input

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13866
MITRE
NVD
CVE Title: Chromium: CVE-2026-13866 Insufficient validation of untrusted input in Input
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:01    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13866
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13866 None

CVE-2026-13868 - Chromium: CVE-2026-13868 Inappropriate implementation in Network

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13868
MITRE
NVD
CVE Title: Chromium: CVE-2026-13868 Inappropriate implementation in Network
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:02    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13868
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13868 None

CVE-2026-13870 - Chromium: CVE-2026-13870 Use after free in WebView

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13870
MITRE
NVD
CVE Title: Chromium: CVE-2026-13870 Use after free in WebView
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:04    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13870
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13870 None

CVE-2026-13878 - Chromium: CVE-2026-13878 Use after free in Bluetooth

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13878
MITRE
NVD
CVE Title: Chromium: CVE-2026-13878 Use after free in Bluetooth
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:38    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13878
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13878 None

CVE-2026-13872 - Chromium: CVE-2026-13872 Insufficient validation of untrusted input in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13872
MITRE
NVD
CVE Title: Chromium: CVE-2026-13872 Insufficient validation of untrusted input in WebAppInstalls
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:05    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13872
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13872 None

CVE-2026-13880 - Chromium: CVE-2026-13880 Use after free in USB

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13880
MITRE
NVD
CVE Title: Chromium: CVE-2026-13880 Use after free in USB
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:39    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13880
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13880 None

CVE-2026-13885 - Chromium: CVE-2026-13885 Use after free in Skia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13885
MITRE
NVD
CVE Title: Chromium: CVE-2026-13885 Use after free in Skia
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:06    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13885
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13885 None

CVE-2026-13887 - Chromium: CVE-2026-13887 Insufficient policy enforcement in NFC

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13887
MITRE
NVD
CVE Title: Chromium: CVE-2026-13887 Insufficient policy enforcement in NFC
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:08    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13887
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13887 None

CVE-2026-13889 - Chromium: CVE-2026-13889 Insufficient validation of untrusted input in WebAuthentication

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13889
MITRE
NVD
CVE Title: Chromium: CVE-2026-13889 Insufficient validation of untrusted input in WebAuthentication
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:14    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13889
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13889 None

CVE-2026-13904 - Chromium: CVE-2026-13904 Incorrect security UI in Safe Browsing

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13904
MITRE
NVD
CVE Title: Chromium: CVE-2026-13904 Incorrect security UI in Safe Browsing
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:18    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13904
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13904 None

CVE-2026-13892 - Chromium: CVE-2026-13892 Inappropriate implementation in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13892
MITRE
NVD
CVE Title: Chromium: CVE-2026-13892 Inappropriate implementation in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:15    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13892
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13892 None

CVE-2026-13902 - Chromium: CVE-2026-13902 Inappropriate implementation in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13902
MITRE
NVD
CVE Title: Chromium: CVE-2026-13902 Inappropriate implementation in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:16    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13902
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13902 None

CVE-2026-13905 - Chromium: CVE-2026-13905 Incorrect security UI in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13905
MITRE
NVD
CVE Title: Chromium: CVE-2026-13905 Incorrect security UI in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:19    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13905
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13905 None

CVE-2026-13914 - Chromium: CVE-2026-13914 Inappropriate implementation in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13914
MITRE
NVD
CVE Title: Chromium: CVE-2026-13914 Inappropriate implementation in Passwords
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:40    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13914
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13914 None

CVE-2026-13907 - Chromium: CVE-2026-13907 Inappropriate implementation in iOSWeb

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13907
MITRE
NVD
CVE Title: Chromium: CVE-2026-13907 Inappropriate implementation in iOSWeb
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:20    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13907
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13907 None

CVE-2026-13912 - Chromium: CVE-2026-13912 Incorrect security UI in Safe Browsing

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13912
MITRE
NVD
CVE Title: Chromium: CVE-2026-13912 Incorrect security UI in Safe Browsing
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:23    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13912
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13912 None

CVE-2026-13910 - Chromium: CVE-2026-13910 Insufficient policy enforcement in WebXR

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13910
MITRE
NVD
CVE Title: Chromium: CVE-2026-13910 Insufficient policy enforcement in WebXR
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:09    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13910
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13910 None

CVE-2026-13913 - Chromium: CVE-2026-13913 Insufficient policy enforcement in Autofill

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13913
MITRE
NVD
CVE Title: Chromium: CVE-2026-13913 Insufficient policy enforcement in Autofill
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:24    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13913
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13913 None

CVE-2026-13908 - Chromium: CVE-2026-13908 Insufficient validation of untrusted input in Omnibox

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13908
MITRE
NVD
CVE Title: Chromium: CVE-2026-13908 Insufficient validation of untrusted input in Omnibox
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:22    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13908
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13908 None

CVE-2026-13916 - Chromium: CVE-2026-13916 Inappropriate implementation in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13916
MITRE
NVD
CVE Title: Chromium: CVE-2026-13916 Inappropriate implementation in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:27    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13916
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13916 None

CVE-2026-13915 - Chromium: CVE-2026-13915 Use after free in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13915
MITRE
NVD
CVE Title: Chromium: CVE-2026-13915 Use after free in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:26    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13915
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13915 None

CVE-2026-13917 - Chromium: CVE-2026-13917 Insufficient validation of untrusted input in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13917
MITRE
NVD
CVE Title: Chromium: CVE-2026-13917 Insufficient validation of untrusted input in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:28    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13917
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13917 None

CVE-2026-13923 - Chromium: CVE-2026-13923 Uninitialized Use in GPU

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13923
MITRE
NVD
CVE Title: Chromium: CVE-2026-13923 Uninitialized Use in GPU
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:10    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13923
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13923 None

CVE-2026-13926 - Chromium: CVE-2026-13926 Insufficient validation of untrusted input in Network

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13926
MITRE
NVD
CVE Title: Chromium: CVE-2026-13926 Insufficient validation of untrusted input in Network
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:13    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13926
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13926 None

CVE-2026-13918 - Chromium: CVE-2026-13918 Use after free in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13918
MITRE
NVD
CVE Title: Chromium: CVE-2026-13918 Use after free in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:29    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13918
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13918 None

CVE-2026-13924 - Chromium: CVE-2026-13924 Insufficient validation of untrusted input in WebView

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13924
MITRE
NVD
CVE Title: Chromium: CVE-2026-13924 Insufficient validation of untrusted input in WebView
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:12    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13924
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13924 None

CVE-2026-13929 - Chromium: CVE-2026-13929 Insufficient validation of untrusted input in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13929
MITRE
NVD
CVE Title: Chromium: CVE-2026-13929 Insufficient validation of untrusted input in DevTools
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:15    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13929
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13929 None

CVE-2026-13932 - Chromium: CVE-2026-13932 Inappropriate implementation in Sharing

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13932
MITRE
NVD
CVE Title: Chromium: CVE-2026-13932 Inappropriate implementation in Sharing
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:17    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13932
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13932 None

CVE-2026-13936 - Chromium: CVE-2026-13936 Inappropriate implementation in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13936
MITRE
NVD
CVE Title: Chromium: CVE-2026-13936 Inappropriate implementation in Passwords
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:18    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13936
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13936 None

CVE-2026-13943 - Chromium: CVE-2026-13943 Uninitialized Use in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13943
MITRE
NVD
CVE Title: Chromium: CVE-2026-13943 Uninitialized Use in CSS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:21    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13943
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13943 None

CVE-2026-13939 - Chromium: CVE-2026-13939 Insufficient validation of untrusted input in WebShare

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13939
MITRE
NVD
CVE Title: Chromium: CVE-2026-13939 Insufficient validation of untrusted input in WebShare
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:19    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13939
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13939 None

CVE-2026-13944 - Chromium: CVE-2026-13944 Inappropriate implementation in DataTransfer

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13944
MITRE
NVD
CVE Title: Chromium: CVE-2026-13944 Inappropriate implementation in DataTransfer
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:42    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13944
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13944 None

CVE-2026-13946 - Chromium: CVE-2026-13946 Inappropriate implementation in ScriptInjections

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13946
MITRE
NVD
CVE Title: Chromium: CVE-2026-13946 Inappropriate implementation in ScriptInjections
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:31    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13946
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13946 None

CVE-2026-13949 - Chromium: CVE-2026-13949 Insufficient policy enforcement in Payments

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13949
MITRE
NVD
CVE Title: Chromium: CVE-2026-13949 Insufficient policy enforcement in Payments
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:22    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13949
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13949 None

CVE-2026-13955 - Chromium: CVE-2026-13955 Insufficient validation of untrusted input in CustomTabs

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13955
MITRE
NVD
CVE Title: Chromium: CVE-2026-13955 Insufficient validation of untrusted input in CustomTabs
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:23    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13955
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13955 None

CVE-2026-13927 - Chromium: CVE-2026-13927 Insufficient validation of untrusted input in UI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13927
MITRE
NVD
CVE Title: Chromium: CVE-2026-13927 Insufficient validation of untrusted input in UI
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:14    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13927
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13927 None

CVE-2026-13964 - Chromium: CVE-2026-13964 Insufficient policy enforcement in WebView

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13964
MITRE
NVD
CVE Title: Chromium: CVE-2026-13964 Insufficient policy enforcement in WebView
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:24    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13964
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13964 None

CVE-2026-13969 - Chromium: CVE-2026-13969 Uninitialized Use in UI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13969
MITRE
NVD
CVE Title: Chromium: CVE-2026-13969 Uninitialized Use in UI
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:26    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13969
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13969 None

CVE-2026-13975 - Chromium: CVE-2026-13975 Out of bounds read in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13975
MITRE
NVD
CVE Title: Chromium: CVE-2026-13975 Out of bounds read in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:44    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13975
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13975 None

CVE-2026-13974 - Chromium: CVE-2026-13974 Integer overflow in Safe Browsing

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13974
MITRE
NVD
CVE Title: Chromium: CVE-2026-13974 Integer overflow in Safe Browsing
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:43    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13974
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13974 None

CVE-2026-13981 - Chromium: CVE-2026-13981 Inappropriate implementation in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13981
MITRE
NVD
CVE Title: Chromium: CVE-2026-13981 Inappropriate implementation in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:33    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13981
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13981 None

CVE-2026-13980 - Chromium: CVE-2026-13980 Incorrect security UI in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13980
MITRE
NVD
CVE Title: Chromium: CVE-2026-13980 Incorrect security UI in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:32    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13980
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13980 None

CVE-2026-13987 - Chromium: CVE-2026-13987 Incorrect security UI in Mobile

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13987
MITRE
NVD
CVE Title: Chromium: CVE-2026-13987 Incorrect security UI in Mobile
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:27    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13987
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13987 None

CVE-2026-13991 - Chromium: CVE-2026-13991 Insufficient validation of untrusted input in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13991
MITRE
NVD
CVE Title: Chromium: CVE-2026-13991 Insufficient validation of untrusted input in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:36    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13991
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13991 None

CVE-2026-13992 - Chromium: CVE-2026-13992 Inappropriate implementation in UI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13992
MITRE
NVD
CVE Title: Chromium: CVE-2026-13992 Inappropriate implementation in UI
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:46    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13992
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13992 None

CVE-2026-13994 - Chromium: CVE-2026-13994 Inappropriate implementation in Credential Management

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13994
MITRE
NVD
CVE Title: Chromium: CVE-2026-13994 Inappropriate implementation in Credential Management
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:28    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13994
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13994 None

CVE-2026-13995 - Chromium: CVE-2026-13995 Insufficient validation of untrusted input in Autofill

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13995
MITRE
NVD
CVE Title: Chromium: CVE-2026-13995 Insufficient validation of untrusted input in Autofill
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:29    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13995
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13995 None

CVE-2026-13983 - Chromium: CVE-2026-13983 Incorrect security UI in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13983
MITRE
NVD
CVE Title: Chromium: CVE-2026-13983 Incorrect security UI in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:34    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13983
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13983 None

CVE-2026-13997 - Chromium: CVE-2026-13997 Incorrect security UI in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13997
MITRE
NVD
CVE Title: Chromium: CVE-2026-13997 Incorrect security UI in Extensions
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:31    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13997
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13997 None

CVE-2026-13998 - Chromium: CVE-2026-13998 Incorrect security UI in File Input

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13998
MITRE
NVD
CVE Title: Chromium: CVE-2026-13998 Incorrect security UI in File Input
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:47    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13998
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13998 None

CVE-2026-14005 - Chromium: CVE-2026-14005 Use after free in Omnibox

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14005
MITRE
NVD
CVE Title: Chromium: CVE-2026-14005 Use after free in Omnibox
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:32    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14005
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14005 None

CVE-2026-14028 - Chromium: CVE-2026-14028 Incorrect security UI in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14028
MITRE
NVD
CVE Title: Chromium: CVE-2026-14028 Incorrect security UI in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:37    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14028
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14028 None

CVE-2026-14066 - Chromium: CVE-2026-14066 Insufficient validation of untrusted input in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14066
MITRE
NVD
CVE Title: Chromium: CVE-2026-14066 Insufficient validation of untrusted input in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:38    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14066
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14066 None

CVE-2026-14067 - Chromium: CVE-2026-14067 Use after free in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14067
MITRE
NVD
CVE Title: Chromium: CVE-2026-14067 Use after free in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:40    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14067
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14067 None

CVE-2026-14075 - Chromium: CVE-2026-14075 Policy bypass in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14075
MITRE
NVD
CVE Title: Chromium: CVE-2026-14075 Policy bypass in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:41    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14075
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14075 None

CVE-2026-14096 - Chromium: CVE-2026-14096 Object lifecycle issue in Input

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14096
MITRE
NVD
CVE Title: Chromium: CVE-2026-14096 Object lifecycle issue in Input
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:33    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14096
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14096 None

CVE-2026-14099 - Chromium: CVE-2026-14099 Use after free in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14099
MITRE
NVD
CVE Title: Chromium: CVE-2026-14099 Use after free in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:43    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14099
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14099 None

CVE-2026-14101 - Chromium: CVE-2026-14101 Insufficient policy enforcement in Sandbox

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14101
MITRE
NVD
CVE Title: Chromium: CVE-2026-14101 Insufficient policy enforcement in Sandbox
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:49    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14101
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14101 None

CVE-2026-14114 - Chromium: CVE-2026-14114 Inappropriate implementation in WebAppInstalls

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14114
MITRE
NVD
CVE Title: Chromium: CVE-2026-14114 Inappropriate implementation in WebAppInstalls
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:35    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14114
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14114 None

CVE-2026-14123 - Chromium: CVE-2026-14123 Incorrect security UI in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14123
MITRE
NVD
CVE Title: Chromium: CVE-2026-14123 Incorrect security UI in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:44    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14123
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14123 None

CVE-2026-14126 - Chromium: CVE-2026-14126 Incorrect security UI in UI

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14126
MITRE
NVD
CVE Title: Chromium: CVE-2026-14126 Incorrect security UI in UI
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:36    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14126
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14126 None

CVE-2026-14128 - Chromium: CVE-2026-14128 Insufficient data validation in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14128
MITRE
NVD
CVE Title: Chromium: CVE-2026-14128 Insufficient data validation in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:45    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14128
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14128 None

CVE-2026-14136 - Chromium: CVE-2026-14136 Incorrect security UI in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14136
MITRE
NVD
CVE Title: Chromium: CVE-2026-14136 Incorrect security UI in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:46    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14136
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14136 None

CVE-2026-14385 - Chromium: CVE-2026-14385 Heap buffer overflow in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14385
MITRE
NVD
CVE Title: Chromium: CVE-2026-14385 Heap buffer overflow in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:50    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14385
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14385 None

CVE-2026-14137 - Chromium: CVE-2026-14137 Insufficient validation of untrusted input in Chrome for iOS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14137
MITRE
NVD
CVE Title: Chromium: CVE-2026-14137 Insufficient validation of untrusted input in Chrome for iOS
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:40:48    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14137
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14137 None

CVE-2026-14382 - Chromium: CVE-2026-14382 Insufficient validation of untrusted input in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14382
MITRE
NVD
CVE Title: Chromium: CVE-2026-14382 Insufficient validation of untrusted input in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:37    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14382
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14382 None

CVE-2026-14386 - Chromium: CVE-2026-14386 Out of bounds read in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14386
MITRE
NVD
CVE Title: Chromium: CVE-2026-14386 Out of bounds read in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:52    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14386
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14386 None

CVE-2026-14388 - Chromium: CVE-2026-14388 Out of bounds read in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14388
MITRE
NVD
CVE Title: Chromium: CVE-2026-14388 Out of bounds read in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:22    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14388
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14388 None

CVE-2026-14390 - Chromium: CVE-2026-14390 Use after free in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14390
MITRE
NVD
CVE Title: Chromium: CVE-2026-14390 Use after free in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:31    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14390
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14390 None

CVE-2026-14392 - Chromium: CVE-2026-14392 Out of bounds write in Tint

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14392
MITRE
NVD
CVE Title: Chromium: CVE-2026-14392 Out of bounds write in Tint
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:36    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14392
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14392 None

CVE-2026-14393 - Chromium: CVE-2026-14393 Use after free in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14393
MITRE
NVD
CVE Title: Chromium: CVE-2026-14393 Use after free in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:37    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14393
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14393 None

CVE-2026-14391 - Chromium: CVE-2026-14391 Integer overflow in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14391
MITRE
NVD
CVE Title: Chromium: CVE-2026-14391 Integer overflow in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:35    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14391
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14391 None

CVE-2026-14395 - Chromium: CVE-2026-14395 Out of bounds write in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14395
MITRE
NVD
CVE Title: Chromium: CVE-2026-14395 Out of bounds write in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:40    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14395
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14395 None

CVE-2026-14396 - Chromium: CVE-2026-14396 Out of bounds read in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14396
MITRE
NVD
CVE Title: Chromium: CVE-2026-14396 Out of bounds read in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:53    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14396
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14396 None

CVE-2026-14394 - Chromium: CVE-2026-14394 Use after free in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14394
MITRE
NVD
CVE Title: Chromium: CVE-2026-14394 Use after free in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:39    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14394
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14394 None

CVE-2026-14398 - Chromium: CVE-2026-14398 Use after free in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14398
MITRE
NVD
CVE Title: Chromium: CVE-2026-14398 Use after free in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:41    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14398
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14398 None

CVE-2026-14397 - Chromium: CVE-2026-14397 Out of bounds write in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14397
MITRE
NVD
CVE Title: Chromium: CVE-2026-14397 Out of bounds write in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:54    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14397
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14397 None

CVE-2026-14399 - Chromium: CVE-2026-14399 Uninitialized Use in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14399
MITRE
NVD
CVE Title: Chromium: CVE-2026-14399 Uninitialized Use in Dawn
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:43    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14399
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14399 None

CVE-2026-14401 - Chromium: CVE-2026-14401 Insufficient validation of untrusted input in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14401
MITRE
NVD
CVE Title: Chromium: CVE-2026-14401 Insufficient validation of untrusted input in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:23    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14401
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14401 None

CVE-2026-14400 - Chromium: CVE-2026-14400 Out of bounds write in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14400
MITRE
NVD
CVE Title: Chromium: CVE-2026-14400 Out of bounds write in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:44    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14400
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14400 None

CVE-2026-14403 - Chromium: CVE-2026-14403 Use after free in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14403
MITRE
NVD
CVE Title: Chromium: CVE-2026-14403 Use after free in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:47    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14403
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14403 None

CVE-2026-14406 - Chromium: CVE-2026-14406 Out of bounds read in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14406
MITRE
NVD
CVE Title: Chromium: CVE-2026-14406 Out of bounds read in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:51    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14406
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14406 None

CVE-2026-14404 - Chromium: CVE-2026-14404 Inappropriate implementation in PDFium

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14404
MITRE
NVD
CVE Title: Chromium: CVE-2026-14404 Inappropriate implementation in PDFium
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:48    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14404
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14404 None

CVE-2026-14402 - Chromium: CVE-2026-14402 Uninitialized Use in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14402
MITRE
NVD
CVE Title: Chromium: CVE-2026-14402 Uninitialized Use in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:45    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14402
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14402 None

CVE-2026-14405 - Chromium: CVE-2026-14405 Uninitialized Use in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14405
MITRE
NVD
CVE Title: Chromium: CVE-2026-14405 Uninitialized Use in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:50    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14405
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14405 None

CVE-2026-14407 - Chromium: CVE-2026-14407 Inappropriate implementation in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14407
MITRE
NVD
CVE Title: Chromium: CVE-2026-14407 Inappropriate implementation in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:53    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14407
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14407 None

CVE-2026-14409 - Chromium: CVE-2026-14409 Inappropriate implementation in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14409
MITRE
NVD
CVE Title: Chromium: CVE-2026-14409 Inappropriate implementation in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:55    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14409
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14409 None

CVE-2026-14408 - Chromium: CVE-2026-14408 Uninitialized Use in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14408
MITRE
NVD
CVE Title: Chromium: CVE-2026-14408 Uninitialized Use in Dawn
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:54    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14408
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14408 None

CVE-2026-14411 - Chromium: CVE-2026-14411 Insufficient validation of untrusted input in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14411
MITRE
NVD
CVE Title: Chromium: CVE-2026-14411 Insufficient validation of untrusted input in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:57    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14411
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14411 None

CVE-2026-14410 - Chromium: CVE-2026-14410 Inappropriate implementation in Skia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14410
MITRE
NVD
CVE Title: Chromium: CVE-2026-14410 Inappropriate implementation in Skia
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:56    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14410
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14410 None

CVE-2026-14412 - Chromium: CVE-2026-14412 Insufficient validation of untrusted input in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14412
MITRE
NVD
CVE Title: Chromium: CVE-2026-14412 Insufficient validation of untrusted input in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:37:59    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14412
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14412 None

CVE-2026-14413 - Chromium: CVE-2026-14413 Uninitialized Use in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14413
MITRE
NVD
CVE Title: Chromium: CVE-2026-14413 Uninitialized Use in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14413
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14413 None

CVE-2026-14414 - Chromium: CVE-2026-14414 Insufficient validation of untrusted input in Skia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14414
MITRE
NVD
CVE Title: Chromium: CVE-2026-14414 Insufficient validation of untrusted input in Skia
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:02    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14414
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14414 None

CVE-2026-14415 - Chromium: CVE-2026-14415 Inappropriate implementation in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14415
MITRE
NVD
CVE Title: Chromium: CVE-2026-14415 Inappropriate implementation in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:03    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14415
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14415 None

CVE-2026-14416 - Chromium: CVE-2026-14416 Out of bounds read in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14416
MITRE
NVD
CVE Title: Chromium: CVE-2026-14416 Out of bounds read in Dawn
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:04    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14416
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14416 None

CVE-2026-14417 - Chromium: CVE-2026-14417 Use after free in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14417
MITRE
NVD
CVE Title: Chromium: CVE-2026-14417 Use after free in Dawn
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:05    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14417
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14417 None

CVE-2026-14420 - Chromium: CVE-2026-14420 Out of bounds read and write in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14420
MITRE
NVD
CVE Title: Chromium: CVE-2026-14420 Out of bounds read and write in Dawn
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:09    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14420
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14420 None

CVE-2026-14418 - Chromium: CVE-2026-14418 Uninitialized Use in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14418
MITRE
NVD
CVE Title: Chromium: CVE-2026-14418 Uninitialized Use in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:07    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14418
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14418 None

CVE-2026-14419 - Chromium: CVE-2026-14419 Use after free in Skia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14419
MITRE
NVD
CVE Title: Chromium: CVE-2026-14419 Use after free in Skia
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:08    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14419
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14419 None

CVE-2026-14422 - Chromium: CVE-2026-14422 Out of bounds read and write in Tint

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14422
MITRE
NVD
CVE Title: Chromium: CVE-2026-14422 Out of bounds read and write in Tint
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:55    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14422
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14422 None

CVE-2026-14423 - Chromium: CVE-2026-14423 Type Confusion in Tint

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14423
MITRE
NVD
CVE Title: Chromium: CVE-2026-14423 Type Confusion in Tint
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:10    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14423
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14423 None

CVE-2026-14421 - Chromium: CVE-2026-14421 Uninitialized Use in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14421
MITRE
NVD
CVE Title: Chromium: CVE-2026-14421 Uninitialized Use in Dawn
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:25    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14421
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14421 None

CVE-2026-14424 - Chromium: CVE-2026-14424 Use after free in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14424
MITRE
NVD
CVE Title: Chromium: CVE-2026-14424 Use after free in Dawn
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:39:57    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14424
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14424 None

CVE-2026-14425 - Chromium: CVE-2026-14425 Use after free in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14425
MITRE
NVD
CVE Title: Chromium: CVE-2026-14425 Use after free in ANGLE
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:12    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14425
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14425 None

CVE-2026-14426 - Chromium: CVE-2026-14426 Use after free in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14426
MITRE
NVD
CVE Title: Chromium: CVE-2026-14426 Use after free in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:13    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14426
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14426 None

CVE-2026-14427 - Chromium: CVE-2026-14427 Heap buffer overflow in Skia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14427
MITRE
NVD
CVE Title: Chromium: CVE-2026-14427 Heap buffer overflow in Skia
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:14    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14427
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14427 None

CVE-2026-14428 - Chromium: CVE-2026-14428 Insufficient validation of untrusted input in Dawn

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14428
MITRE
NVD
CVE Title: Chromium: CVE-2026-14428 Insufficient validation of untrusted input in Dawn
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:41:38    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14428
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14428 None

CVE-2026-14429 - Chromium: CVE-2026-14429 Insufficient validation of untrusted input in Skia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14429
MITRE
NVD
CVE Title: Chromium: CVE-2026-14429 Insufficient validation of untrusted input in Skia
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:16    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14429
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14429 None

CVE-2026-14430 - Chromium: CVE-2026-14430 Integer overflow in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14430
MITRE
NVD
CVE Title: Chromium: CVE-2026-14430 Integer overflow in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:17    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14430
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14430 None

CVE-2026-14432 - Chromium: CVE-2026-14432 Use after free in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14432
MITRE
NVD
CVE Title: Chromium: CVE-2026-14432 Use after free in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:19    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14432
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14432 None

CVE-2026-14431 - Chromium: CVE-2026-14431 Type Confusion in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14431
MITRE
NVD
CVE Title: Chromium: CVE-2026-14431 Type Confusion in V8
Description:

This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T15:38:18    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14431
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14431 None

CVE-2026-50652 - Azure Active Directory Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50652
MITRE
NVD
CVE Title: Azure Active Directory Denial of Service Vulnerability
Description:

Deserialization of untrusted data in Azure Active Directory allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50652
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Azure Active Directory Release Notes (Security Update)
Release Notes (Security Update)
Release Notes (Security Update)
Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50652 Vandit Aruldas with Microsoft


CVE-2026-50653 - Azure Active Directory Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50653
MITRE
NVD
CVE Title: Azure Active Directory Denial of Service Vulnerability
Description:

Loop with unreachable exit condition ('infinite loop') in Azure Active Directory allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50653
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Azure Active Directory Release Notes (Security Update)
Release Notes (Security Update)
Release Notes (Security Update)
Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50653 Sridhar Periyasamy


CVE-2026-33842 - Windows File Explorer Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-33842
MITRE
NVD
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is an address from an object operating at a High Integrity Level in a contained ("sandboxed") execution environment.

Please refer to AppContainer isolation and Mandatory Integrity Control for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-33842
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-33842 David Zhu with Microsoft


Anonymous


CVE-2026-34328 - Windows Audio Service Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-34328
MITRE
NVD
CVE Title: Windows Audio Service Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Audio Service allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is memory addresses belonging to the "EventLog" Windows service


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-34328
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-34328 David Zhu with Microsoft


CVE-2026-40422 - Windows File Explorer Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-40422
MITRE
NVD
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Windows File Explorer allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is an address from an object operating at a High Integrity Level in a contained ("sandboxed") execution environment.

Please refer to AppContainer isolation and Mandatory Integrity Control for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-40422
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-40422 David Zhu with Microsoft


CVE-2026-41087 - Windows File Explorer Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-41087
MITRE
NVD
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is an address from an object operating at a High Integrity Level in a contained ("sandboxed") execution environment.

Please refer to AppContainer isolation and Mandatory Integrity Control for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-41087
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-41087 David Zhu with Microsoft


CVE-2026-40400 - Windows PowerShell Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-40400
MITRE
NVD
CVE Title: Windows PowerShell Remote Code Execution Vulnerability
Description:

Relative path traversal in Windows PowerShell allows an authorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires an authenticated client to click a link so that an unauthenticated attacker can initiate remote code execution.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-40400
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-40400 Quan Le from Unit 515 - OPSWAT


Saif Shaker


Peng Zhou (zpbrent)


Anindya Roy


Rayhan Destian


Rayhan Destian


Charlie Vogt


Michael Monwuba with Microsoft




MinhNV5 with MBBank


PuH4ck3rX


PuH4ck3rX with W&M


YMsora


Jishnu Sudhakaran


Ky0toFu


Povcfe


Daniel R


Anonymous


TrendAI Zero Day Initiative


TrendAI Zero Day Initiative




Charlie Vogt




CVE-2026-34348 - Windows Event Logging Service Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-34348
MITRE
NVD
CVE Title: Windows Event Logging Service Information Disclosure Vulnerability
Description:

Protection mechanism failure in Windows Event Logging Service allows an authorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-34348
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5089548 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-34348 Michael Grafnetter with SpecterOps


Anonymous


CVE-2026-44806 - Windows Secure Channel Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-44806
MITRE
NVD
CVE Title: Windows Secure Channel Denial of Service Vulnerability
Description:

Missing release of memory after effective lifetime in Windows Cryptographic Services allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-44806
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-44806 Anonymous




Microsoft


CVE-2026-40378 - Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-40378
MITRE
NVD
CVE Title: Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability
Description:

Memory allocation with excessive size value in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-40378
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-40378 WARP & MORSE teams at Microsoft


CVE-2026-47304 - .NET Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-47304
MITRE
NVD
CVE Title: .NET Security Feature Bypass Vulnerability
Description:

Improper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network.


FAQ:

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

The authentication feature could be bypassed as this vulnerability allows impersonation.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-47304
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Security Feature Bypass None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Security Feature Bypass None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Security Feature Bypass None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-47304 Levi Broderick


CVE-2026-44800 - Windows Push Notifications Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-44800
MITRE
NVD
CVE Title: Windows Push Notifications Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

This vulnerability could lead to a contained execution environment escape. Please refer to AppContainer Isolation for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-44800
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-44800 Anonymous


CVE-2026-47632 - Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-47632
MITRE
NVD
CVE Title: Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability
Description:

Improper certificate validation in Azure Monitor Agent allows an unauthorized attacker to elevate privileges over an adjacent network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain ELEVATED privileges, which may allow them to perform actions beyond their original permissions.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-47632
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Azure Monitor Agent Metrics Extension Release Notes (Security Update - Windows)
Release Notes (Security Update - Linux)
Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-47632 Gal Azaria with Microsoft


CVE-2026-48564 - DHCP Server Service Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-48564
MITRE
NVD
CVE Title: DHCP Server Service Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows DHCP Server allows an authorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An authenticated attacker could leverage a specially crafted RPC call to the DHCP service to exploit this vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-48564
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5094042 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5094042 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5094041 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5094041 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-48564 Howard McGreehan with MSRC V&M


WARP and ACS teams at Microsoft


CVE-2026-48581 - Surface Broker SDMA Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-48581
MITRE
NVD
CVE Title: Surface Broker SDMA Elevation of Privilege Vulnerability
Description:

Insufficient granularity of access control in Microsoft Surface allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


What actions do customers need to perform to be protected against this vulnerability?

Surface devices get updates through Windows Update. See Surface update history for more information.

If you wish to install the updates manually, you can do the following:

  1. In the Surface app, expand Help & support to check the update status.
  2. If there are updates available, select the Check for updates button to open Windows Update and install the available updates.

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-48581
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Surface Go 2 Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Microsoft Surface Go 3 Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Microsoft Surface Hub Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Microsoft Surface Hub 2S Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Microsoft Surface Hub 3 Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Microsoft Surface Laptop Go Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Microsoft Surface Laptop Go 2 Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Microsoft Surface Laptop Go 3 Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Microsoft Surface Pro 7+ Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Microsoft Surface Pro 8 Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Surface Laptop 4 with AMD Processor Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Surface Laptop 4 with Intel Processor Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown
Surface Windows Dev Kit Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-48581 JC with Splinters.io


CVE-2026-45646 - OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-45646
MITRE
NVD
CVE Title: OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability
Description:

Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-45646
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft.AspNet.OData Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft.AspNetCore.OData Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-45646 Anonymous


Anonymous


CVE-2026-49178 - Windows Active Directory Domain Services Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49178
MITRE
NVD
CVE Title: Windows Active Directory Domain Services Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Active Directory Domain Services allows an authorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

A domain‑authenticated attacker with access to the NSPI RPC interface can provide crafted inputs that trigger an out‑of‑bounds write in the directory service process, leading to memory corruption/remote code execution.


According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.


How could an attacker exploit the vulnerability?

An attacker who successfully exploits this vulnerability could achieve remote code execution without user interaction.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49178
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49178 Microsoft


CVE-2026-49180 - Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49180
MITRE
NVD
CVE Title: Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability
Description:

Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is file content.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49180
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49180 Siva Jyoshna Poreddy


CVE-2026-49181 - Windows DHCP Client Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49181
MITRE
NVD
CVE Title: Windows DHCP Client Elevation of Privilege Vulnerability
Description:

Integer underflow (wrap or wraparound) in Windows DHCP Client allows an unauthorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49181
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49181 Jay Ladhad with Microsoft


CVE-2026-49184 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49184
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49184
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49184 pwn2addr


0rb1t with None


Qanux with None


Donghyeon Oh with Patchpoint


Jonghoi Kim


Anonymous


Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract


yhw & txz


Anonymous


Minjea Park with Stealien


R4nger with Kunlun Lab & Zhiniang Peng with HUST


Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab


CVE-2026-49183 - Windows Clipboard Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49183
MITRE
NVD
CVE Title: Windows Clipboard Server Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Clipboard Server allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49183
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49183 Jongseong Kim (nevul37), SEC-agent team


Hwiwon Lee (hwiwonl), SEC-agent team


Younggi Park (grill66), SEC-agent team


Pwnforr777


Anonymous


CVE-2026-49783 - Secure Boot Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49783
MITRE
NVD
CVE Title: Secure Boot Security Feature Bypass Vulnerability
Description:

Improperly implemented security check for standard in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.


FAQ:

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An attacker who successfully exploited this vulnerability could bypass Secure Boot.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49783
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Security Feature Bypass None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49783 Anonymous


CVE-2026-49787 - HTTP.sys Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49787
MITRE
NVD
CVE Title: HTTP.sys Denial of Service Vulnerability
Description:

Allocation of resources without limits or throttling in Windows HTTP.sys allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49787
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49787 Miha Zupan with Microsoft


CVE-2026-49788 - HTTP/2 Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49788
MITRE
NVD
CVE Title: HTTP/2 Denial of Service Vulnerability
Description:

Allocation of resources without limits or throttling in HTTP/2 allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49788
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49788 Miha Zupan with Microsoft


CVE-2026-49789 - Windows NTFS Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49789
MITRE
NVD
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description:

Stack-based buffer overflow in Windows NTFS allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49789
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49789 Thanatos Tian (HKPolyu) & wgg & @2st__ with Diffract


R4nger with Kunlun Lab & Zhiniang Peng with HUST


CVE-2026-49790 - Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49790
MITRE
NVD
CVE Title: Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49790
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49790 Thanatos Tian (HKPolyU) & npc0vo & wgg & PB18 & @2st__ with Diffract


Hank Chen with InnoEdge Labs


CVE-2026-49791 - Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49791
MITRE
NVD
CVE Title: Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability
Description:

Improper link resolution before file access ('link following') in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49791
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49791 BochengXiang(@Crispr) with FDU


CVE-2026-49792 - Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49792
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description:

Numeric truncation error in Windows Resilient File System (ReFS) allows an authorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49792
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49792 Dewang Ahluwalia


Jonghoi Kim


Donghyeon Oh with Patchpoint


CVE-2026-49793 - Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49793
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49793
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49793 Dewang Ahluwalia


CVE-2026-49794 - Windows USB Audio Class Driver Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49794
MITRE
NVD
CVE Title: Windows USB Audio Class Driver Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could obtain limited memory-related information, specifically a heap address returned by the affected service.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49794
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49794 Seung Chan Kim


Donghyeon Oh with Patchpoint


Jonghoi Kim


CVE-2026-49796 - Windows GDI+ Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49796
MITRE
NVD
CVE Title: Windows GDI+ Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49796
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49796 Anonymous


CVE-2026-49795 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49795
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49795
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49795 Kentaro Kawane with GMO Cybersecurity by Ierae, Inc.


CVE-2026-49797 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49797
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49797
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49797 Thanatos Tian & wgg & @2st__ with Diffract


CVE-2026-49798 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49798
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


How could an attacker exploit this vulnerability?

An attacker could run a specially crafted program on a local system that triggers the vulnerable function while a menu is being processed, causing the system to use memory that has already been freed. This can result in memory corruption, which an attacker may use to run malicious code.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49798
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 9.3
Temporal: 8.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49798 Anonymous


Jongseong Kim (nevul37), SEC-agent team


Hwiwon Lee (hwiwonl), SEC-agent team


Younggi Park (grill66), SEC-agent team


Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab


CVE-2026-50299 - Windows Storage Spaces Direct Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50299
MITRE
NVD
CVE Title: Windows Storage Spaces Direct Remote Code Execution Vulnerability
Description:

Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50299
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50299 Anonymous


Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST


CVE-2026-49800 - Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49800
MITRE
NVD
CVE Title: Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability
Description:

Integer overflow or wraparound in Windows Web Proxy Auto-Discovery Protocol (WPAD) allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49800
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49800 nerty with Theori


z1r0


Anonymous


Dongjun Lee (m0nd2y) with KAIST Hacking Lab


TwinkleStar03 with DEVCORE Internship Program


Brandon Fisher


Brandon Fisher


Dongjun Lee (m0nd2y) with KAIST Hacking Lab


Dongjun Lee with KAIST Hacking Lab


nerty with Theori


nerty with Theori


Anonymous


k0shl


021w with Vulnerability Research Institute


CVE-2026-49799 - Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49799
MITRE
NVD
CVE Title: Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability
Description:

Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49799
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49799 Yehuda Smirnov with Microsoft


Naor Evgi with White-Hat LTD


Noam Pomerantz with CyberWallGlobal LTD


CVE-2026-50308 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50308
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Integer underflow (wrap or wraparound) in Windows NTFS allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50308
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50308 Jianliang Zhao & Zhiniang Peng with HUST


CVE-2026-50311 - Windows Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50311
MITRE
NVD
CVE Title: Windows Server Elevation of Privilege Vulnerability
Description:

Improper access control in Windows Server allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50311
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50311 mad31k working with TrendAI Zero Day Initiative


CVE-2026-49804 - Windows USB Video Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49804
MITRE
NVD
CVE Title: Windows USB Video Driver Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows USB Video Driver allows an unauthorized attacker to elevate privileges with a physical attack.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49804
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 6.6
Temporal: 5.8
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49804 pwn2addr


CVE-2026-50294 - Windows Kernel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50294
MITRE
NVD
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description:

Exposure of sensitive system information to an unauthorized control sphere in Windows Kernel allows an unauthorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50294
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50294 Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab


CVE-2026-50333 - Windows Spaceport.sys Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50333
MITRE
NVD
CVE Title: Windows Spaceport.sys Elevation of Privilege Vulnerability
Description:

Missing authentication for critical function in Windows Spaceport.sys allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50333
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50333 zickzick2


kaymin0128


zickzick2


Nathaniel Oh (@calysteon)


Hae Seong Cho (yurok)


Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST


kang


kang


CVE-2026-49801 - Windows SMB Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49801
MITRE
NVD
CVE Title: Windows SMB Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49801
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49801 sweetchip


CVE-2026-49802 - Windows USB Print Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49802
MITRE
NVD
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49802
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49802 AIフィジカルインターフェイス二号機


CVE-2026-49806 - Windows USB Print Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49806
MITRE
NVD
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49806
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49806 Anonymous


CVE-2026-49805 - Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49805
MITRE
NVD
CVE Title: Win32k Elevation of Privilege Vulnerability
Description:

Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49805
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49805 mad31k working with TrendAI Zero Day Initiative


CVE-2026-49803 - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49803
MITRE
NVD
CVE Title: Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows AppX Deployment Service allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49803
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49803 Anonymous


CVE-2026-50323 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50323
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50323
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50323 Anonymous


CVE-2026-50318 - Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50318
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Description:

Stack-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50318
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50318 pwn2addr


Donghyeon Oh with Patchpoint


Jonghoi Kim


R4nger with Kunlun Lab & Zhiniang Peng with HUST


Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract


CVE-2026-50351 - Windows Audio Compression Manager (ACM) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50351
MITRE
NVD
CVE Title: Windows Audio Compression Manager (ACM) Elevation of Privilege Vulnerability
Description:

Improper access control in Windows Audio Compression Manager (ACM) allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50351
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50351 XBreach.ai


Yehuda Smirnov with Microsoft


Naor Evgi with White-Hat LTD


CrowdStrike Advanced Research Team with CrowdStrike


Mateusz Garncarek with Digital-Missiles


Ali Toni with Al-Esraa University


pwn2addr


Andrea Bocchetti


Lydéric LEFEBVRE with Blackfield Security


Lydéric LEFEBVRE with Blackfield Security


Noam Pomerantz


Vishal Chauhan


CVE-2026-49807 - Windows DirectX Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49807
MITRE
NVD
CVE Title: Windows DirectX Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows DirectX allows an unauthorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49807
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49807 Jmini with Stealien


CVE-2026-50342 - Windows MIDI Service Module Elevation of Privileges Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50342
MITRE
NVD
CVE Title: Windows MIDI Service Module Elevation of Privileges Vulnerability
Description:

Improper access control in Windows MIDI Service Module allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50342
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50342 ChengBin Wang with ZheJiang Guoli Security Technology


CVE-2026-50298 - Windows Spaceport.sys Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50298
MITRE
NVD
CVE Title: Windows Spaceport.sys Elevation of Privilege Vulnerability
Description:

Integer overflow or wraparound in Windows Spaceport.sys allows an unauthorized attacker to elevate privileges with a physical attack.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50298
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50298 Nils Holten


Nils Holten


Anonymous


Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST


yhw & txz


CVE-2026-49808 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49808
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49808
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49808 Anonymous


CVE-2026-50293 - Windows Internal Task Bar Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50293
MITRE
NVD
CVE Title: Windows Internal Task Bar Elevation of Privilege Vulnerability
Description:

Use after free in Windows Internal Task Bar allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50293
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50293 Anonymous


CVE-2026-50316 - Windows Kernel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50316
MITRE
NVD
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description:

Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain kernel memory content.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L),but lead to no loss of availability (A:N) and integrity (I:N)? What does that mean for this vulnerability?

An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability).


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50316
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50316 Aman


CVE-2026-50354 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50354
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50354
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50354 Seung Chan Kim


yhw & txz


CVE-2026-50296 - DirectX Graphics Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50296
MITRE
NVD
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Graphics Kernel allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50296
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50296 Divya


CVE-2026-50297 - Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50297
MITRE
NVD
CVE Title: Win32k Elevation of Privilege Vulnerability
Description:

Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50297
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50297 TrendAI Zero Day Initiative


CVE-2026-50325 - Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50325
MITRE
NVD
CVE Title: Win32k Elevation of Privilege Vulnerability
Description:

Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.


What privileges could be gained by an attacker who successfully exploited the vulnerability?

The attacker would gain the rights of the user that is running the affected application.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50325
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50325 TrendAI Zero Day Initiative


CVE-2026-50356 - Microsoft Windows App Store Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50356
MITRE
NVD
CVE Title: Microsoft Windows App Store Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Windows App Store allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50356
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50356 Anonymous


CVE-2026-50384 - Windows Clip Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50384
MITRE
NVD
CVE Title: Windows Clip Service Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Clip Service allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

The attacker would gain the rights of the user that is running the affected application.


According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50384
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50384 Jongseong Kim (nevul37), SEC-agent team


Hwiwon Lee (hwiwonl), SEC-agent team


Younggi Park (grill66), SEC-agent team


Pwnforr777


Anonymous


CVE-2026-50295 - Windows Zero Trust DNS Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50295
MITRE
NVD
CVE Title: Windows Zero Trust DNS Security Feature Bypass Vulnerability
Description:

Improper privilege management in Microsoft Windows DNS allows an authorized attacker to bypass a security feature locally.


FAQ:

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An attacker who successfully exploited this vulnerability could bypass Zero Trust DNS (ZTDNS) policy enforcement.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50295
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50295 ChenJian with Sea Security Orca Team


CVE-2026-50350 - Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50350
MITRE
NVD
CVE Title: Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Trusted Runtime Interface Driver allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50350
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50350 Yun Cong


CVE-2026-50381 - Composite Image File System driver (cimfs.sys) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50381
MITRE
NVD
CVE Title: Composite Image File System driver (cimfs.sys) Information Disclosure Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Composite Image File System Driver allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is file metadata.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50381
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50381 YuilMuil(Yoon Jung Hyun)


CVE-2026-50300 - Windows DWM Core Library Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50300
MITRE
NVD
CVE Title: Windows DWM Core Library Information Disclosure Vulnerability
Description:

Integer underflow (wrap or wraparound) in Windows Kernel allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50300
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50300 Varun Goel


CVE-2026-50303 - Windows Key Guard Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50303
MITRE
NVD
CVE Title: Windows Key Guard Security Feature Bypass Vulnerability
Description:

Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.


FAQ:

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

The authentication feature could be bypassed as this vulnerability allows impersonation.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50303
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50303 Leshi Yang


CVE-2026-50364 - Windows Backup Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50364
MITRE
NVD
CVE Title: Windows Backup Service Elevation of Privilege Vulnerability
Description:

Improper link resolution before file access ('link following') in Windows Server Backup allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50364
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50364 AIフィジカルインターフェイス二号機


CVE-2026-50302 - Windows Cryptographic Services Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50302
MITRE
NVD
CVE Title: Windows Cryptographic Services Security Feature Bypass Vulnerability
Description:

Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.


FAQ:

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An attacker can obtain keys, which could enable an attacker to partially bypass the application's cryptographic protections. Confidential information could be exposed to malicious users, including configuration data but not including personal information or credentials.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50302
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Security Feature Bypass None Base: 4.2
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50302 Microsoft


CVE-2026-50332 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50332
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50332
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50332 deepsec with DARKNAVY


Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab


CVE-2026-50372 - Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50372
MITRE
NVD
CVE Title: Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability
Description:

Buffer over-read in Windows Redirected Drive Buffering allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50372
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50372 grass341 with Viettel Cyber Security


CVE-2026-50305 - Microsoft Brokering File System Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50305
MITRE
NVD
CVE Title: Microsoft Brokering File System Elevation of Privilege Vulnerability
Description:

Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50305
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50305 hazard


CVE-2026-50329 - Microsoft DWM Core Library Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50329
MITRE
NVD
CVE Title: Microsoft DWM Core Library Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50329
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50329 Seung Chan Kim


CVE-2026-50363 - Windows Push Notifications Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50363
MITRE
NVD
CVE Title: Windows Push Notifications Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Push Notifications allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50363
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50363 Anonymous


CVE-2026-50392 - Windows Secure Kernel Mode Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50392
MITRE
NVD
CVE Title: Windows Secure Kernel Mode Elevation of Privilege Vulnerability
Description:

Use after free in Windows Secure Kernel Mode allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50392
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Critical Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50392 Anonymous


CVE-2026-50304 - Windows Active Directory Federation Services Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50304
MITRE
NVD
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description:

Stack-based buffer overflow in Active Directory Federation Services allows an unauthorized attacker to deny service over a network.


FAQ:

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of availability (A:H). What does that mean for this vulnerability?

An attacker can send specially crafted packets which could affect availability of the service and result in Denial of Service (DoS).


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50304
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50304 Anonymous


CVE-2026-50328 - Windows Server Update Service (WSUS) Tampering Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50328
MITRE
NVD
CVE Title: Windows Server Update Service (WSUS) Tampering Vulnerability
Description:

Uncaught exception in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network.


FAQ:

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of availability (A:H). What does that mean for this vulnerability?

An attacker can send specially crafted packets which could affect availability of the service and result in Denial of Service (DoS).


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Tampering

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50328
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Tampering None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50328 f7d8c52bec79e42795cf15888b85cbad


CVE-2026-50306 - Windows TCP/IP Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50306
MITRE
NVD
CVE Title: Windows TCP/IP Elevation of Privilege Vulnerability
Description:

Use after free in Windows TCP/IP allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50306
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50306 Microsoft


CVE-2026-50360 - Windows SMB Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50360
MITRE
NVD
CVE Title: Windows SMB Server Elevation of Privilege Vulnerability
Description:

Incorrect implementation of authentication algorithm in Windows SMB Server allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain administrator privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50360
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50360 Microsoft


CVE-2026-50393 - Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50393
MITRE
NVD
CVE Title: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50393
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50393 Matthew Cox with Microsof (internal)


Matthew Cox with Microsof (internal)


CVE-2026-50412 - Windows NTFS Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50412
MITRE
NVD
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description:

Stack-based buffer overflow in Windows NTFS allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50412
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50412 Microsoft Internal with Microsoft


Thanatos Tian & wgg & @2st__ with Diffract


Minjea Park


Jmini


Microsoft Red Team (MRT) with Microsoft


haowei yan & xiaozun tang


CVE-2026-50337 - Windows Notification Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50337
MITRE
NVD
CVE Title: Windows Notification Elevation of Privilege Vulnerability
Description:

Incorrect type conversion or cast in Windows Notification allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50337
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50337 Anonymous


CVE-2026-50386 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50386
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50386
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 (Server Core installation) 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50386 Thanatos Tian & wgg & @2st__ with Diffract


Microsoft Red Team (MRT) with Microsoft


Anonymous


Donghyeon Oh with Patchpoint


Jonghoi Kim


CVE-2026-50400 - Windows App Package Installer Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50400
MITRE
NVD
CVE Title: Windows App Package Installer Elevation of Privilege Vulnerability
Description:

Stack-based buffer overflow in Windows App Installer allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50400
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50400 Anonymous


CVE-2026-50309 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50309
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50309
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50309 Minjea Park


Donghyeon Oh with Patchpoint


Jonghoi Kim


CVE-2026-50419 - Windows Kernel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50419
MITRE
NVD
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50419
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50419 hazard


CVE-2026-50368 - Windows Active Directory Federation Services Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50368
MITRE
NVD
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description:

Stack-based buffer overflow in Active Directory Federation Services allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50368
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50368 Anonymous


CVE-2026-50307 - Windows TCP/IP Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50307
MITRE
NVD
CVE Title: Windows TCP/IP Elevation of Privilege Vulnerability
Description:

Use after free in Windows TCP/IP allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50307
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50307 Microsoft


LC with VGCO - Vietnam Germany Connection


yhw & txz


CVE-2026-50326 - Windows Unified Consent System Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50326
MITRE
NVD
CVE Title: Windows Unified Consent System Elevation of Privilege Vulnerability
Description:

Use after free in Windows Unified Consent System allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50326
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50326 Anonymous


CVE-2026-50313 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50313
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50313
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50313 R4nger with Kunlun Lab & Zhiniang Peng with HUST


Donghyeon Oh with Patchpoint


Jonghoi Kim


CVE-2026-50440 - Windows Audio Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50440
MITRE
NVD
CVE Title: Windows Audio Service Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Audio Service allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50440
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50440 Aobo Wang


CVE-2026-50380 - Windows GDI+ Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50380
MITRE
NVD
CVE Title: Windows GDI+ Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by convincing a user to open or process a specially crafted EMF+ file that contains a malicious image record. When the file is rendered, the system may incorrectly handle the image data, causing it to write beyond the bounds of allocated memory and corrupt adjacent memory structures.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50380
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50380 Seung Chan Kim


CVE-2026-50327 - Windows Media Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50327
MITRE
NVD
CVE Title: Windows Media Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows Media allows an authorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50327
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50327 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


CVE-2026-50341 - Windows NTFS Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50341
MITRE
NVD
CVE Title: Windows NTFS Information Disclosure Vulnerability
Description:

Buffer over-read in Windows NTFS allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain kernel memory content.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50341
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50341 Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST


Thanatos Tian (HKPolyU) & npc0vo & @2st__ with Diffract


Rahul Hoysala with OSI


CVE-2026-50407 - Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50407
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50407
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50407 yhw & txz


Thunder_J


pwn2addr


Thanatos Tian & wgg & @2st__ with Diffract


CVE-2026-50331 - Windows Application Model Core API Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50331
MITRE
NVD
CVE Title: Windows Application Model Core API Elevation of Privilege Vulnerability
Description:

Use after free in Windows Application Model allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50331
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50331 Anonymous


CVE-2026-50343 - Microsoft Install Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50343
MITRE
NVD
CVE Title: Microsoft Install Service Elevation of Privilege Vulnerability
Description:

Improper privilege management in Microsoft Install Service allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50343
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50343 pwnky


Noam Pomerantz with Cyberwallglobal


Yehuda Smirnov with Microsoft


Naor Evgi with White-Hat LTD


Andrea Bocchetti


ChengBin Wang with ZheJiang Guoli Security Technology


Anonymous with SSD Secure Disclosure


Daniel Wade with nadsec


Anonymous


yhw & txz


CVE-2026-50396 - Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50396
MITRE
NVD
CVE Title: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50396
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50396 grass341 with Viettel Cyber Security


CVE-2026-50370 - DHCP Server Service Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50370
MITRE
NVD
CVE Title: DHCP Server Service Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows DHCP Server allows an unauthorized attacker to execute code over an adjacent network.


FAQ:

How could an attacker exploit this vulnerability?

An authenticated user could exploit this vulnerability by sending specially crafted network traffic to a server configured for use as a Dynamic Host Configuration Protocol (DHCP) Server.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50370
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50370 Linzishan & Anemone & Zhiniang Peng (HUST)


CVE-2026-50347 - Windows Data.dll Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50347
MITRE
NVD
CVE Title: Windows Data.dll Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows Data dll allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50347
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50347 Anonymous


CVE-2026-50321 - Windows USB Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50321
MITRE
NVD
CVE Title: Windows USB Driver Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Driver allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50321
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50321 Kamil Leoniak at Delphos Labs Delphos Labs


Kamil Leoniak at Delphos Labs Delphos Labs


CVE-2026-50425 - Windows Internal System User Profile Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50425
MITRE
NVD
CVE Title: Windows Internal System User Profile Elevation of Privilege Vulnerability
Description:

Use after free in Windows Internal System User Profile allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50425
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50425 Vamshi Krishna Bolly


CVE-2026-50315 - Windows Image Acquisition Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50315
MITRE
NVD
CVE Title: Windows Image Acquisition Elevation of Privilege Vulnerability
Description:

Null pointer dereference in Windows Image Acquisition allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker could use this vulnerability to elevate privileges from Medium Integrity Level to Local Service.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50315
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50315 h4urek with secsys lab


CVE-2026-50434 - Windows Push Notification Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50434
MITRE
NVD
CVE Title: Windows Push Notification Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50434
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50434 Yun Cong


CVE-2026-50339 - Windows Push Notification Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50339
MITRE
NVD
CVE Title: Windows Push Notification Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50339
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50339 Yun Cong


CVE-2026-50430 - Windows Push Notification Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50430
MITRE
NVD
CVE Title: Windows Push Notification Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50430
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50430 Yun Cong


CVE-2026-50310 - Windows Human Interface Device Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50310
MITRE
NVD
CVE Title: Windows Human Interface Device Information Disclosure Vulnerability
Description:

Integer overflow or wraparound in Windows Devices Human Interface allows an authorized attacker to disclose information locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.


What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain memory address within kernel space. Knowing the exact location of kernel memory could be potentially leveraged by an attacker for other malicious activities.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50310
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50310 CrowdStrike Advanced Research Team with CrowdStrike


CVE-2026-50324 - Windows Active Directory Federation Services Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50324
MITRE
NVD
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description:

Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50324
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50324 Anonymous


Anonymous


CVE-2026-50312 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50312
MITRE
NVD
CVE Title: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Description:

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50312
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50312 Soon Oh with Microsoft


CVE-2026-50330 - Windows Remote Desktop Client Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50330
MITRE
NVD
CVE Title: Windows Remote Desktop Client Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to elevate privileges over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50330
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50330 Nicholas Vadasz


CVE-2026-50357 - Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50357
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Description:

Numeric truncation error in Windows Resilient File System (ReFS) allows an authorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50357
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50357 Donghyeon Oh with Patchpoint


Jonghoi Kim


CVE-2026-50377 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50377
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50377
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50377 Gabriela Kote with Microsoft


Seung Chan Kim


CVE-2026-50390 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50390
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50390
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50390 wisi


CVE-2026-50452 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50452
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an unauthorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50452
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50452 Anonymous


CVE-2026-50348 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50348
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an unauthorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50348
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50348 Anonymous


CVE-2026-50345 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50345
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50345
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50345 Anonymous


CVE-2026-50322 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50322
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50322
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50322 Anonymous


CVE-2026-50335 - Windows Operating Systems Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50335
MITRE
NVD
CVE Title: Windows Operating Systems Elevation of Privilege Vulnerability
Description:

Improper access control in Windows Operating Systems allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50335
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50335 Tomer Peled with Akamai


CVE-2026-50375 - DirectX Graphics Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50375
MITRE
NVD
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows DirectX allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50375
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50375 Anonymous


Azure Yang with Kunlun Lab


YuilMuil


esakis


Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab


Anonymous


yhw & txz


CVE-2026-50361 - Microsoft Brokering File System Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50361
MITRE
NVD
CVE Title: Microsoft Brokering File System Elevation of Privilege Vulnerability
Description:

Double free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50361
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50361 hazard


CVE-2026-50317 - Windows Operating Systems Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50317
MITRE
NVD
CVE Title: Windows Operating Systems Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Operating Systems allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50317
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50317 Anonymous


CVE-2026-50340 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50340
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Use after free in Windows Runtime allows an authorized attacker to elevate privileges over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50340
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.5
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.5
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.5
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.5
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.5
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.5
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.5
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.5
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50340 h4urek with secsys lab


Anonymous


CVE-2026-50404 - Windows Media Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50404
MITRE
NVD
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Media allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50404
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50404 Anonymous


CVE-2026-50366 - Windows Active Directory Domain Services Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50366
MITRE
NVD
CVE Title: Windows Active Directory Domain Services Denial of Service Vulnerability
Description:

Null pointer dereference in Active Directory Domain Services allows an authorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50366
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50366 WARP and ACS teams at Microsoft


CVE-2026-50416 - Win32k Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50416
MITRE
NVD
CVE Title: Win32k Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L),but lead to no loss of availability (A:N) and integrity (I:N)? What does that mean for this vulnerability?

An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability).


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50416
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 3.3
Temporal: 2.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50416 Minjea Park with Stealien


CrowdStrike Advanced Research Team with CrowdStrike


CVE-2026-50358 - Windows Media Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50358
MITRE
NVD
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description:

Use after free in Windows Media allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50358
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50358 Anonymous


CVE-2026-50355 - Windows Active Directory Federation Services Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50355
MITRE
NVD
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description:

Stack-based buffer overflow in Active Directory Federation Services allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50355
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50355 Anonymous


CVE-2026-50428 - Windows Container Isolation FS Filter Driver (unionfs.sys) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50428
MITRE
NVD
CVE Title: Windows Container Isolation FS Filter Driver (unionfs.sys) Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows Container Isolation FS Filter Driver (unionfs.sys) allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain kernel memory content.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50428
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50428 Anonymous


CVE-2026-50373 - Windows Search Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50373
MITRE
NVD
CVE Title: Windows Search Service Elevation of Privilege Vulnerability
Description:

Improper access control in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

The attacker would gain the rights of the user that is running the affected application.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50373
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50373 Yun Cong


CVE-2026-50353 - DirectX Graphics Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50353
MITRE
NVD
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50353
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50353 SnowRockLab


CVE-2026-50388 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50388
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Out-of-bounds read in Windows NTFS allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50388
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50388 Donghyeon Oh with Patchpoint


Jonghoi Kim


CVE-2026-50410 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50410
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50410
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50410 Anonymous


CVE-2026-50449 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50449
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50449
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50449 Anonymous


CVE-2026-50371 - Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50371
MITRE
NVD
CVE Title: Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows LUAFV allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50371
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50371 Nguyễn Văn Thiện


LC with VGCO - Vietnam Germany Connection


CVE-2026-50336 - Windows Media Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50336
MITRE
NVD
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Media allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50336
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50336 Anonymous


CVE-2026-50398 - Windows Media Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50398
MITRE
NVD
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Media allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50398
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50398 Anonymous


CVE-2026-50414 - Windows Media Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50414
MITRE
NVD
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Media allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50414
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50414 Anonymous


CVE-2026-50379 - Windows Media Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50379
MITRE
NVD
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Media allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50379
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50379 Anonymous


CVE-2026-50463 - Windows Kernel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50463
MITRE
NVD
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows Kernel allows an unauthorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50463
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50463 Thanatos Tian (HKPolyU) & npc0vo & @2st__ with Diffract


Seung Chan Kim


CVE-2026-50460 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50460
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an unauthorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50460
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50460 Anonymous


h4urek with secsys lab


CVE-2026-50403 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50403
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50403
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50403 Anonymous


CVE-2026-50433 - Windows Media Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50433
MITRE
NVD
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description:

Use after free in Windows Media allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50433
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50433 Angelboy (@scwuaptx) with DEVCORE


CVE-2026-50391 - Windows Group Policy Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50391
MITRE
NVD
CVE Title: Windows Group Policy Elevation of Privilege Vulnerability
Description:

Improper privilege management in Windows Group Policy allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50391
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50391 Filip Dragović


CVE-2026-50418 - Windows System Secure Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50418
MITRE
NVD
CVE Title: Windows System Secure Feature Bypass Vulnerability
Description:

Improper access control in Windows System allows an unauthorized attacker to bypass a security feature locally.


FAQ:

According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability?

An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).


What kind of security feature could be bypassed by successfully exploiting this vulnerability?

The authentication feature could be bypassed as this vulnerability allows impersonation.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50418
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.1
Temporal: 4.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.1
Temporal: 4.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.1
Temporal: 4.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.1
Temporal: 4.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 5.1
Temporal: 4.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Security Feature Bypass None Base: 5.1
Temporal: 4.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Security Feature Bypass None Base: 5.1
Temporal: 4.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Security Feature Bypass None Base: 5.1
Temporal: 4.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Security Feature Bypass None Base: 5.1
Temporal: 4.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50418 Anonymous


CVE-2026-50423 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50423
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Improper access control in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50423
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50423 Filip Dragović


CVE-2026-50378 - Windows Key Guard Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50378
MITRE
NVD
CVE Title: Windows Key Guard Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Key Guard allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50378
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50378 Leshi Yang


CVE-2026-50401 - Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50401
MITRE
NVD
CVE Title: Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain kernel memory content.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50401
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50401 RanchoIce


CVE-2026-50346 - Netlogon RPC Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50346
MITRE
NVD
CVE Title: Netlogon RPC Elevation of Privilege Vulnerability
Description:

Improper authorization in RPC Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50346
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50346 Howard McGreehan with MSRC V&M


CVE-2026-50376 - Windows Remote Desktop Client Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50376
MITRE
NVD
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

This attack requires a victim user on the client to enable Remote Audio Playback and Recording and connect to a malicious server.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50376
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50376 YingQi Shi with DBAPPSecurity WeBin Lab


CVE-2026-50397 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50397
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

For an attacker to exploit this vulnerability, they would need to have knowledge of a specific operation that triggers a memory allocation failure, specifically a use after free.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50397
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50397 hazard


CVE-2026-50405 - Windows Filtering Platform Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50405
MITRE
NVD
CVE Title: Windows Filtering Platform Elevation of Privilege Vulnerability
Description:

Insufficient granularity of access control in Windows Filtering Platform (WFP) allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50405
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50405 Prayas(Pro bear)


CVE-2026-50448 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50448
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

A user would need to mount a .vhd file to be compromised by the attacker.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50448
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50448 Donghyeon Oh with Patchpoint


Jonghoi Kim


R4nger with Kunlun Lab & Zhiniang Peng with HUST


Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST


Minjea Park


CVE-2026-50387 - Windows GDI Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50387
MITRE
NVD
CVE Title: Windows GDI Elevation of Privilege Vulnerability
Description:

Stack-based buffer overflow in Windows GDI allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50387
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Office 365 for Mac Release Notes (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office for Android Release Notes (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50387 Donghyeon Oh with Patchpoint


Jonghoi Kim


Anonymous


Kentaro Kawane with GMO Cybersecurity by Ierae, Inc.


CVE-2026-50334 - Windows Push Notification Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50334
MITRE
NVD
CVE Title: Windows Push Notification Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Notification allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50334
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50334 Yun Cong


CVE-2026-50445 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50445
MITRE
NVD
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description:

Buffer over-read in Windows RDP allows an unauthorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read portions of heap memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50445
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50445 Sanil Singh Tomar with Microsoft


CVE-2026-50344 - Windows OLE Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50344
MITRE
NVD
CVE Title: Windows OLE Elevation of Privilege Vulnerability
Description:

Improper authorization in Windows OLE allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50344
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50344 Hart Wilson with Microsoft


CVE-2026-50352 - Windows Cryptographic Services Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50352
MITRE
NVD
CVE Title: Windows Cryptographic Services Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Cryptographic Services allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could obtain limited memory-related information, specifically a heap address returned by the affected service.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50352
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50352 Microsoft


CVE-2026-50382 - DirectX Graphics Kernel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50382
MITRE
NVD
CVE Title: DirectX Graphics Kernel Remote Code Execution Vulnerability
Description:

Untrusted pointer dereference in Windows DirectX allows an authorized attacker to execute code locally.


FAQ:

How could an attacker exploit this vulnerability?

An attacker can exploit this vulnerability by getting access to the local guest VM so they can attack the Host OS.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50382
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50382 pwn2addr


CVE-2026-50436 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50436
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50436
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50436 Anonymous


CVE-2026-50437 - Windows DWM Core Library Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50437
MITRE
NVD
CVE Title: Windows DWM Core Library Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read portions of heap memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50437
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50437 Varun Goel


CVE-2026-50471 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50471
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

A user would need to mount a .vhd file to be compromised by the attacker.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50471
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 (Server Core installation) 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50471 Donghyeon Oh with Patchpoint


Jonghoi Kim


R4nger with Kunlun Lab & Zhiniang Peng with HUST


Sergey immortalp0ny Tarasov with Positive Technologies


CVE-2026-50369 - Windows Remote Desktop Services Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50369
MITRE
NVD
CVE Title: Windows Remote Desktop Services Elevation of Privilege Vulnerability
Description:

Use after free in Windows Remote Desktop Services allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


How could an attacker exploit this vulnerability?

To successfully exploit this elevation of privilege vulnerability, an attacker would be required to perform a remote connection to a vulnerable machine and then manipulate the size of memory allocation through integer overflow.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50369
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50369 Mateusz Garncarek with Digital-Missiles


Xuanzhe Yu


syxlox with Siemens Energy


CVE-2026-50469 - Windows Projected File System Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50469
MITRE
NVD
CVE Title: Windows Projected File System Elevation of Privilege Vulnerability
Description:

Improper link resolution before file access ('link following') in Windows Projected File System allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker would be able to delete any system files.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50469
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50469 Grant Hume


CVE-2026-50454 - Windows User Interface Core Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50454
MITRE
NVD
CVE Title: Windows User Interface Core Elevation of Privilege Vulnerability
Description:

Relative path traversal in Windows User Interface Core allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker would be able to delete any system files.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50454
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50454 @2st___ of Diffract


Zhiniang Peng with HUST


Thanatos Tian of Diffract


Anonymous


Daniel Friedl


CVE-2026-50365 - Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50365
MITRE
NVD
CVE Title: Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability
Description:

Improper authentication in Windows RPC API allows an unauthorized attacker to elevate privileges over an adjacent network.


FAQ:

According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?

This vulnerability's attack is limited at the protocol level to a logically adjacent topology. This means it cannot simply be done across the internet, but instead needs something specific tied to the target. Good examples would include the same shared physical network (such as Bluetooth or IEEE 802.11), logical network (local IP subnet), or from within a secure or otherwise limited administrative domain (MPLS, secure VPN to an administrative network zone). This is common to many attacks that require machine-in-the-middle (MITM) type setups or that rely on initially gaining a foothold in another environment.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

To trigger this vulnerability, a user must actively connect to the affected server and run a specific command. The vulnerability cannot be triggered automatically or in the background; it only occurs when a user intentionally interacts with the server using this command.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50365
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50365 Howard McGreehan with MSRC V&M


CVE-2026-50426 - Windows DNS Server Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50426
MITRE
NVD
CVE Title: Windows DNS Server Remote Code Execution Vulnerability
Description:

Relative path traversal in DNS Server allows an authorized attacker to execute code over an adjacent network.


FAQ:

According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability?

This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.


According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires the attacker to be part of DnsAdmins group. As is best practice, regular validation and audits of administrative groups should be conducted.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50426
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50426 pwnky


CVE-2026-50385 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50385
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker could use this vulnerability to elevate privileges from a Low Integrity Level in a contained ("sandboxed") execution environment to a Medium Integrity Level. Please refer to AppContainer isolation and Mandatory Integrity Control for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50385
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50385 Anonymous


CVE-2026-50413 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50413
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker could use this vulnerability to elevate privileges from a Low Integrity Level in a contained ("sandboxed") execution environment to a Medium Integrity Level. Please refer to AppContainer isolation and Mandatory Integrity Control for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50413
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50413 Anonymous


CVE-2026-50427 - Content Delivery Manager Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50427
MITRE
NVD
CVE Title: Content Delivery Manager Elevation of Privilege Vulnerability
Description:

Use after free in Content Delivery Manager allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could elevate from a low integrity level up to a medium integrity level.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50427
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50427 Anonymous


CVE-2026-50422 - Windows NTFS Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50422
MITRE
NVD
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description:

Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50422
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50422 Microsoft Internal with Microsoft


Anonymous


CVE-2026-50421 - Windows Connected User Experiences and Telemetry Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50421
MITRE
NVD
CVE Title: Windows Connected User Experiences and Telemetry Elevation of Privilege Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Windows Connected User Experiences and Telemetry allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50421
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50421 Zhang WangJunJie@Hillstone, He YiSheng


CVE-2026-50374 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50374
MITRE
NVD
CVE Title: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Description:

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges with a physical attack.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50374
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50374 Axel Mierczuk with Trail of Bits


Maciej Domanski with Trail of Bits


CVE-2026-50367 - Windows Sensor Data Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50367
MITRE
NVD
CVE Title: Windows Sensor Data Service Elevation of Privilege Vulnerability
Description:

Incorrect access of indexable resource ('range error') in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50367
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50367 Dongjun Lee (m0nd2y) with KAIST Hacking Lab


Anonymous


Thanatos Tian & wxz & @2st__ with Diffract


Dongjun Lee (m0nd2y) with KAIST Hacking Lab


CVE-2026-50383 - Windows Print Spooler Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50383
MITRE
NVD
CVE Title: Windows Print Spooler Information Disclosure Vulnerability
Description:

Buffer over-read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is unauthorized file system access - reading from the file system.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50383
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50383 Anonymous


CVE-2026-50451 - Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50451
MITRE
NVD
CVE Title: Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability
Description:

Missing authentication for critical function in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50451
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50451 Brandon Fisher


Brandon Fisher


CVE-2026-50455 - Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50455
MITRE
NVD
CVE Title: Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

This vulnerability could allow a local, non‑administrator attacker to read any files that are accessible to the UPnP Device Host Service, which runs under the LOCAL SERVICE account. This may include restricted system files or configuration data that the attacker would not normally be able to access. The specific information exposed depends on the files that the service is permitted to read.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50455
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50455 AI's physical interface 03


CVE-2026-50466 - Microsoft Brokering File System Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50466
MITRE
NVD
CVE Title: Microsoft Brokering File System Elevation of Privilege Vulnerability
Description:

Use after free in Windows Brokering File System allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50466
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50466 dd484a5a34dd0f6d5330345ffe642dfc


Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab


Grant Hume


CVE-2026-50402 - NTFS Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50402
MITRE
NVD
CVE Title: NTFS Elevation of Privilege Vulnerability
Description:

Incorrect conversion between numeric types in Windows NTFS allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50402
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50402 Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract


Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract


Jiayi Sun


CVE-2026-50435 - Windows Overlay Filter Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50435
MITRE
NVD
CVE Title: Windows Overlay Filter Elevation of Privilege Vulnerability
Description:

Buffer over-read in Windows Overlay Filter allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50435
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50435 Chen Le Qi (@cplearns2h4ck) with STAR Labs SG Pte. Ltd.


CVE-2026-50409 - Windows Overlay Filter Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50409
MITRE
NVD
CVE Title: Windows Overlay Filter Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Overlay Filter allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain kernel memory content.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50409
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50409 Chen Le Qi(@cplearns2h4ck) with STAR Labs SG Pte. Ltd.


CVE-2026-50441 - Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50441
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Description:

Untrusted pointer dereference in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50441
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50441 Donghyeon Oh with Patchpoint


Jonghoi Kim


Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST


CVE-2026-50465 - Windows DNS Client Tampering Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50465
MITRE
NVD
CVE Title: Windows DNS Client Tampering Vulnerability
Description:

Improper access control in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Tampering

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50465
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Tampering None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50465 Brandon Fisher


Brandon Fisher


CVE-2026-50439 - Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50439
MITRE
NVD
CVE Title: Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Message Queuing Queue Manager allows an unauthorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50439
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50439 k0shl


k0shl


CVE-2026-50462 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50462
MITRE
NVD
CVE Title: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Description:

External control of file name or path in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50462
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50462 Erik Egsgard with Field Effect


CVE-2026-50457 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50457
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could elevate from a low integrity level up to a medium integrity level.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50457
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50457 Vamshi Krishna Bolly


CVE-2026-50473 - Windows File Explorer Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50473
MITRE
NVD
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the server object address.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50473
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50473 David Zhu with Microsoft


CVE-2026-50442 - Windows File Explorer Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50442
MITRE
NVD
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the server object address.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50442
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50442 David Zhu with Microsoft


CVE-2026-50389 - Windows File Explorer Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50389
MITRE
NVD
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the server object address.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50389
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50389 David Zhu with Microsoft


CVE-2026-50456 - Windows File Explorer Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50456
MITRE
NVD
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50456
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50456 David Zhu with Microsoft


CVE-2026-50432 - Window Virtual Filtering Platform (VFP) Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50432
MITRE
NVD
CVE Title: Window Virtual Filtering Platform (VFP) Denial of Service Vulnerability
Description:

Use after free in Windows Virtual Filtering Platform (VFP) allows an authorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50432
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50432 Jun Young Lee with Microsoft


CVE-2026-50399 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50399
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50399
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50399 Arjun Vasudeva with MSRC Exploit Research Team


CVE-2026-50461 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50461
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

A user would need to mount a .vhd file to be compromised by the attacker.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50461
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50461 Anonymous


R4nger with Kunlun Lab & Zhiniang Peng with HUST


CVE-2026-50431 - Windows Quality of Service (QoS) Packet Scheduler Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50431
MITRE
NVD
CVE Title: Windows Quality of Service (QoS) Packet Scheduler Information Disclosure Vulnerability
Description:
Unknown
FAQ:

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain memory address within kernel space. Knowing the exact location of kernel memory could be potentially leveraged by an attacker for other malicious activities.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50431
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50431 hazard


CVE-2026-50453 - Windows USB Audio Class Driver Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50453
MITRE
NVD
CVE Title: Windows USB Audio Class Driver Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50453
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50453 Donghyeon Oh with Patchpoint


Jonghoi Kim


CVE-2026-50417 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50417
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50417
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50417 Anonymous


Jonghoi Kim


Donghyeon Oh with Patchpoint


Thanatos Tian & @2st__ with Diffract


yhw & txz


Anonymous


Microsoft Red Team (MRT) with Microsoft


R4nger with Kunlun Lab & Zhiniang Peng with HUST


CVE-2026-50447 - Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50447
MITRE
NVD
CVE Title: Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows Message Queuing allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by sending a specially crafted request containing a maliciously formed domain name to a vulnerable service. When the system processes this input, it may incorrectly calculate the required memory size and write beyond the allocated buffer, resulting in memory corruption that could allow further compromise of the affected system.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50447
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50447 Azure Yang with Kunlun Lab


CVE-2026-50438 - Microsoft PC Manager Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50438
MITRE
NVD
CVE Title: Microsoft PC Manager Elevation of Privilege Vulnerability
Description:

Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50438
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft PC Manager Release Notes (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50438 .bat


CVE-2026-50420 - HTTP.sys Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50420
MITRE
NVD
CVE Title: HTTP.sys Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50420
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50420 grass341 with Viettel Cyber Security


CVE-2026-50362 - Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50362
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50362
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50362 Donghyeon Oh with Patchpoint and Jonghoi Kim


Donghyeon Oh with Patchpoint and Jonghoi Kim


CVE-2026-50474 - Remote Desktop Client Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50474
MITRE
NVD
CVE Title: Remote Desktop Client Remote Code Execution Vulnerability
Description:

Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50474
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50474 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-50411 - Windows Active Directory Federation Services Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50411
MITRE
NVD
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description:

Stack-based buffer overflow in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50411
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50411 Anonymous


CVE-2026-50444 - Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50444
MITRE
NVD
CVE Title: Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability
Description:

Missing authentication for critical function in Windows Server Update Service allows an authorized attacker to elevate privileges over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50444
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50444 Hugo VINCENT with Synacktiv


CVE-2026-50394 - Windows Media Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50394
MITRE
NVD
CVE Title: Windows Media Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Media allows an authorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50394
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50394 David Zhu with Microsoft


CVE-2026-50415 - Windows Media Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50415
MITRE
NVD
CVE Title: Windows Media Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Media allows an unauthorized attacker to disclose information over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50415
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.3
Temporal: 4.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50415 David Zhu with Microsoft


CVE-2026-50458 - Microsoft Brokering File System Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50458
MITRE
NVD
CVE Title: Microsoft Brokering File System Elevation of Privilege Vulnerability
Description:

Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50458
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50458 anonymous


anonymous


CVE-2026-50475 - Windows Kernel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50475
MITRE
NVD
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description:

Buffer over-read in Windows Kernel allows an authorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50475
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50475 grass341 with Viettel Cyber Security


KPC with Cisco Talos


KPC with Cisco Talos


CVE-2026-50476 - Windows Network Connections Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50476
MITRE
NVD
CVE Title: Windows Network Connections Service Elevation of Privilege Vulnerability
Description:

Use after free in Microsoft Windows allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50476
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50476 Hwiwon Lee (hwiwonl), SEC-agent team


Jongseong Kim (nevul37), SEC-agent team


Younggi Park (grill66), SEC-agent team


CVE-2026-50429 - Windows Kernel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50429
MITRE
NVD
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows Kernel allows an unauthorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50429
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50429 Seung Chan Kim


CVE-2026-50450 - Windows Network Connections Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50450
MITRE
NVD
CVE Title: Windows Network Connections Service Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Wireless Wide Area Network Service allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50450
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50450 h4urek with secsys lab


CVE-2026-50424 - Windows Domain Controller Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50424
MITRE
NVD
CVE Title: Windows Domain Controller Denial of Service Vulnerability
Description:

Untrusted pointer dereference in Windows Domain Controller allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50424
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50424 [Yuval Gordon](https://x.com/yug0rd) with Akamai


[Yuval Gordon](https://x.com/yug0rd) with Akamai


CVE-2026-50406 - Windows Backup Engine Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50406
MITRE
NVD
CVE Title: Windows Backup Engine Elevation of Privilege Vulnerability
Description:

Use after free in Windows Backup Engine allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50406
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50406 AIフィジカルインターフェイス二号機


CVE-2026-50470 - Windows Network Policy Server SNMP Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50470
MITRE
NVD
CVE Title: Windows Network Policy Server SNMP Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows Network Policy Server SNMP allows an unauthorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read portions of process memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50470
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50470 Lewis Lee & Anemone & Zhiniang Peng (HUST)


Lewis Lee & Anemone & Zhiniang Peng (HUST)


CVE-2026-50459 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50459
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50459
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50459 Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab


CVE-2026-50477 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50477
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50477
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50477 Seung Chan Kim


CVE-2026-50478 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50478
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50478
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50478 Gabriela Kote with Microsoft


CVE-2026-50479 - Windows USB Hub Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50479
MITRE
NVD
CVE Title: Windows USB Hub Driver Elevation of Privilege Vulnerability
Description:

Untrusted pointer dereference in Windows USB Hub Driver allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50479
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50479 Adrian Denkiewicz at Doyensec in collaboration with Anthropic Research [Adrian Denkiewicz at Doyensec in collaboration with Claude and Anthropic Research](https://doyensec.com)


CVE-2026-50480 - Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50480
MITRE
NVD
CVE Title: Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Web Proxy Auto-Discovery Protocol (WPAD) allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50480
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup)
5099415 (IE Cumulative)
Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup)
5099415 (IE Cumulative)
Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099415 (IE Cumulative)
5099444 (Monthly Rollup)
Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099415 (IE Cumulative)
5099444 (Monthly Rollup)
Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50480 Rutuja Shirali with Microsoft


CVE-2026-50482 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50482
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50482
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50482 R4nger with Kunlun Lab & Zhiniang Peng with HUST


CVE-2026-50495 - DNS Client Tampering Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50495
MITRE
NVD
CVE Title: DNS Client Tampering Vulnerability
Description:

Improper access control in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Tampering

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50495
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Tampering None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50495 Sneha Ravichandran with microsoft


CVE-2026-50483 - Windows Graphics Component Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50483
MITRE
NVD
CVE Title: Windows Graphics Component Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50483
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50483 Hussein Alrubaye with Microsoft


CVE-2026-50484 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50484
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50484
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50484 Anonymous


CVE-2026-50493 - DirectX Graphics Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50493
MITRE
NVD
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Graphics Kernel allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50493
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50493 YuilMuil(Yoon Jung Hyun)


dungnm with Viettel Cyber Security


dungnm with Viettel Cyber Security


Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab


Anonymous


SnowRockLab


CVE-2026-50502 - Windows Event Logging Service Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50502
MITRE
NVD
CVE Title: Windows Event Logging Service Remote Code Execution Vulnerability
Description:

Insufficient granularity of access control in Windows Event Logging Service allows an authorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50502
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50502 Romain BENTZ with Login Sécurité


Grant Hume


CVE-2026-50485 - Windows Hyper-V Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50485
MITRE
NVD
CVE Title: Windows Hyper-V Denial of Service Vulnerability
Description:

Buffer over-read in Windows Hyper-V allows an authorized attacker to deny service over an adjacent network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50485
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 4.5
Temporal: 3.9
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50485 Anonymous


Anonymous


Jungwoo Lee with KAIST SoftSec Lab


Wongi Lee with Theori


Linzishan & Anemone & Zhiniang Peng (HUST)


sweetchip


Daejin Lee


CVE-2026-50486 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50486
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50486
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50486 Vamshi Krishna Bolly


CVE-2026-50487 - Windows DNS Client Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50487
MITRE
NVD
CVE Title: Windows DNS Client Elevation of Privilege Vulnerability
Description:

Use after free in Microsoft Windows DNS allows an unauthorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50487
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50487 Anonymous


CVE-2026-50488 - Clipboard User Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50488
MITRE
NVD
CVE Title: Clipboard User Service Elevation of Privilege Vulnerability
Description:

Improper neutralization of special elements used in a command ('command injection') in Windows Clipboard User Service allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50488
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50488 Pwnforr777


CVE-2026-50500 - Windows Netlogon Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50500
MITRE
NVD
CVE Title: Windows Netlogon Elevation of Privilege Vulnerability
Description:

Use after free in Windows Netlogon allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50500
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50500 Microsoft




CVE-2026-50499 - Windows Print Spooler Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50499
MITRE
NVD
CVE Title: Windows Print Spooler Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50499
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50499 Brandon Fisher


Brandon Fisher


CVE-2026-50489 - Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50489
MITRE
NVD
CVE Title: Win32k Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Win32K allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50489
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50489 Anonymous


Marcin Wiązowski


CVE-2026-50494 - Windows NTFS Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50494
MITRE
NVD
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50494
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50494 Sergey immortalp0ny Tarasov with Positive Technologies


Minjea Park with STEALIEN


CVE-2026-50490 - Windows Installer Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50490
MITRE
NVD
CVE Title: Windows Installer Elevation of Privilege Vulnerability
Description:

Use after free in Windows Installer allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50490
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50490 Jongseong Kim (nevul37), SEC-agent team


Hwiwon Lee (hwiwonl), SEC-agent team


Younggi Park (grill66), SEC-agent team


Dongjun Kim (smlijun), SEC-agent team


CVE-2026-50498 - Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50498
MITRE
NVD
CVE Title: Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50498
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50498 R4nger with Kunlun Lab & Zhiniang Peng with HUST


CVE-2026-50505 - Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50505
MITRE
NVD
CVE Title: Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability
Description:

Use after free in Windows Message Queuing allows an authorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50505
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50505 k0shl


k0shl


CVE-2026-50491 - Code Integrity DLL (ci.dll) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50491
MITRE
NVD
CVE Title: Code Integrity DLL (ci.dll) Elevation of Privilege Vulnerability
Description:

Out-of-bounds read in Code Integrity DLL (ci.dll) allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50491
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50491 grass341 with Viettel Cyber Security


Souhail Hammou


CVE-2026-50492 - Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50492
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an unauthorized attacker to execute code with a physical attack.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50492
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50492 pwn2addr


Donghyeon Oh with Patchpoint


Jonghoi Kim


R4nger with Kunlun Lab & Zhiniang Peng with HUST


CVE-2026-50501 - Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50501
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description:

Stack-based buffer overflow in Windows Resilient File System (ReFS) allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50501
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50501 Donghyeon Oh with Patchpoint


Jonghoi Kim


Thanatos Tian & wgg & @2st__ with Diffract


pwn2addr


Aobo Wang


CVE-2026-50503 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50503
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50503
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50503 Anonymous


CVE-2026-50497 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50497
MITRE
NVD
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description:

Off-by-one error in Windows Remote Desktop Protocol allows an unauthorized attacker to disclose information over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50497
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50497 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


CVE-2026-50496 - Windows Network Policy Server SNMP Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50496
MITRE
NVD
CVE Title: Windows Network Policy Server SNMP Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows Network Policy Server SNMP allows an unauthorized attacker to disclose information over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50496
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50496 Zishan Lin & Anemone & Zhiniang Peng (HUST)


CVE-2026-50504 - Windows Remote Desktop Client Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50504
MITRE
NVD
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description:

Buffer over-read in Remote Desktop Client allows an unauthorized attacker to disclose information over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50504
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50504 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


CVE-2026-47295 - Microsoft SQL Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-47295
MITRE
NVD
CVE Title: Microsoft SQL Server Elevation of Privilege Vulnerability
Description:

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.


FAQ:

How could an attacker exploit the vulnerability?

An attacker could inject arbitrary T-SQL commands by crafting a malicious database name.


What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain sysadmin privileges.


I am running SQL Server on my system. What action do I need to take?

Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates.

There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?

  • First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components.
  • Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install.

Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.

Update Number Title Version Apply if current product version is… This security update also includes servicing releases up through…
5101346 Security update for SQL Server 2025 CU6+GDR 17.0.4060.2 17.0.4006.2 - 17.0.4055.5 KB5093421 - Previous SQL2025 RTM CU6
5102333 Security update for SQL Server 2025 RTM+GDR 17.0.1125.2 17.0.1000.7 - 17.0.1115.1 KB5091223 - Previous SQL2025 RTM GDR
5101347 Security update for SQL Server 2022 CU25+GDR 16.0.4262.2 16.0.4003.1 - 16.0.4255.1 KB5081477 - Previous SQL2022 RTM CU25
5102334 Security update for SQL Server 2022 RTM+GDR 16.0.1190.2 16.0.1000.6 - 16.0.1180.1 KB5091158 - Previous SQL2022 RTM GDR
5102335 Security update for SQL Server 2019 CU32+GDR 15.0.4480.2 15.0.4003.23 - 15.0.4470.1 KB5090407 - Previous SQL2019 RTM CU32 GDR
5102336 Security update for SQL Server 2019 RTM+GDR 15.0.2180.2 15.0.2000.5 - 15.0.2170.1 KB 5090408 - Previous SQL2019 RTM GDR
5102337 Security update for SQL Server 2017 CU31+GDR 14.0.3540.1 14.0.3006.16 - 14.0.3530.2 KB 5090354 - Previous SQL2017 RTM CU31 GDR
5102338 Security update for SQL Server 2017 RTM+GDR 14.0.2120.1 14.0.1000.169 - 14.0.2110.2 KB 5090347 - Previous SQL2017 RTM GDR
5102339 Security update for SQL Server 2016 Azure Connect Feature Pack+GDR 13.0.7095.1 13.0.7000.253 - 13.0.7085.1 KB 5089270 - Previous SQL2016 Azure Connect Feature Pack GDR
5102340 Security update for SQL Server 2016 SP3+GDR 13.0.6500.1 13.0.6300.2 - 13.0.6490.1 KB 5089271 - Previous SQL2016 RTM GDR

What are the GDR and CU update designations and how do they differ?

The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.

  • GDR updates – cumulatively only contain security updates for the given baseline.
  • CU updates – cumulatively contain all functional fixes and security updates for the given baseline.

For any given baseline, either the GDR or CU updates could be options (see below).

  • If SQL Server installation is at a baseline version, you can choose either the GDR or CU update.
  • If SQL Server installation has intentionally only installed past GDR updates, then choose to install the GDR update package.
  • If SQL Server installation has intentionally installed previous CU updates, then choose to install the CU security update package.

Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path.

Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)?

Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-47295
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) 5102340 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack 5102339 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2017 for x64-based Systems (CU 31) 5102337 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2017 for x64-based Systems (GDR) 5102338 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2019 for x64-based Systems (CU 32) 5102335 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2019 for x64-based Systems (GDR) 5102336 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2022 for x64-based Systems (CU 25) 5101347 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2022 for x64-based Systems (GDR) 5102334 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2025 for x64-based Systems (CU6) 5101346 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2025 for x64-based Systems (GDR) 5102333 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-47295 Anonymous


Fabiano Amorim with Pythian


Anonymous


CVE-2026-50509 - Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50509
MITRE
NVD
CVE Title: Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability
Description:

Deserialization of untrusted data in Windows Wireless Wide Area Network Service allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50509
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50509 ChengBin Wang with ZheJiang Guoli Security Technology


pwnky


CVE-2026-50510 - GitHub Copilot Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50510
MITRE
NVD
CVE Title: GitHub Copilot Remote Code Execution Vulnerability
Description:

Improper restriction of names for files and other resources in Github Copilot allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50510
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
GitHub Copilot Plugin for JetBrains IDEs (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50510 Nacl


CVE-2026-50518 - Windows DHCP Server Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50518
MITRE
NVD
CVE Title: Windows DHCP Server Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows DHCP Server allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by sending specially crafted network requests containing malicious domain name data to a system running the affected component. Because the function does not correctly validate the size of incoming data, the malformed input may cause memory corruption, which an attacker could use to disrupt the service or potentially execute code on the affected system.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50518
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50518 Amit Schendel with Ventris


Lewis Lee


Owen McCullough with MSRC V&M


CVE-2026-50525 - .NET Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50525
MITRE
NVD
CVE Title: .NET Denial of Service Vulnerability
Description:

Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50525
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50525 Levi Broderick


CVE-2026-50526 - .NET Tampering Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50526
MITRE
NVD
CVE Title: .NET Tampering Vulnerability
Description:

Improper link resolution before file access ('link following') in .NET allows an authorized attacker to perform tampering locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Tampering

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50526
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Tampering None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Tampering None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Tampering None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Tampering None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Tampering None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Tampering None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Tampering None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Tampering None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Tampering None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Tampering None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Tampering None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50526 Siwei Li with Microsoft


Anonymous


CVE-2026-50527 - .NET Framework Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50527
MITRE
NVD
CVE Title: .NET Framework Denial of Service Vulnerability
Description:

Stack-based buffer overflow in .NET Framework allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50527
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation) 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 5087068 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) 5087068 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems 5087058 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems 5087058 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems 5092430 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems 5092430 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM64-based Systems 5092427 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems 5092427 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems 5087077 (Security Update)
5092431 (Security Update)
Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems 5087077 (Security Update)
5092431 (Security Update)
Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 5087059 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) 5087059 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 5087057 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) 5087057 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 5087048 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) 5087048 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 5087049 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) 5087049 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 5087062 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) 5087062 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 5087063 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) 5087063 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 5087067 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) 5087067 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 5087069 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) 5087069 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2016 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50527 Levi Broderick


CVE-2026-50528 - .NET Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50528
MITRE
NVD
CVE Title: .NET Security Feature Bypass Vulnerability
Description:

Incorrect authorization in .NET allows an unauthorized attacker to bypass a security feature over a network.


FAQ:

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

The authentication feature could be bypassed as this vulnerability allows impersonation.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50528
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Security Feature Bypass None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Security Feature Bypass None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Security Feature Bypass None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Security Feature Bypass None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Security Feature Bypass None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Security Feature Bypass None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Security Feature Bypass None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Security Feature Bypass None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Security Feature Bypass None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Security Feature Bypass None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Security Feature Bypass None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50528 Ky0toFu


Henrique Pereira with Microsoft


CVE-2026-50646 - .NET Framework Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50646
MITRE
NVD
CVE Title: .NET Framework Remote Code Execution Vulnerability
Description:

Protection mechanism failure in .NET Framework allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50646
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 8.0 installed on Windows 5104032 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems 5087537 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems 5087537 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems 5087061 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems 5087061 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems 5087061 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 5087537 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation) 5087537 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 5087061 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) 5087061 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems 5087066 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for ARM64-based Systems 5087066 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems 5087066 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems 5087064 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems 5087064 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems 5087064 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems 5087064 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems 5087064 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems 5087064 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 5087066 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) 5087066 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 5087068 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) 5087068 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems 5087053 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems 5087053 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems 5087053 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems 5087053 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems 5087053 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems 5087053 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems 5087058 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems 5087058 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems 5092430 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems 5092430 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM64-based Systems 5092427 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems 5092427 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems 5087077 (Security Update)
5092431 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems 5087077 (Security Update)
5092431 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 5087059 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) 5087059 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 5087057 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) 5087057 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 5087048 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) 5087048 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 5087049 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) 5087049 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 5087062 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) 5087062 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 5087063 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) 5087063 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems 5087065 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems 5087065 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 5087067 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) 5087067 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 5087069 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) 5087069 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2016 5087065 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) 5087065 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50646 Ky0toFu


41ae55e9310ff27fa6f26af4727e5590


Kevin Gosse


CVE-2026-50647 - Active Directory Federation Server Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50647
MITRE
NVD
CVE Title: Active Directory Federation Server Denial of Service Vulnerability
Description:

Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.


FAQ:

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of availability (A:H). What does that mean for this vulnerability?

An attacker can send specially crafted packets which could affect availability of the service and result in Denial of Service (DoS).


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50647
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50647 Anonymous


CVE-2026-50648 - .NET Framework Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50648
MITRE
NVD
CVE Title: .NET Framework Denial of Service Vulnerability
Description:

Allocation of resources without limits or throttling in .NET Framework allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50648
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation) 5087537 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) 5087061 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for ARM64-based Systems 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems 5087064 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) 5087066 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 5087068 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) 5087068 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems 5087053 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems 5087058 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems 5087058 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems 5092430 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems 5092430 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM64-based Systems 5092427 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems 5092427 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems 5087077 (Security Update)
5092431 (Security Update)
Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems 5087077 (Security Update)
5092431 (Security Update)
Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 5087059 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) 5087059 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 5087057 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) 5087057 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 5087048 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) 5087048 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 5087049 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) 5087049 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 5087062 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) 5087062 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 5087063 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) 5087063 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 5087067 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) 5087067 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 5087069 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) 5087069 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2016 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) 5087065 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50648 41ae55e9310ff27fa6f26af4727e5590


CVE-2026-50649 - .NET Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50649
MITRE
NVD
CVE Title: .NET Remote Code Execution Vulnerability
Description:

Deserialization of untrusted data in .NET allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50649
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 8.0 installed on Windows 5104032 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50649 Kevin Gosse


41ae55e9310ff27fa6f26af4727e5590


CVE-2026-50650 - .NET Framework Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50650
MITRE
NVD
CVE Title: .NET Framework Elevation of Privilege Vulnerability
Description:

Improper control of generation of code ('code injection') in .NET Framework allows an unauthorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50650
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 8.0 installed on Windows 5104032 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems 5087537 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems 5087537 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems 5087061 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems 5087061 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 5087537 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation) 5087537 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 5087061 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) 5087061 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems 5087066 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems 5087066 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems 5087064 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems 5087064 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems 5087064 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems 5087064 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems 5087064 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems 5087064 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 5087066 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) 5087066 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 5087068 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) 5087068 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems 5087053 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems 5087053 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems 5087053 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems 5087053 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems 5087053 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems 5087053 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems 5087058 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems 5087058 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems 5092430 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems 5092430 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM64-based Systems 5092427 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems 5092427 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems 5087077 (Security Update)
5092431 (Security Update)
Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems 5087077 (Security Update)
5092431 (Security Update)
Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 5087059 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) 5087059 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 5087057 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) 5087057 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 5087048 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) 5087048 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 5087049 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) 5087049 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 5087062 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) 5087062 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 5087063 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) 5087063 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems 5087065 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems 5087065 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 5087067 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) 5087067 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 5087069 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) 5087069 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2016 5087065 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) 5087065 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Elevation of Privilege None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Elevation of Privilege None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Elevation of Privilege None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50650 41ae55e9310ff27fa6f26af4727e5590


CVE-2026-50651 - .NET Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50651
MITRE
NVD
CVE Title: .NET Denial of Service Vulnerability
Description:

Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50651
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50651 Miha Zupan with Microsoft


CVE-2026-50655 - Microsoft Windows Media Foundation Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50655
MITRE
NVD
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50655
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50655 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


CVE-2026-50657 - Microsoft Defender for Endpoint for Mac Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50657
MITRE
NVD
CVE Title: Microsoft Defender for Endpoint for Mac Information Disclosure Vulnerability
Description:

Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50657
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Defender for Endpoint for Mac Release Notes (Security Update) Important Information Disclosure None Base: 4.7
Temporal: 4.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50657 Eugene Lim


CVE-2026-50658 - Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50658
MITRE
NVD
CVE Title: Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability
Description:

Time-of-check time-of-use (toctou) race condition in Microsoft Defender allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50658
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Defender for Endpoint for Mac Release Notes (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50658 Eugene Lim


CVE-2026-50659 - .NET Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50659
MITRE
NVD
CVE Title: .NET Spoofing Vulnerability
Description:

Improper encoding or escaping of output in .NET allows an authorized attacker to perform spoofing over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50659
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Spoofing None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Spoofing None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50659 hamayanhamayan


CVE-2026-50661 - Windows BitLocker Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50661
MITRE
NVD
CVE Title: Windows BitLocker Security Feature Bypass Vulnerability
Description:

Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.


FAQ:

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable Yes No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50661
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50661 Anonymous


CVE-2026-50666 - Windows Remote Access Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50666
MITRE
NVD
CVE Title: Windows Remote Access Elevation of Privilege Vulnerability
Description:

Use after free in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50666
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50666 h4urek with secsys lab


CVE-2026-50667 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50667
MITRE
NVD
CVE Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows NTFS allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50667
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50667 Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab


CVE-2026-50668 - Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50668
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to elevate privileges with a physical attack.


FAQ:

According to the CVSS metric, the attack vector is physical (AV:P). What does that mean for this vulnerability?

An attacker with physical access to a vulnerable system could insert a specially crafted USB device.

Are there additional attack vectors?

This vulnerability could also be exploited through a local attack vector. An attacker authenticated as an administrator on a vulnerable system could mount a specially crafted virtual hard drive (VHD) to exploit the system. This scenario results in a lower CVSS score which is why the primary attack vector is listed as Physical in our documentation.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50668
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50668 Thanatos Tian & wgg & @2st__ with Diffract


Donghyeon Oh with Patchpoint


Jonghoi Kim


R4nger with Kunlun Lab & Zhiniang Peng with HUST


CVE-2026-50669 - Windows Telephony Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50669
MITRE
NVD
CVE Title: Windows Telephony Server Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Telephony Service allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50669
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50669 z1r0


CVE-2026-50670 - Windows Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50670
MITRE
NVD
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description:

Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50670
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50670 grass341 with Viettel Cyber Security


CVE-2026-50672 - Windows NTFS Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50672
MITRE
NVD
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description:

Use after free in Windows NTFS allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition and also to take additional actions prior to exploitation to prepare the target environment.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50672
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50672 Anonymous


CVE-2026-50673 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50673
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Null pointer dereference in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50673
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50673 5n1p3r0010


CVE-2026-50674 - Windows USB Print Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50674
MITRE
NVD
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description:

Use after free in Windows USB Print Driver allows an authorized attacker to elevate privileges locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain kernel memory content.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50674
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50674 AIフィジカルインターフェイス二号機


CVE-2026-50676 - Windows Media Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50676
MITRE
NVD
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Media allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50676
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50676 Anonymous


CVE-2026-50677 - Windows Media Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50677
MITRE
NVD
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description:

Use after free in Windows Media allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50677
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50677 Anonymous


CVE-2026-54115 - Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54115
MITRE
NVD
CVE Title: Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability
Description:

Integer overflow or wraparound in Windows Active Directory allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

The attacker would gain the rights of the user that is running the affected application.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54115
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54115 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-50684 - Active Directory Federation Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50684
MITRE
NVD
CVE Title: Active Directory Federation Server Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Active Directory Federation Services (AD FS) allows an authorized attacker to perform spoofing over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50684
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Spoofing None Base: 4.8
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50684 Anonymous


CVE-2026-50679 - Windows Search Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50679
MITRE
NVD
CVE Title: Windows Search Service Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker could use this vulnerability to elevate privileges from Medium Integrity Level to a High Integrity Level.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50679
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50679 Anonymous


haowei yan


h4urek with secsys lab


CVE-2026-50688 - Windows Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50688
MITRE
NVD
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50688
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50688 Kentaro Kawane with GMO Cybersecurity by Ierae, Inc.


CVE-2026-50680 - Windows Hyper-V Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50680
MITRE
NVD
CVE Title: Windows Hyper-V Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Hyper-V allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50680
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Elevation of Privilege None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50680 Artur Stetsko


CVE-2026-50681 - Windows Secure Channel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50681
MITRE
NVD
CVE Title: Windows Secure Channel Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Cryptographic Services allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is internal memory pointers. These leaked addresses could help an attacker bypass security protection and facilitate further exploitation.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50681
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50681 Microsoft


CVE-2026-54121 - Active Directory Certificate Services Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54121
MITRE
NVD
CVE Title: Active Directory Certificate Services Elevation of Privilege Vulnerability
Description:

Improper authorization in Active Directory Certificate Services (AD CS) allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain administrator privileges.


How could an attacker exploit this vulnerability?

An authenticated attacker could manipulate attributes associated with a machine account and obtain a certificate from Active Directory Certificate Services that allows authentication as that machine via PKINIT. If a Domain Controller account can be targeted, the attacker could authenticate as the Domain Controller and gain the ability to perform privileged Active Directory operations.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54121
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54121 Aniq Fakhrul Muhammad Ali


Aniq Fakhrul


Aniq Fakhrul Muhammad Ali


CVE-2026-50682 - Active Directory Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50682
MITRE
NVD
CVE Title: Active Directory Denial of Service Vulnerability
Description:

Out-of-bounds read in Windows Active Directory allows an authorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50682
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50682 WARP and ACS teams at Microsoft


CVE-2026-50685 - Windows DHCP Server Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50685
MITRE
NVD
CVE Title: Windows DHCP Server Remote Code Execution Vulnerability
Description:

Double free in Windows DHCP Server allows an authorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50685
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50685 WARP and ACS teams at Microsoft


CVE-2026-50683 - Windows DHCP Client Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50683
MITRE
NVD
CVE Title: Windows DHCP Client Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows DHCP Server allows an authorized attacker to elevate privileges over an adjacent network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50683
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.0
Temporal: 7.0
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50683 WARP and ACS teams at Microsoft


CVE-2026-50687 - Windows Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50687
MITRE
NVD
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50687
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50687 Anonymous


CVE-2026-50686 - Windows OLE Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50686
MITRE
NVD
CVE Title: Windows OLE Remote Code Execution Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Windows OLE allows an unauthorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50686
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50686 Hamza Nauman with Microsoft


CVE-2026-50689 - Windows Clipboard Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50689
MITRE
NVD
CVE Title: Windows Clipboard Server Elevation of Privilege Vulnerability
Description:

Use after free in Windows Clipboard Server allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50689
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50689 Hamza Nauman with Microsoft


CVE-2026-54125 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54125
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54125
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54125 Arpit Gupta


CVE-2026-50690 - Windows SMB Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50690
MITRE
NVD
CVE Title: Windows SMB Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is unauthorized file system access - reading from the file system.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50690
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50690 Anonymous


CVE-2026-50692 - Desktop Window Manager Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50692
MITRE
NVD
CVE Title: Desktop Window Manager Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Desktop Window Manager allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50692
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50692 Anonymous


Seung Chan Kim


CVE-2026-54128 - Windows DHCP Client Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54128
MITRE
NVD
CVE Title: Windows DHCP Client Remote Code Execution Vulnerability
Description:

Use after free in Windows DHCP Client allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54128
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54128 Owen McCullough with MSRC V&M


CVE-2026-54126 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54126
MITRE
NVD
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.


FAQ:

According to the CVSS metric, user interaction is required (UI:R) and privileges required are none (PR:N). What does that mean for this vulnerability?

An unauthorized attacker must wait for a user to initiate a connection.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54126
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54126 Anonymous


CVE-2026-55010 - Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55010
MITRE
NVD
CVE Title: Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Minecraft Bedrock Dedicated Server allows an unauthorized attacker to execute code over a network.


FAQ:

Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55010
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Minecraft Bedrock Dedicated Server Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55010 Ming-Shiang Tzou (ConsoleBreak)


CVE-2026-47290 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-47290
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-47290
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002273 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002273 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-47290 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-47642 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-47642
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-47642
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-47642 Haifei Li with EXPMON


CVE-2026-48580 - Microsoft Excel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-48580
MITRE
NVD
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description:

Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-48580
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-48580 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-50301 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50301
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50301
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50301 Jeongmin Choi(https://x.com/lmksecurity)


CVE-2026-50314 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50314
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50314
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50314 Anonymous


CVE-2026-50467 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50467
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50467
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50467 Anonymous


CVE-2026-55017 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55017
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55017
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002273 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002273 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55017 Quan Jin with DBAPPSecurity WeBin Lab


CVE-2026-55016 - Microsoft SharePoint Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55016
MITRE
NVD
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?

An authorized attacker must send the user a malicious link and convince the user to open it.


I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability?

An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55016
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55016 41ae55e9310ff27fa6f26af4727e5590


CVE-2026-55024 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55024
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55024
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55024 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-50408 - Microsoft Excel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50408
MITRE
NVD
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50408
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50408 f4 & Zhiniang Peng with HUST


0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55019 - Microsoft SharePoint Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55019
MITRE
NVD
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability?

An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).


I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?

An authorized attacker must send the user a malicious link and convince the user to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55019
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55019 41ae55e9310ff27fa6f26af4727e5590


P1hcn


CVE-2026-55018 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55018
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55018
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55018 Anonymous


CVE-2026-55046 - Microsoft Excel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55046
MITRE
NVD
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the local memory address.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55046
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55046 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55020 - Microsoft SharePoint Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55020
MITRE
NVD
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.


FAQ:

I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?

An authorized attacker must send the user a malicious link and convince the user to open it.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability?

An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55020
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55020 Kn1ght


Kn1ght


CVE-2026-55021 - Microsoft SharePoint Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55021
MITRE
NVD
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?

An authorized attacker must send the user a malicious link and convince the user to open it.


I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55021
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Spoofing None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Spoofing None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Spoofing None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55021 P1hcn


CVE-2026-55022 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55022
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55022
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55022 Anonymous


CVE-2026-55023 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55023
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the local memory address.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55023
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55023 Haein Lee


HangAn


CVE-2026-55025 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55025
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55025
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55025 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55030 - Microsoft SharePoint Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55030
MITRE
NVD
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?

An authorized attacker must send the user a malicious link and convince the user to open it.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability?

An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).


I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55030
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55030 P1hcn


CVE-2026-55125 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55125
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55125
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55125 Haein Lee


0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55031 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55031
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55031
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55031 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55026 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55026
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Integer overflow or wraparound in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55026
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55026 Haein Lee


CVE-2026-55048 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55048
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Integer overflow or wraparound in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55048
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55048 Anonymous


0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55034 - Microsoft SharePoint Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55034
MITRE
NVD
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?

An authorized attacker must send the user a malicious link and convince the user to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55034
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Spoofing None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Spoofing None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Spoofing None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55034 P1hcn


CVE-2026-55027 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55027
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55027
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55027 Haein Lee


Jeongmin Choi


CVE-2026-55029 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55029
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55029
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55029 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55028 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55028
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55028
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55028 Haein Lee


0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55047 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55047
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55047
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55047 Haein Lee


CVE-2026-55039 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55039
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55039
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55039 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55045 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55045
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55045
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Critical Remote Code Execution None Base: 8.4
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55045 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55050 - Microsoft Word Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55050
MITRE
NVD
CVE Title: Microsoft Word Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55050
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55050 0ccbbf129444eb66344ccafb92b00df4


Jeongmin Choi with S2W


Haein Lee with KAIST Hacking Lab


CVE-2026-55049 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55049
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55049
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002748 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002748 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55049 0ccbbf129444eb66344ccafb92b00df4


Jeongmin Choi with S2W


haowei yan & xiaozun tang


CVE-2026-55032 - Microsoft Word Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55032
MITRE
NVD
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.


FAQ:

There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55032
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55032 Haifei Li with EXPMON


CVE-2026-55033 - Microsoft Word Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55033
MITRE
NVD
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description:

Integer overflow or wraparound in Microsoft Office Word allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55033
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55033 kunlun Lab & GLM


Seung Chan Kim


Haein Lee with KAIST Hacking Lab


Anonymous


kunlun Lab & GLM


CVE-2026-55041 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55041
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55041
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55041 Haein Lee with KAIST Hacking Lab


yhw & txz


Jeongmin Choi


CVE-2026-55138 - Microsoft Excel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55138
MITRE
NVD
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description:

Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55138
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55138 f4 & Zhiniang Peng with HUST


CVE-2026-55124 - Microsoft Word Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55124
MITRE
NVD
CVE Title: Microsoft Word Information Disclosure Vulnerability
Description:

Improper validation of specified type of input in Microsoft Office Word allows an unauthorized attacker to disclose information locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55124
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55124 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55127 - Microsoft Word Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55127
MITRE
NVD
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55127
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55127 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55136 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55136
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55136
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55136 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55141 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55141
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Stack-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55141
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55141 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55129 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55129
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55129
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55129 Haein Lee with KAIST Hacking Lab


txz and yhw


CVE-2026-55035 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55035
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55035
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55035 Jeongmin Choi


CVE-2026-55036 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55036
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55036
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55036 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55044 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55044
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55044
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55044 Haein Lee with KAIST Hacking Lab


CVE-2026-55055 - Microsoft Word Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55055
MITRE
NVD
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description:

Stack-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55055
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55055 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55054 - Microsoft Excel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55054
MITRE
NVD
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55054
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55054 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55037 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55037
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55037
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55037 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55058 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55058
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55058
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55058 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55038 - Microsoft Word Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55038
MITRE
NVD
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description:

Stack-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55038
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55038 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55132 - Microsoft Word Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55132
MITRE
NVD
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description:

Double free in Microsoft Office Word allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55132
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55132 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55137 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55137
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55137
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55137 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55053 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55053
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55053
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55053 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55122 - Microsoft Excel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55122
MITRE
NVD
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55122
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55122 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55057 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55057
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Integer overflow or wraparound in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55057
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55057 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55131 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55131
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55131
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55131 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55126 - Microsoft SharePoint Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55126
MITRE
NVD
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?

An authorized attacker must send the user a malicious link and convince the user to open it.


I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55126
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Spoofing None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Spoofing None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Spoofing None Base: 7.3
Temporal: 6.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55126 Vladislav Berghici of TrendAI Research


CVE-2026-55051 - Microsoft SharePoint Server Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55051
MITRE
NVD
CVE Title: Microsoft SharePoint Server Information Disclosure Vulnerability
Description:

Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55051
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55051 P1hcn


CVE-2026-55134 - Microsoft Word Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55134
MITRE
NVD
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description:

Stack-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55134
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55134 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55056 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55056
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55056
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55056 Haein Lee with KAIST Hacking Lab


Jeongmin Choi


CVE-2026-55040 - Microsoft SharePoint Server Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55040
MITRE
NVD
CVE Title: Microsoft SharePoint Server Security Feature Bypass Vulnerability
Description:

Weak authentication in Microsoft Office SharePoint allows an unauthorized attacker to bypass a security feature over a network.


FAQ:

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

The authentication feature could be bypassed as this vulnerability allows impersonation.


I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and integrity (I:H), but could lead to no loss of availability (A:N). What does that mean for this vulnerability?

Exploiting this vulnerability could allow an attacker to disclose files and modify data, but the attacker cannot impact the availability of the system.


How could an attacker exploit this vulnerability?

In a network-based attack, an unauthenticated attacker could bypass authentication and make an anonymous connection.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55040
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Critical Security Feature Bypass None Base: 9.1
Temporal: 7.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Critical Security Feature Bypass None Base: 9.1
Temporal: 7.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Critical Security Feature Bypass None Base: 9.1
Temporal: 7.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55040 Chumy Tsai with CyCraft Technology


khoadha


Stephen Fewer with Rapid7


CVE-2026-55142 - Microsoft Word Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55142
MITRE
NVD
CVE Title: Microsoft Word Information Disclosure Vulnerability
Description:

Numeric truncation error in Microsoft Office Word allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read portions of heap memory.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55142
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55142 Haein Lee with KAIST Hacking Lab


CVE-2026-55140 - Microsoft Office Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55140
MITRE
NVD
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55140
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002748 (Security Update)
5002830 (Security Update)
Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002748 (Security Update)
5002830 (Security Update)
Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55140 kunlun Lab & GLM


yhw & txz


kunlun Lab & GLM


CVE-2026-55128 - Microsoft Word Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55128
MITRE
NVD
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55128
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55128 Anonymous


CVE-2026-55130 - Microsoft Word Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55130
MITRE
NVD
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55130
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (32-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Word 2016 (64-bit edition) 5002890 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55130 Haein Lee with KAIST Hacking Lab


CVE-2026-55042 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55042
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55042
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55042 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55139 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55139
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55139
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55139 oriotie


CVE-2026-55043 - Microsoft PowerPoint Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55043
MITRE
NVD
CVE Title: Microsoft PowerPoint Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55043
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft PowerPoint 2016 (32-bit edition) 5002867 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft PowerPoint 2016 (64-bit edition) 5002867 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55043 0ccbbf129444eb66344ccafb92b00df4


Haein Lee with KAIST Hacking Lab


CVE-2026-55133 - Microsoft OneNote Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55133
MITRE
NVD
CVE Title: Microsoft OneNote Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office OneNote allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55133
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55133 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55123 - Microsoft PowerPoint Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55123
MITRE
NVD
CVE Title: Microsoft PowerPoint Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55123
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft PowerPoint 2016 (32-bit edition) 5002867 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft PowerPoint 2016 (64-bit edition) 5002867 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55123 yhw & txz


0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55120 - Microsoft PowerPoint Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55120
MITRE
NVD
CVE Title: Microsoft PowerPoint Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55120
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft PowerPoint 2016 (32-bit edition) 5002867 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft PowerPoint 2016 (64-bit edition) 5002867 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55120 None

CVE-2026-55052 - Microsoft SharePoint Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55052
MITRE
NVD
CVE Title: Microsoft SharePoint Elevation of Privilege Vulnerability
Description:

Missing authorization in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.


FAQ:

I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


What privileges could be gained by an attacker who successfully exploited the vulnerability?

The attacker would gain the rights of the user that is running the affected application.


According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability?

The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55052
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55052 odgrso


CVE-2026-55135 - Microsoft SharePoint Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55135
MITRE
NVD
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?

An authorized attacker must send the user a malicious link and convince the user to open it.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability?

An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).


I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55135
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Spoofing None Base: 4.6
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55135

CVE-2026-50468 - Microsoft SQL Server Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50468
MITRE
NVD
CVE Title: Microsoft SQL Server Information Disclosure Vulnerability
Description:

Buffer over-read in SQL Server allows an authorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


I am running SQL Server on my system. What action do I need to take?

Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates.

There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?

  • First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components.
  • Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install.

Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.

Update Number Title Version Apply if current product version is… This security update also includes servicing releases up through…
5101346 Security update for SQL Server 2025 CU6+GDR 17.0.4060.2 17.0.4006.2 - 17.0.4055.5 KB5093421 - Previous SQL2025 RTM CU6
5102333 Security update for SQL Server 2025 RTM+GDR 17.0.1125.2 17.0.1000.7 - 17.0.1115.1 KB5091223 - Previous SQL2025 RTM GDR
5101347 Security update for SQL Server 2022 CU25+GDR 16.0.4262.2 16.0.4003.1 - 16.0.4255.1 KB5081477 - Previous SQL2022 RTM CU25
5102334 Security update for SQL Server 2022 RTM+GDR 16.0.1190.2 16.0.1000.6 - 16.0.1180.1 KB5091158 - Previous SQL2022 RTM GDR
5102335 Security update for SQL Server 2019 CU32+GDR 15.0.4480.2 15.0.4003.23 - 15.0.4470.1 KB5090407 - Previous SQL2019 RTM CU32 GDR
5102336 Security update for SQL Server 2019 RTM+GDR 15.0.2180.2 15.0.2000.5 - 15.0.2170.1 KB 5090408 - Previous SQL2019 RTM GDR
5102337 Security update for SQL Server 2017 CU31+GDR 14.0.3540.1 14.0.3006.16 - 14.0.3530.2 KB 5090354 - Previous SQL2017 RTM CU31 GDR
5102338 Security update for SQL Server 2017 RTM+GDR 14.0.2120.1 14.0.1000.169 - 14.0.2110.2 KB 5090347 - Previous SQL2017 RTM GDR
5102339 Security update for SQL Server 2016 Azure Connect Feature Pack+GDR 13.0.7095.1 13.0.7000.253 - 13.0.7085.1 KB 5089270 - Previous SQL2016 Azure Connect Feature Pack GDR
5102340 Security update for SQL Server 2016 SP3+GDR 13.0.6500.1 13.0.6300.2 - 13.0.6490.1 KB 5089271 - Previous SQL2016 RTM GDR

What are the GDR and CU update designations and how do they differ?

The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.

  • GDR updates – cumulatively only contain security updates for the given baseline.
  • CU updates – cumulatively contain all functional fixes and security updates for the given baseline.

For any given baseline, either the GDR or CU updates could be options (see below).

  • If SQL Server installation is at a baseline version, you can choose either the GDR or CU update.
  • If SQL Server installation has intentionally only installed past GDR updates, then choose to install the GDR update package.
  • If SQL Server installation has intentionally installed previous CU updates, then choose to install the CU security update package.

Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path.

Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)?

Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50468
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SQL Server 2025 for x64-based Systems (CU6) 5101346 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2025 for x64-based Systems (GDR) 5102333 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50468 Pwnforr777


CVE-2026-54116 - Microsoft SQL Server Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54116
MITRE
NVD
CVE Title: Microsoft SQL Server Information Disclosure Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in SQL Server allows an authorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is internal memory pointers. These leaked addresses could help an attacker bypass security protection and facilitate further exploitation.


I am running SQL Server on my system. What action do I need to take?

Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates.

There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?

  • First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components.
  • Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install.

Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.

Update Number Title Version Apply if current product version is… This security update also includes servicing releases up through…
5101346 Security update for SQL Server 2025 CU6+GDR 17.0.4060.2 17.0.4006.2 - 17.0.4055.5 KB5093421 - Previous SQL2025 RTM CU6
5102333 Security update for SQL Server 2025 RTM+GDR 17.0.1125.2 17.0.1000.7 - 17.0.1115.1 KB5091223 - Previous SQL2025 RTM GDR
5101347 Security update for SQL Server 2022 CU25+GDR 16.0.4262.2 16.0.4003.1 - 16.0.4255.1 KB5081477 - Previous SQL2022 RTM CU25
5102334 Security update for SQL Server 2022 RTM+GDR 16.0.1190.2 16.0.1000.6 - 16.0.1180.1 KB5091158 - Previous SQL2022 RTM GDR
5102335 Security update for SQL Server 2019 CU32+GDR 15.0.4480.2 15.0.4003.23 - 15.0.4470.1 KB5090407 - Previous SQL2019 RTM CU32 GDR
5102336 Security update for SQL Server 2019 RTM+GDR 15.0.2180.2 15.0.2000.5 - 15.0.2170.1 KB 5090408 - Previous SQL2019 RTM GDR
5102337 Security update for SQL Server 2017 CU31+GDR 14.0.3540.1 14.0.3006.16 - 14.0.3530.2 KB 5090354 - Previous SQL2017 RTM CU31 GDR
5102338 Security update for SQL Server 2017 RTM+GDR 14.0.2120.1 14.0.1000.169 - 14.0.2110.2 KB 5090347 - Previous SQL2017 RTM GDR
5102339 Security update for SQL Server 2016 Azure Connect Feature Pack+GDR 13.0.7095.1 13.0.7000.253 - 13.0.7085.1 KB 5089270 - Previous SQL2016 Azure Connect Feature Pack GDR
5102340 Security update for SQL Server 2016 SP3+GDR 13.0.6500.1 13.0.6300.2 - 13.0.6490.1 KB 5089271 - Previous SQL2016 RTM GDR

What are the GDR and CU update designations and how do they differ?

The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.

  • GDR updates – cumulatively only contain security updates for the given baseline.
  • CU updates – cumulatively contain all functional fixes and security updates for the given baseline.

For any given baseline, either the GDR or CU updates could be options (see below).

  • If SQL Server installation is at a baseline version, you can choose either the GDR or CU update.
  • If SQL Server installation has intentionally only installed past GDR updates, then choose to install the GDR update package.
  • If SQL Server installation has intentionally installed previous CU updates, then choose to install the CU security update package.

Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path.

Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)?

Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54116
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SQL Server 2025 for x64-based Systems (CU6) 5101346 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SQL Server 2025 for x64-based Systems (GDR) 5102333 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54116 Pwnforr777


CVE-2026-55145 - Outlook Copilot Tampering Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55145
MITRE
NVD
CVE Title: Outlook Copilot Tampering Vulnerability
Description:

Improper neutralization of special elements used in a command ('command injection') in Outlook Copilot allows an authorized attacker to perform tampering over a network.


FAQ:

How do I protect myself from this vulnerability?

Customers can help protect themselves by enabling Outlook's external sender tagging feature to identify untrusted content. This enables Microsoft's provided mitigations to isolate and safely process the untrusted content before it is provided to Microsoft 365 Copilot. Administrators can enable external sender tagging through Exchange Online PowerShell. Refer to the Microsoft Learn documentation for setup instructions and requirements.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Moderate Tampering

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55145
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Copilot Moderate Tampering None Base: 6.3
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55145 Håkon Måløy


CVE-2026-54131 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54131
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54131
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54131 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55898 - Microsoft Excel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55898
MITRE
NVD
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55898
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55898 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55944 - Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55944
MITRE
NVD
CVE Title: Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability
Description:

Deserialization of untrusted data in Microsoft Dynamics NAV allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by sending a specially crafted login request to an affected Dynamics NAV or Business Central server. Successful exploitation could allow the attacker to execute arbitrary code on the target system. Authentication and user interaction are not required.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55944
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Dynamics NAV 2018 Release Notes (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55944 John Nzyuko


CVE-2026-55947 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55947
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55947
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55947 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-55949 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55949
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Use of uninitialized resource in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55949
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2016 (32-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002886 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Office Online Server 5002884 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55949 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-56156 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56156
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.


FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution,
Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56156
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56156 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-56157 - Microsoft SharePoint Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56157
MITRE
NVD
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description:

Improper access control in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.


FAQ:

I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability?

An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56157
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Spoofing None Base: 5.4
Temporal: 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Spoofing None Base: 5.4
Temporal: 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Spoofing None Base: 5.4
Temporal: 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56157 Henrique Pereira with Microsoft


CVE-2026-41109 - GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-41109
MITRE
NVD
CVE Title: GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
Description:

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of this vulnerability requires that an attacker convinces a user to open a maliciously crafted package file in Visual Studio.


How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by embedding malicious instructions in user input or external content that is processed, causing it to bypass guardrails, treat those instructions as trusted, and execute unintended actions such as retrieving sensitive data.


What kind of security feature could be bypassed by successfully exploiting this vulnerability?

Successful exploitation could bypass the path validation safeguards that check which files may be changed and require user approval for sensitive locations, allowing changes to protected files without the user’s knowledge or consent.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-41109
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Visual Studio Code Release Notes (Security Update) Important Security Feature Bypass None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-41109 Alexander Tan


CVE-2026-56159 - DHCP Server Service Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56159
MITRE
NVD
CVE Title: DHCP Server Service Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows DHCP Server allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An unauthenticated attacker could exploit this vulnerability by sending specially crafted packet to a Dynamic Host Configuration Protocol (DHCP) Server configured to provide data for Option 43.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56159
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56159

Lewis Lee


CVE-2026-50359 - Microsoft XML Core Services Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50359
MITRE
NVD
CVE Title: Microsoft XML Core Services Elevation of Privilege Vulnerability
Description:

Use after free in Microsoft XML Core Services allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50359
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50359 Anonymous


CVE-2026-56168 - Windows SMB Server Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56168
MITRE
NVD
CVE Title: Windows SMB Server Denial of Service Vulnerability
Description:

Null pointer dereference in Windows SMB Server allows an authorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56168
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56168 Mateusz Garncarek with Digital-Missiles


Mateusz Garncarek with Digital-Missiles


CVE-2026-56173 - Windows WebView Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56173
MITRE
NVD
CVE Title: Windows WebView Elevation of Privilege Vulnerability
Description:

Use after free in Windows WebView allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56173
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 (Server Core installation) 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56173 Anonymous


CVE-2026-56176 - Windows Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56176
MITRE
NVD
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description:

Out-of-bounds read in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56176
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56176 lubinradar


CVE-2026-56175 - Windows NTFS Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56175
MITRE
NVD
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56175
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56175 R4nger with Kunlun Lab & Zhiniang Peng with HUST


CVE-2026-56182 - Windows NTFS Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56182
MITRE
NVD
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description:

Integer overflow or wraparound in Windows NTFS allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56182
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56182 Thanatos Tian (HKPolyU) & npc0vo & @2st__ with Diffract


R4nger with Kunlun Lab & Zhiniang Peng with HUST


Anonymous


CVE-2026-56183 - Windows MIDI Service Module Elevation of Privileges Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56183
MITRE
NVD
CVE Title: Windows MIDI Service Module Elevation of Privileges Vulnerability
Description:

Use after free in Windows MIDI Service Module allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56183
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56183 Anonymous


CVE-2026-56190 - Remote Desktop Protocol Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56190
MITRE
NVD
CVE Title: Remote Desktop Protocol Remote Code Execution Vulnerability
Description:

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by sending specially crafted Remote Desktop Protocol (RDP) traffic to a system where Network Level Authentication (NLA) is disabled. The malicious data can interact with improperly initialized memory in the affected component, leading to memory corruption that the attacker may leverage to control how memory is written. This type of issue can allow an attacker to write data to unintended locations in memory, potentially enabling further compromise of the affected system.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56190
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56190 CrowdStrike with CrowdStrike


CVE-2026-56184 - Win32k Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56184
MITRE
NVD
CVE Title: Win32k Information Disclosure Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain memory address within kernel space. Knowing the exact location of kernel memory could be potentially leveraged by an attacker for other malicious activities.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56184
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56184 Seung Chan Kim


CVE-2026-56187 - Windows MIDI Service Module Elevation of Privileges Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56187
MITRE
NVD
CVE Title: Windows MIDI Service Module Elevation of Privileges Vulnerability
Description:

Use after free in Windows MIDI Service Module allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56187
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56187 Anonymous


CVE-2026-56186 - Windows Secure Channel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56186
MITRE
NVD
CVE Title: Windows Secure Channel Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows Schannel allows an authorized attacker to disclose information over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56186
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56186 Microsoft


CVE-2026-56188 - Windows Server Network driver Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56188
MITRE
NVD
CVE Title: Windows Server Network driver Remote Code Execution Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Server Network driver allows an unauthorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by sending specially crafted malicious traffic to a vulnerable server.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56188
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56188 Aaron Esau with V12


Aaron Esau with V12


CVE-2026-56189 - Microsoft Windows Media Foundation Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56189
MITRE
NVD
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56189
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56189 vipin kumar


CVE-2026-50665 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50665
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50665
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50665 Jeongmin Choi


Jeongmin Choi


CVE-2026-56192 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56192
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56192
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56192 Jeongmin Choi


SeaDragnoL with Qrious Secure


grass


CVE-2026-56195 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56195
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56195
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56195 0ccbbf129444eb66344ccafb92b00df4


CVE-2026-56196 - Windows Admin Center (WAC) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56196
MITRE
NVD
CVE Title: Windows Admin Center (WAC) Remote Code Execution Vulnerability
Description:

Relative path traversal in Windows Admin Center allows an authorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56196
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows Admin Center Release Notes (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56196 Batuhan Er with HawkTrace


CVE-2026-56197 - Windows Admin Center (WAC) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56197
MITRE
NVD
CVE Title: Windows Admin Center (WAC) Remote Code Execution Vulnerability
Description:

Improper neutralization of special elements used in a command ('command injection') in Windows Admin Center allows an authorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56197
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows Admin Center Release Notes (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56197 sho odagiri with GMO Cybersecurity by Ierae inc


Anonymous


CVE-2026-56178 - Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56178
MITRE
NVD
CVE Title: Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability
Description:

Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56178
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Defender for Endpoint for Mac Release Notes (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56178 Mihalis Haatainen with Bountyy Oy


CVE-2026-56642 - Microsoft Fabric Data Warehouse Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56642
MITRE
NVD
CVE Title: Microsoft Fabric Data Warehouse Remote Code Execution Vulnerability
Description:

Stack-based buffer overflow in Microsoft Fabric Data Warehouse allows an authorized attacker to execute code over a network.


FAQ:

How could an attacker exploit the vulnerability?

An attacker who successfully exploits this vulnerability could achieve remote code execution without user interaction.


According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56642
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Fabric Data Warehouse Release Notes (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56642 Microsoft Red Team


CVE-2026-56643 - DirectX Graphics Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56643
MITRE
NVD
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56643
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56643 Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab


Azure Yang with Kunlun Lab


CVE-2026-56644 - DirectX Graphics Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56644
MITRE
NVD
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56644
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56644 Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab


CVE-2026-54124 - Windows Terminal Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54124
MITRE
NVD
CVE Title: Windows Terminal Remote Code Execution Vulnerability
Description:

Integer overflow or wraparound in Windows Terminal allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54124
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5095051 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Terminal for Windows 10 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Windows Terminal for Windows 11 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54124 Dhiraj Mishra


Daniel R


CVE-2026-56194 - Windows NFS Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56194
MITRE
NVD
CVE Title: Windows NFS Server Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Network File System allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56194
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56194 Brandon Fisher


Brandon Fisher


CVE-2026-56647 - Windows Remote Access Service Infrastructure Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56647
MITRE
NVD
CVE Title: Windows Remote Access Service Infrastructure Elevation of Privilege Vulnerability
Description:

Integer overflow or wraparound in Windows Remote Access Service Infrastructure allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56647
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56647 Anonymous


CVE-2026-56648 - Windows NFS Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56648
MITRE
NVD
CVE Title: Windows NFS Server Elevation of Privilege Vulnerability
Description:

Time-of-check time-of-use (toctou) race condition in Windows Network File System allows an authorized attacker to elevate privileges over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56648
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56648 k0shl


CVE-2026-56649 - Windows Network File System Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56649
MITRE
NVD
CVE Title: Windows Network File System Remote Code Execution Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Network File System allows an unauthorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56649
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 5.9
Temporal: 5.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56649 Linzishan & Anemone & Zhiniang Peng (HUST)


CVE-2026-57083 - Windows Media Photo Codec Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57083
MITRE
NVD
CVE Title: Windows Media Photo Codec Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Microsoft Windows Codecs Library allows an unauthorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57083
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57083 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


CVE-2026-57084 - Windows File Explorer Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57084
MITRE
NVD
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Windows File Explorer allows an unauthorized attacker to disclose information locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57084
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57084 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


CVE-2026-56650 - Windows Network File System Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56650
MITRE
NVD
CVE Title: Windows Network File System Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Network File System allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56650
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56650 Anonymous


CVE-2026-57095 - Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57095
MITRE
NVD
CVE Title: Win32k Elevation of Privilege Vulnerability
Description:

Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an unauthorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57095
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57095 wxz & Thanatos Tian with Diffract


CVE-2026-57090 - Microsoft Windows Media Foundation Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57090
MITRE
NVD
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57090
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57090 yhw & txz


CVE-2026-57094 - Microsoft Windows Media Foundation Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57094
MITRE
NVD
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57094
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57094 yhw & txz


CVE-2026-57091 - Windows File History Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57091
MITRE
NVD
CVE Title: Windows File History Service Elevation of Privilege Vulnerability
Description:

Stack-based buffer overflow in Windows File History Service allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57091
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57091 AIフィジカルインターフェイス二号機


CVE-2026-57089 - Windows SMB Server Network Transport Driver (srvnet.sys) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57089
MITRE
NVD
CVE Title: Windows SMB Server Network Transport Driver (srvnet.sys) Remote Code Execution Vulnerability
Description:

Use after free in Windows SMB Server Network Transport Driver (srvnet.sys) allows an unauthorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57089
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57089 Microsoft


CVE-2026-57085 - Windows Print Spooler Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57085
MITRE
NVD
CVE Title: Windows Print Spooler Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

Successful exploitation could allow an attacker to read a limited amount of information from the affected system’s memory. This information would be restricted in scope and is not expected to expose large amounts of sensitive data.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57085
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57085 Noam Pomerantz with Cyberwallglobal


CVE-2026-57092 - Microsoft Windows VMSwitch Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57092
MITRE
NVD
CVE Title: Microsoft Windows VMSwitch Elevation of Privilege Vulnerability
Description:

Use after free in Windows VMSwitch allows an authorized attacker to elevate privileges over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could potentially gain elevated privileges on the host system beyond the guest virtual machine boundary.


How could an attacker exploit the vulnerability?

An attacker could exploit this vulnerability by running code in a guest virtual machine and sending a specially crafted network-related request to the host through the Hyper-V Virtual Switch. Under certain conditions, the request could cause the host to access memory that is no longer valid, potentially resulting in a denial of service or, in more severe cases, elevated privileges on the host system.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57092
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Elevation of Privilege None Base: 9.9
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57092 Microsoft Offensive Research & Security Engineering


CVE-2026-57087 - Microsoft Windows Media Foundation Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57087
MITRE
NVD
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code over a network.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker could attempt to exploit this vulnerability by convincing a user to open a specially crafted media file. If the vulnerable component processes the file, memory corruption could occur, which may allow code to run on the affected system.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57087
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57087 yhw & txz


CVE-2026-57088 - Extensible Storage Engine (ESENT) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57088
MITRE
NVD
CVE Title: Extensible Storage Engine (ESENT) Elevation of Privilege Vulnerability
Description:

Improper access control in Extensible Storage Engine (ESENT) allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain ELEVATED privileges, which may allow them to perform actions beyond their original permissions.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57088
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57088 Microsoft


CVE-2026-57093 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57093
MITRE
NVD
CVE Title: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Description:

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57093
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57093 Soon with Microsoft


CVE-2026-57096 - Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57096
MITRE
NVD
CVE Title: Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57096
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57096 Anonymous


CVE-2026-57101 - Visual Studio Code Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57101
MITRE
NVD
CVE Title: Visual Studio Code Security Feature Bypass Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57101
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Visual Studio Code Release Notes (Security Update) Important Security Feature Bypass None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57101 Ammar Askar


CVE-2026-57102 - Visual Studio Code Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57102
MITRE
NVD
CVE Title: Visual Studio Code Security Feature Bypass Vulnerability
Description:

Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57102
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Visual Studio Code Release Notes (Security Update) Important Security Feature Bypass None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57102 Rubin Ownz


CVE-2026-57108 - .NET Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57108
MITRE
NVD
CVE Title: .NET Denial of Service Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in .NET Core allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57108
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
.NET 10.0 installed on Linux 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 10.0 installed on Mac OS 5104034 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Linux 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Mac OS 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 8.0 installed on Windows 5104032 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Linux 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Mac OS 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
.NET 9.0 installed on Windows 5104033 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57108 41ae55e9310ff27fa6f26af4727e5590


CVE-2026-57968 - Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57968
MITRE
NVD
CVE Title: Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability
Description:

Buffer over-read in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57968
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows Subsystem for Linux (WSL2) Release Notes (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57968 vurmusum


vurmusum


CVE-2026-57973 - Windows Subsystem for Linux (WSL2) Kernel Tampering Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57973
MITRE
NVD
CVE Title: Windows Subsystem for Linux (WSL2) Kernel Tampering Vulnerability
Description:

Time-of-check time-of-use (toctou) race condition in Windows Subsystem for Linux allows an authorized attacker to perform tampering locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Tampering

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57973
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows Subsystem for Linux (WSL2) Release Notes (Security Update) Important Tampering None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57973 Kangjun Heo with Chungnam National University


Riddhimaan Singh


CVE-2026-57974 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57974
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Integer overflow or wraparound in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability?

An attacker could attempt to trick a user into interacting with a malicious request that appears legitimate. When the user approves the request, the attacker could cause the app to obtain an access token on the user’s behalf and send it to a location controlled by the attacker, without the user being clearly informed about what access is being granted.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57974
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57974 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-57975 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57975
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57975
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57975 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-57977 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57977
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57977
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Spoofing None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57977 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-57982 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57982
MITRE
NVD
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Windows RDP allows an authorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized heap memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57982
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57982 Sanil Singh Tomar with Microsoft


CVE-2026-57993 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-57993
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-57993
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Spoofing None Base: 7.4
Temporal: 6.4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-57993 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58277 - Microsoft SharePoint Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58277
MITRE
NVD
CVE Title: Microsoft SharePoint Elevation of Privilege Vulnerability
Description:

Improper authorization in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.


FAQ:

I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.


What privileges could be gained by an attacker who successfully exploited the vulnerability?

The attacker would gain the rights of the user that is running the affected application.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58277
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58277 Rafael Resende


Rafael Resende


CVE-2026-58281 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58281
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Deserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58281
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58281 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58282 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58282
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58282
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Spoofing None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58282 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58283 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58283
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58283
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Spoofing None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58283 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58284 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58284
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Improper authorization in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58284
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58284 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58285 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58285
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58285
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58285 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58286 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58286
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58286
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Spoofing None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58286 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58287 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58287
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58287
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58287 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58288 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58288
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58288
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58288 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58289 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58289
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58289
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 9.0
Temporal: 7.8
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58289 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58290 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58290
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58290
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58290 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58291 - Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58291
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Description:

Operation on a resource after expiration or release in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58291
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Information Disclosure None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58291 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58292 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58292
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L) and availability (A:L), and major loss of integrity (I:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability enables an attacker to access data and disrupt services at a medium integrity level, resulting in some loss of confidentiality and availability. However, because the attacker can execute arbitrary code at that level, the vulnerability poses a total loss of integrity, allowing for potentially significant data manipulation.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58292
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58292 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58293 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58293
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58293
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58293 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58294 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58294
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description:

Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58294
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58294 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58295 - Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58295
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.


FAQ:

How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An unauthenticated attacker is able to bypass the expected user access.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58295
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Security Feature Bypass None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58295 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58296 - Microsoft Edge for Android Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58296
MITRE
NVD
CVE Title: Microsoft Edge for Android Information Disclosure Vulnerability
Description:

Exposure of private personal information to an unauthorized actor in Microsoft Edge for Android allows an unauthorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58296
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58296 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58297 - Microsoft Edge for Android Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58297
MITRE
NVD
CVE Title: Microsoft Edge for Android Information Disclosure Vulnerability
Description:

Exposure of private personal information to an unauthorized actor in Microsoft Edge for Android allows an unauthorized attacker to disclose information over a network.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58297
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58297 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58298 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58298
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58298
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Spoofing None Base: 7.2
Temporal: 6.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58298 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58299 - Microsoft Edge for Android Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58299
MITRE
NVD
CVE Title: Microsoft Edge for Android Remote Code Execution Vulnerability
Description:

Time-of-check time-of-use (toctou) race condition in Microsoft Edge for Android allows an unauthorized attacker to execute code over a network.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58299
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Remote Code Execution None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58299 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58300 - Microsoft Edge for Android Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58300
MITRE
NVD
CVE Title: Microsoft Edge for Android Information Disclosure Vulnerability
Description:

Absolute path traversal in Microsoft Edge for Android allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58300
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Information Disclosure None Base: 6.2
Temporal: 5.4
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58300 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58522 - Microsoft Edge for Android Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58522
MITRE
NVD
CVE Title: Microsoft Edge for Android Information Disclosure Vulnerability
Description:

Relative path traversal in Microsoft Edge for Android allows an unauthorized attacker to disclose information locally.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58522
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58522 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58523 - Microsoft Edge for Android Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58523
MITRE
NVD
CVE Title: Microsoft Edge for Android Security Feature Bypass Vulnerability
Description:

Improper access control in Microsoft Edge for Android allows an unauthorized attacker to bypass a security feature over a network.


FAQ:

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An unauthenticated attacker is able to bypass the expected user access.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58523
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Security Feature Bypass None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58523 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58524 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58524
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58524
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Spoofing None Base: 5.4
Temporal: 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58524 Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58525 - Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58525
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Description:

Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.


FAQ:

How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An unauthenticated attacker is able to bypass the expected user access.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and some loss of integrity (I:L), but no loss of availability (A:N). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could view sensitive information, (Confidentiality), and make some changes to disclosed information (Integrity), but they would not be able to affect Availability.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.50 07/08/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-08T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58525
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Security Feature Bypass None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58525 Asaf Cohen with XBreach.ai


Kugelblitz with Microsoft


Kugelblitz with Microsoft


CVE-2026-58527 - Windows Runtime Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58527
MITRE
NVD
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58527
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58527 Anonymous


CVE-2026-58528 - Windows USB Audio Class Driver Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58528
MITRE
NVD
CVE Title: Windows USB Audio Class Driver Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58528
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.8
Temporal: 5.9
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58528 Jonghoi Kim


Donghyeon Oh with Patchpoint


CVE-2026-58530 - Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58530
MITRE
NVD
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58530
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58530 Donghyeon Oh with Patchpoint


Jonghoi Kim


R4nger with Kunlun Lab & Zhiniang Peng with HUST


CVE-2026-58538 - Windows Bluetooth Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58538
MITRE
NVD
CVE Title: Windows Bluetooth Service Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58538
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58538 Anonymous


Anonymous


Brandon Fisher


Brandon Fisher


CVE-2026-58533 - Windows Remote Desktop Client Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58533
MITRE
NVD
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58533
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58533 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


CVE-2026-58535 - Windows Remote Desktop Client Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58535
MITRE
NVD
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58535
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58535 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


CVE-2026-58546 - Windows Remote Desktop Client Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58546
MITRE
NVD
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description:

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58546
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58546 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


CVE-2026-58539 - Windows Remote Desktop Client Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58539
MITRE
NVD
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description:

Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58539
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Information Disclosure None Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58539 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


0ccbbf129444eb66344ccafb92b00df4


CVE-2026-58540 - Windows Installer Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58540
MITRE
NVD
CVE Title: Windows Installer Elevation of Privilege Vulnerability
Description:

Improper authorization in Windows Installer allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58540
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58540 JaGoTu with DCIT, a.s.


CVE-2026-58531 - Windows SMB Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58531
MITRE
NVD
CVE Title: Windows SMB Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB allows an authorized attacker to elevate privileges over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58531
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58531 grass341 with Viettel Cyber Security


CVE-2026-58532 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58532
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

Integer overflow or wraparound in Windows Kernel allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58532
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58532 aprilpet


CVE-2026-58537 - Microsoft NAT Helper Components (ipnathlp.dll) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58537
MITRE
NVD
CVE Title: Microsoft NAT Helper Components (ipnathlp.dll) Elevation of Privilege Vulnerability
Description:

Use after free in Microsoft NAT Helper Components (ipnathlp.dll) allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58537
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58537 Anonymous


CVE-2026-58534 - Windows Input Method Editor (IME) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58534
MITRE
NVD
CVE Title: Windows Input Method Editor (IME) Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Microsoft Input Method Editor (IME) allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58534
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58534 Pwnforr777


CVE-2026-58536 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58536
MITRE
NVD
CVE Title: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Description:

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58536
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58536 Chen Le Qi (@cplearns2h4ck) with STAR Labs SG Pte. Ltd.


CVE-2026-58547 - Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58547
MITRE
NVD
CVE Title: Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability
Description:

Heap-based buffer overflow in Universal Plug and Play (upnp.dll) allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58547
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58547 Q4n with Kunlun Lab


CVE-2026-58545 - Windows Kernel Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58545
MITRE
NVD
CVE Title: Windows Kernel Security Feature Bypass Vulnerability
Description:

Improper access control in Windows Kernel allows an authorized attacker to bypass a security feature locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58545
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Security Feature Bypass None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58545 Microsoft


CVE-2026-58544 - Windows Management Services Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58544
MITRE
NVD
CVE Title: Windows Management Services Elevation of Privilege Vulnerability
Description:

Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58544
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58544 Anonymous


CVE-2026-58542 - Windows Media Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58542
MITRE
NVD
CVE Title: Windows Media Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58542
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58542 Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab


CVE-2026-58543 - Universal Print Management Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58543
MITRE
NVD
CVE Title: Universal Print Management Service Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges with a physical attack.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58543
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58543 AIフィジカルインターフェイス二号機


CVE-2026-58541 - Microsoft DWM Core Library Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58541
MITRE
NVD
CVE Title: Microsoft DWM Core Library Elevation of Privilege Vulnerability
Description:

Access of resource using incompatible type ('type confusion') in Windows DWM allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58541
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58541 Varun Goel


yhw & txz


CVE-2026-58594 - Remote Desktop Client Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58594
MITRE
NVD
CVE Title: Remote Desktop Client Remote Code Execution Vulnerability
Description:

Integer overflow or wraparound in Windows RDP allows an unauthorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58594
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58594 Sanil Singh Tomar with Microsoft


CVE-2026-58596 - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58596
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
Description:

Untrusted pointer dereference in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.


FAQ:

How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.


What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/11/2026 150.0.7871.47

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps.


What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain the privileges of the authenticated user.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58596
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Important Elevation of Privilege None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58596 deepsleep


CVE-2026-58597 - Microsoft Edge (Chromium-based) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58597
MITRE
NVD
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description:

Insufficient ui warning of dangerous operations in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.


FAQ:

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Low Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58597
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Low Spoofing None Base: 4.3
Temporal: 3.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58597 Azza Tegar Naufal Ataullah


CVE-2026-13954 - Chromium: CVE-2026-13954 Insufficient policy enforcement in XML

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13954
MITRE
NVD
CVE Title: Chromium: CVE-2026-13954 Insufficient policy enforcement in XML
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13954
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13954 None

CVE-2026-13796 - Chromium: CVE-2026-13796 Integer overflow in Chromecast

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13796
MITRE
NVD
CVE Title: Chromium: CVE-2026-13796 Integer overflow in Chromecast
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:56    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13796
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13796 None

CVE-2026-13799 - Chromium: CVE-2026-13799 Use after free in QUIC

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13799
MITRE
NVD
CVE Title: Chromium: CVE-2026-13799 Use after free in QUIC
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13799
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13799 None

CVE-2026-13800 - Chromium: CVE-2026-13800 Inappropriate implementation in Updater

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13800
MITRE
NVD
CVE Title: Chromium: CVE-2026-13800 Inappropriate implementation in Updater
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:01    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13800
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13800 None

CVE-2026-13806 - Chromium: CVE-2026-13806 Insufficient validation of untrusted input in Accessibility

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13806
MITRE
NVD
CVE Title: Chromium: CVE-2026-13806 Insufficient validation of untrusted input in Accessibility
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:07    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13806
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13806 None

CVE-2026-13810 - Chromium: CVE-2026-13810 Inappropriate implementation in Input

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13810
MITRE
NVD
CVE Title: Chromium: CVE-2026-13810 Inappropriate implementation in Input
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:08    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13810
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13810 None

CVE-2026-13811 - Chromium: CVE-2026-13811 Use after free in IME

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13811
MITRE
NVD
CVE Title: Chromium: CVE-2026-13811 Use after free in IME
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:10    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13811
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13811 None

CVE-2026-13815 - Chromium: CVE-2026-13815 Use after free in Blink

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13815
MITRE
NVD
CVE Title: Chromium: CVE-2026-13815 Use after free in Blink
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:12    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13815
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13815 None

CVE-2026-13818 - Chromium: CVE-2026-13818 Inappropriate implementation in Passwords

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13818
MITRE
NVD
CVE Title: Chromium: CVE-2026-13818 Inappropriate implementation in Passwords
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:14    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13818
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13818 None

CVE-2026-13814 - Chromium: CVE-2026-13814 Use after free in Views

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13814
MITRE
NVD
CVE Title: Chromium: CVE-2026-13814 Use after free in Views
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:30    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13814
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13814 None

CVE-2026-13817 - Chromium: CVE-2026-13817 Insufficient validation of untrusted input in Glic

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13817
MITRE
NVD
CVE Title: Chromium: CVE-2026-13817 Insufficient validation of untrusted input in Glic
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:13    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13817
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13817 None

CVE-2026-13821 - Chromium: CVE-2026-13821 Use after free in Canvas

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13821
MITRE
NVD
CVE Title: Chromium: CVE-2026-13821 Use after free in Canvas
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:17    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13821
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13821 None

CVE-2026-13820 - Chromium: CVE-2026-13820 Out of bounds read in Skia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13820
MITRE
NVD
CVE Title: Chromium: CVE-2026-13820 Out of bounds read in Skia
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:16    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13820
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13820 None

CVE-2026-13823 - Chromium: CVE-2026-13823 Use after free in Glic

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13823
MITRE
NVD
CVE Title: Chromium: CVE-2026-13823 Use after free in Glic
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:18    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13823
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13823 None

CVE-2026-13824 - Chromium: CVE-2026-13824 Insufficient validation of untrusted input in Extensions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13824
MITRE
NVD
CVE Title: Chromium: CVE-2026-13824 Insufficient validation of untrusted input in Extensions
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:19    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13824
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13824 None

CVE-2026-13828 - Chromium: CVE-2026-13828 Inappropriate implementation in Enterprise

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13828
MITRE
NVD
CVE Title: Chromium: CVE-2026-13828 Inappropriate implementation in Enterprise
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:20    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13828
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13828 None

CVE-2026-13829 - Chromium: CVE-2026-13829 Insufficient validation of untrusted input in Settings

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13829
MITRE
NVD
CVE Title: Chromium: CVE-2026-13829 Insufficient validation of untrusted input in Settings
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:22    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13829
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13829 None

CVE-2026-13830 - Chromium: CVE-2026-13830 Use after free in Chromoting

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13830
MITRE
NVD
CVE Title: Chromium: CVE-2026-13830 Use after free in Chromoting
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:23    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13830
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13830 None

CVE-2026-13831 - Chromium: CVE-2026-13831 Use after free in GPU

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13831
MITRE
NVD
CVE Title: Chromium: CVE-2026-13831 Use after free in GPU
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:24    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13831
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13831 None

CVE-2026-13834 - Chromium: CVE-2026-13834 Insufficient validation of untrusted input in ANGLE

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13834
MITRE
NVD
CVE Title: Chromium: CVE-2026-13834 Insufficient validation of untrusted input in ANGLE
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:27    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13834
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13834 None

CVE-2026-13832 - Chromium: CVE-2026-13832 Use after free in Headless

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13832
MITRE
NVD
CVE Title: Chromium: CVE-2026-13832 Use after free in Headless
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:31    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13832
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13832 None

CVE-2026-13836 - Chromium: CVE-2026-13836 Inappropriate implementation in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13836
MITRE
NVD
CVE Title: Chromium: CVE-2026-13836 Inappropriate implementation in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:30    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13836
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13836 None

CVE-2026-13835 - Chromium: CVE-2026-13835 Inappropriate implementation in XML

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13835
MITRE
NVD
CVE Title: Chromium: CVE-2026-13835 Inappropriate implementation in XML
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:28    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13835
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13835 None

CVE-2026-13837 - Chromium: CVE-2026-13837 Inappropriate implementation in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13837
MITRE
NVD
CVE Title: Chromium: CVE-2026-13837 Inappropriate implementation in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:31    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13837
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13837 None

CVE-2026-13838 - Chromium: CVE-2026-13838 Inappropriate implementation in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13838
MITRE
NVD
CVE Title: Chromium: CVE-2026-13838 Inappropriate implementation in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:32    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13838
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13838 None

CVE-2026-13839 - Chromium: CVE-2026-13839 Inappropriate implementation in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13839
MITRE
NVD
CVE Title: Chromium: CVE-2026-13839 Inappropriate implementation in CSS
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:33    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13839
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13839 None

CVE-2026-13840 - Chromium: CVE-2026-13840 Insufficient policy enforcement in Canvas

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13840
MITRE
NVD
CVE Title: Chromium: CVE-2026-13840 Insufficient policy enforcement in Canvas
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:35    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13840
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13840 None

CVE-2026-13841 - Chromium: CVE-2026-13841 Integer overflow in Skia

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13841
MITRE
NVD
CVE Title: Chromium: CVE-2026-13841 Integer overflow in Skia
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:36    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13841
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13841 None

CVE-2026-13844 - Chromium: CVE-2026-13844 Use after free in Updater

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13844
MITRE
NVD
CVE Title: Chromium: CVE-2026-13844 Use after free in Updater
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:37    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13844
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13844 None

CVE-2026-13845 - Chromium: CVE-2026-13845 Use after free in DOM

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-13845
MITRE
NVD
CVE Title: Chromium: CVE-2026-13845 Use after free in DOM
Description:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version
150.0.4078.48 07/03/2026 150.0.7871.47

Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T07:00:33    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-13845
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-13845 None

CVE-2026-47305 - Visual Studio Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-47305
MITRE
NVD
CVE Title: Visual Studio Remote Code Execution Vulnerability
Description:

Protection mechanism failure in Visual Studio allows an unauthorized attacker to execute code locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-47305
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Visual Studio 2022 version 17.12 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2022 version 17.14 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Visual Studio 2026 version 18.7 Release Notes (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-47305 Arun T


CVE-2026-58613 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58613
MITRE
NVD
CVE Title: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Description:

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58613
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58613 Marcin 'Icewall' Noga with Cisco Talos


Marcin 'Icewall' Noga with Cisco Talos


CVE-2026-58617 - M365 Copilot for iOS Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58617
MITRE
NVD
CVE Title: M365 Copilot for iOS Elevation of Privilege Vulnerability
Description:

Improper access control in Microsoft 365 Copilot for iOS allows an unauthorized attacker to elevate privileges over a network.


FAQ:

According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability?

The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58617
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Copilot for iOS Release Notes (Security Update) Important Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58617 Ofek Levin with Enclave


CVE-2026-58619 - Windows Sensor Data Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58619
MITRE
NVD
CVE Title: Windows Sensor Data Service Elevation of Privilege Vulnerability
Description:

Use after free in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58619
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58619 k0shl


k0shl


CVE-2026-58626 - Windows Remote Desktop Services Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58626
MITRE
NVD
CVE Title: Windows Remote Desktop Services Remote Code Execution Vulnerability
Description:

Use after free in Windows Remote Desktop Services allows an authorized attacker to execute code over a network.


FAQ:

How could an attacker exploit this vulnerability?

An authenticated attacker could exploit this vulnerability by connecting to a target system via Remote Desktop Protocol (RDP) and sending specially crafted requests that trigger a use-after-free condition in the Remote Desktop service, allowing the attacker to execute arbitrary code on the target system.


According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

An attacker must first have access to a Windows system as an authenticated user and then use that system to establish a connection to the target server and send the malicious data that triggers the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58626
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58626 Daniel R


CVE-2026-58627 - Windows DHCP Server Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58627
MITRE
NVD
CVE Title: Windows DHCP Server Denial of Service Vulnerability
Description:

Uncontrolled resource consumption in Windows DHCP Server allows an unauthorized attacker to deny service over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58627
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58627 Anil Lulla with Microsoft


CVE-2026-58628 - Windows Wireless Network Manager Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58628
MITRE
NVD
CVE Title: Windows Wireless Network Manager Elevation of Privilege Vulnerability
Description:

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Wireless Networking allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.


According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58628
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58628 Arpit Gupta


CVE-2026-58629 - DirectX Graphics Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58629
MITRE
NVD
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description:

Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.


FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited the vulnerability could execute code in the kernel.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58629
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for ARM64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 23H2 for x64-based Systems 5099414 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 (Server Core installation) 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58629 gengstah


Dung Do of Calif.io


CVE-2026-58632 - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58632
MITRE
NVD
CVE Title: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
Description:

Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58632
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58632 Anonymous


CVE-2026-58633 - Desktop Window Manager Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58633
MITRE
NVD
CVE Title: Desktop Window Manager Elevation of Privilege Vulnerability
Description:

Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58633
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58633 Seung Chan Kim


CVE-2026-58634 - Desktop Window Manager Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58634
MITRE
NVD
CVE Title: Desktop Window Manager Elevation of Privilege Vulnerability
Description:

Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58634
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58634 Varun Goel


CVE-2026-58637 - Windows Client-Side Caching Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58637
MITRE
NVD
CVE Title: Windows Client-Side Caching Elevation of Privilege Vulnerability
Description:

Use after free in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally.


FAQ:

What privileges could be gained by an attacker who successfully exploited the vulnerability?

A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level.


According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58637
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Elevation of Privilege None Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58637 z1r0


Byunghyun Kang with KAIST


CVE-2026-58638 - Windows Boot Loader Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58638
MITRE
NVD
CVE Title: Windows Boot Loader Security Feature Bypass Vulnerability
Description:

Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58638
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5099538 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5099539 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5099445 (Monthly Rollup) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5099445 (Monthly Rollup) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5099444 (Monthly Rollup) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5099444 (Monthly Rollup) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 5099535 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5099535 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5099538 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5099538 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5099540 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Important Security Feature Bypass None Base: 6.0
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58638 Stas Lyakhov with Eclypsium


CVE-2026-56181 - Windows Network Address Translation (NAT) Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56181
MITRE
NVD
CVE Title: Windows Network Address Translation (NAT) Spoofing Vulnerability
Description:

Origin validation error in Windows Network Address Translation (NAT) allows an unauthorized attacker to perform spoofing over an adjacent network.


FAQ:

According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?

This vulnerability's attack is limited at the protocol level to a logically adjacent topology. This means it cannot simply be done across the internet, but instead needs something specific tied to the target. Good examples would include the same shared physical network (such as Bluetooth or IEEE 802.11), logical network (local IP subnet), or from within a secure or otherwise limited administrative domain (MPLS, secure VPN to an administrative network zone). This is common to many attacks that require machine-in-the-middle (MITM) type setups or that rely on initially gaining a foothold in another environment.


According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Moderate Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56181
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 24H2 for ARM64-based Systems 5101650 (Security Update) Moderate Spoofing None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 24H2 for x64-based Systems 5101650 (Security Update) Moderate Spoofing None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for ARM64-based Systems 5101650 (Security Update) Moderate Spoofing None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 25H2 for x64-based Systems 5101650 (Security Update) Moderate Spoofing None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Moderate Spoofing None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Moderate Spoofing None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 5099536 (Security Update) Moderate Spoofing None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2025 (Server Core installation) 5099536 (Security Update) Moderate Spoofing None Base: 8.3
Temporal: 7.2
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56181 Malcolm Stagg with SODIUM-24, LLC


CVE-2026-55121 - Microsoft Office Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55121
MITRE
NVD
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description:

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.


FAQ:

According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), no loss to integrity (I:N) and lead to some loss of availability (A:L). What is the impact of this vulnerability?

Successful exploitation of this vulnerability could allow an attacker to access limited sensitive information from system memory and may cause intermittent interruptions or reduced performance in the affected application. However, it would not allow the attacker to modify data.


What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send a user a malicious Office file and convince them to open it.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55121
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2016 (32-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002887 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office 365 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2024 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC for Mac 2024 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002891 (Security Update)
5002892 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002883 (Security Update)
5002885 (Security Update)
Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002882 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55121 Haein Lee


CVE-2026-58529 - Windows Active Directory Federation Services (ADFS) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58529
MITRE
NVD
CVE Title: Windows Active Directory Federation Services (ADFS) Information Disclosure Vulnerability
Description:

Out-of-bounds read in Active Directory Federation Services (AD FS) allows an authorized attacker to disclose information over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58529
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 11 Version 26H1 for ARM64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes
Windows 11 version 26H1 for x64-based Systems 5101649 (Security Update) Important Information Disclosure None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58529 Anonymous


CVE-2026-53355 - net: rds: clear i_sends on setup unwind

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53355
MITRE
NVD
CVE Title: net: rds: clear i_sends on setup unwind
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-02T14:43:58    

Information published.


1.0    2026-07-02T01:03:30    

Information published.


3.0    2026-07-09T14:49:56    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53355
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.5
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53355 None

CVE-2026-53347 - drm/virtio: Fix driver removal with disabled KMS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53347
MITRE
NVD
CVE Title: drm/virtio: Fix driver removal with disabled KMS
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T01:04:20    

Information published.


2.0    2026-07-02T14:44:42    

Information published.


3.0    2026-07-09T14:50:12    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53347
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.5
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53347 None

CVE-2026-53343 - ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53343
MITRE
NVD
CVE Title: ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T01:04:59    

Information published.


2.0    2026-07-02T14:45:20    

Information published.


3.0    2026-07-09T14:51:00    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53343
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.1
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53343 None

CVE-2026-53329 - drm/amd/display: Use krealloc_array() in dal_vector_reserve()

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53329
MITRE
NVD
CVE Title: drm/amd/display: Use krealloc_array() in dal_vector_reserve()
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-02T14:45:02    

Information published.


3.0    2026-07-09T14:50:35    

Information published.


1.0    2026-07-02T01:04:39    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53329
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.1
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53329 None

CVE-2026-53352 - signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53352
MITRE
NVD
CVE Title: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T01:04:33    

Information published.


2.0    2026-07-02T14:44:55    

Information published.


3.0    2026-07-09T14:50:28    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53352
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.5
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53352 None

CVE-2026-53349 - netfilter: nf_conntrack: destroy stale expectfn expectations on unregister

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53349
MITRE
NVD
CVE Title: netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T01:04:46    

Information published.


2.0    2026-07-02T14:45:08    

Information published.


3.0    2026-07-09T14:50:45    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53349
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.5
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53349 None

CVE-2026-56149 - Allocation of Resources Without Limits or Throttling in Elasticsearch Leading to Denial of Service

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56149
MITRE
NVD
CVE Title: Allocation of Resources Without Limits or Throttling in Elasticsearch Leading to Denial of Service
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T01:02:04    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56149
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 rubygem-elasticsearch 8.9.0-1 on Azure Linux 3.0 Moderate Unknown None Base: 4.9
Temporal: 4.9
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56149 None

CVE-2026-14258 - Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14258
MITRE
NVD
CVE Title: Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-05T14:43:33    

Information published.


3.0    2026-07-06T14:45:18    

Information published.


1.0    2026-07-03T01:03:50    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14258
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 dhcpcd 10.0.8-2 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 6.5
Temporal: 6.5
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
No
azl3 dhcpcd 10.0.8-4 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 6.5
Temporal: 6.5
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14258 None

CVE-2026-50721 - IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50721
MITRE
NVD
CVE Title: IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-04T01:03:02    

Information published.


2.0    2026-07-09T14:39:28    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50721
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 libreswan 4.15-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 8.1
Temporal: 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50721 None

CVE-2026-50722 - IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-50722
MITRE
NVD
CVE Title: IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-04T01:03:08    

Information published.


2.0    2026-07-09T14:39:37    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-50722
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 libreswan 4.15-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 8.1
Temporal: 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-50722 None

CVE-2026-9545 - exposing HTTP/3 early data

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-9545
MITRE
NVD
CVE Title: exposing HTTP/3 early data
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-07T01:41:09    

Information published.


3.0    2026-07-09T01:46:22    

Information published.


1.0    2026-07-04T01:04:22    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-9545
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 curl 8.11.1-9 on Azure Linux 3.0 Important Unknown None Base: 7.5
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P
Unknown
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-9545 None

CVE-2026-12413 - IKEv2 Denial of Service via malformed fragmentation

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-12413
MITRE
NVD
CVE Title: IKEv2 Denial of Service via malformed fragmentation
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-04T01:03:15    

Information published.


2.0    2026-07-09T14:39:45    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-12413
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 libreswan 4.15-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-12413 None

CVE-2026-8932 - incomplete mTLS config matching in conn reuse

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-8932
MITRE
NVD
CVE Title: incomplete mTLS config matching in conn reuse
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-04T01:04:54    

Information published.


2.0    2026-07-07T01:41:30    

Information published.


3.0    2026-07-09T01:46:48    

Information published.


4.0    2026-07-12T14:47:57    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-8932
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 cmake 3.30.3-14 on Azure Linux 3.0 Important Unknown None Base: 7.5
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P
Unknown
azl3 curl 8.11.1-9 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.5
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P
No
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-8932 None

CVE-2026-9547 - SSH improper host validation

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-9547
MITRE
NVD
CVE Title: SSH improper host validation
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-06T14:46:35    

Information published.


3.0    2026-07-09T01:47:17    

Information published.


1.0    2026-07-04T01:05:15    

Information published.


Critical Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-9547
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 cmake 3.30.3-14 on Azure Linux 3.0 Critical Unknown None Base: 9.1
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Unknown
azl3 curl 8.11.1-9 on Azure Linux 3.0 Critical Unknown None Base: 9.1
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Unknown
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Critical Unknown None Base: 9.1
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Critical Unknown None Base: 9.1
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Critical Unknown None Base: 9.1
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Unknown
azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 Important Unknown None Base: 7.4
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-9547 None

CVE-2026-8458 - wrong reuse for different services

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-8458
MITRE
NVD
CVE Title: wrong reuse for different services
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-04T01:06:19    

Information published.


2.0    2026-07-07T01:42:14    

Information published.


3.0    2026-07-07T14:41:25    

Information published.


4.0    2026-07-09T01:48:27    

Information published.


5.0    2026-07-12T14:48:23    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-8458
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 cmake 3.30.3-14 on Azure Linux 3.0 Moderate Unknown None Base: 6.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Unknown
azl3 curl 8.11.1-9 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 6.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
No
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-8458 None

CVE-2026-8924 - trailing dot domain super cookie

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-8924
MITRE
NVD
CVE Title: trailing dot domain super cookie
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-07T01:41:55    

Information published.


3.0    2026-07-09T01:48:07    

Information published.


1.0    2026-07-04T01:05:58    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-8924
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 cmake 3.30.3-14 on Azure Linux 3.0 Important Unknown None Base: 9.1
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P
Unknown
azl3 curl 8.11.1-9 on Azure Linux 3.0 Important Unknown None Base: 9.1
Temporal: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P
Unknown
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-8924 None

CVE-2026-10536 - HTTP/2 stream-dependency tree UAF

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-10536
MITRE
NVD
CVE Title: HTTP/2 stream-dependency tree UAF
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
3.0    2026-07-09T01:48:59    

Information published.


3.1    2026-07-10T14:40:19    

Information published.


4.0    2026-07-12T14:49:23    

Information published.


1.0    2026-07-04T01:07:25    

Information published.


2.0    2026-07-07T01:42:55    

Information published.


3.2    2026-07-11T14:38:42    

Information published.


Low Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-10536
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 cmake 3.30.3-14 on Azure Linux 3.0 Moderate Unknown None Base: 5.5
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P
Unknown
azl3 curl 8.11.1-9 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 4.7
Temporal: 4.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P
No
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-10536 None

CVE-2026-11856 - cross-origin Digest auth state leak

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-11856
MITRE
NVD
CVE Title: cross-origin Digest auth state leak
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-06T14:46:55    

Information published.


3.0    2026-07-09T01:47:43    

Information published.


1.0    2026-07-04T01:05:36    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-11856
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 cmake 3.30.3-14 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 curl 8.11.1-9 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-11856 None

CVE-2026-8286 - wrong STARTTLS connection reuse

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-8286
MITRE
NVD
CVE Title: wrong STARTTLS connection reuse
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
4.0    2026-07-12T14:49:04    

Information published.


1.0    2026-07-04T01:06:52    

Information published.


2.0    2026-07-07T01:42:34    

Information published.


3.0    2026-07-09T01:50:03    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-8286
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 cmake 3.30.3-14 on Azure Linux 3.0 Important Unknown None Base: 8.1
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P
Unknown
azl3 curl 8.11.1-9 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 8.1
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P
No
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-8286 None

CVE-2026-8926 - password leak with netrc and user in URL

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-8926
MITRE
NVD
CVE Title: password leak with netrc and user in URL
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-07T01:43:09    

Information published.


1.0    2026-07-04T01:07:40    

Information published.


3.0    2026-07-09T01:49:37    

Information published.


3.1    2026-07-10T14:40:29    

Information published.


4.0    2026-07-12T14:49:44    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-8926
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 curl 8.11.1-9 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.9
Temporal: 5.6
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P
No
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Critical Unknown None Base: 9.1
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-8926 None

CVE-2026-9080 - UAF after pause in socket callback

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-9080
MITRE
NVD
CVE Title: UAF after pause in socket callback
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-04T01:07:52    

Information published.


2.0    2026-07-07T01:43:20    

Information published.


3.0    2026-07-09T01:49:11    

Information published.


Low Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-9080
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-9080 None

CVE-2026-8925 - SASL double-free

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-8925
MITRE
NVD
CVE Title: SASL double-free
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-06T14:47:19    

Information published.


1.0    2026-07-04T01:08:05    

Information published.


3.0    2026-07-09T01:49:49    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-8925
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Moderate Unknown None Base: 5.9
Temporal: 5.9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Moderate Unknown None Base: 5.9
Temporal: 5.9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Moderate Unknown None Base: 5.9
Temporal: 5.9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-8925 None

CVE-2026-53362 - ipv6: account for fraggap on the paged allocation path

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53362
MITRE
NVD
CVE Title: ipv6: account for fraggap on the paged allocation path
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-06T14:47:38    

Information published.


1.0    2026-07-05T01:03:10    

Information published.


3.0    2026-07-08T14:47:02    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53362
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.3
Temporal: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53362 None

CVE-2026-53359 - KVM: x86: Fix shadow paging use-after-free due to unexpected role

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53359
MITRE
NVD
CVE Title: KVM: x86: Fix shadow paging use-after-free due to unexpected role
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-05T01:03:16    

Information published.


2.0    2026-07-07T14:41:35    

Information published.


3.0    2026-07-08T14:47:09    

Information published.


4.0    2026-07-09T01:50:15    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53359
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.0
Temporal: 7.0
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53359 None

CVE-2026-14355 - ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14355
MITRE
NVD
CVE Title: ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-06T14:47:27    

Information published.


1.0    2026-07-05T01:02:57    

Information published.


3.0    2026-07-09T01:50:09    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14355
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 openssl 3.3.7-3 on Azure Linux 3.0 Moderate Unknown None Base: 5.6
Temporal: 5.6
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Unknown
azl3 php 8.3.31-1 on Azure Linux 3.0 Moderate Unknown None Base: 5.6
Temporal: 5.6
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14355 None

CVE-2026-53361 - af_unix: Set gc_in_progress to true in unix_gc().

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53361
MITRE
NVD
CVE Title: af_unix: Set gc_in_progress to true in unix_gc().
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-06T14:47:33    

Information published.


1.0    2026-07-05T01:03:04    

Information published.


3.0    2026-07-08T14:46:54    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53361
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 4.5
Temporal: 4.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53361 None

CVE-2026-55952 - TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55952
MITRE
NVD
CVE Title: TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-07T01:01:15    

Information published.


2.0    2026-07-09T01:50:21    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55952
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 erlang 26.2.5.21-2 on Azure Linux 3.0 Important Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55952 None

CVE-2026-54886 - SSH SFTP server denial of service via extended channel data infinite loop

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54886
MITRE
NVD
CVE Title: SSH SFTP server denial of service via extended channel data infinite loop
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-11T01:40:30    

Information published.


1.0    2026-07-07T01:01:22    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54886
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 erlang 26.2.5.21-2 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54886 None

CVE-2026-12480 - Arbitrary HDF5 File Read via Virtual Dataset Bypass in keras-team/keras

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-12480
MITRE
NVD
CVE Title: Arbitrary HDF5 File Read via Virtual Dataset Bypass in keras-team/keras
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-14T01:38:59    

Information published.


1.0    2026-07-07T01:01:38    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-12480
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 keras 3.3.3-7 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.5
Temporal: 5.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-12480 None

CVE-2026-14647 - onnx onnxruntime old.cc convPoolShapeInference_opset19 out-of-bounds

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14647
MITRE
NVD
CVE Title: onnx onnxruntime old.cc convPoolShapeInference_opset19 out-of-bounds
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-07T01:01:44    

Information published.


Low Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14647
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 pytorch 2.2.2-15 on Azure Linux 3.0 Low Unknown None Base: 4.3
Temporal: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14647 None

CVE-2026-59997 - internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59997
MITRE
NVD
CVE Title: internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:01:15    

Information published.


2.0    2026-07-12T14:50:41    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59997
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 openssh 9.8p1-8 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 4.2
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59997 None

CVE-2026-59996 - scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59996
MITRE
NVD
CVE Title: scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-12T14:50:58    

Information published.


1.0    2026-07-09T01:01:22    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59996
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 openssh 9.8p1-8 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 4.2
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59996 None

CVE-2026-59995 - sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59995
MITRE
NVD
CVE Title: sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:01:28    

Information published.


2.0    2026-07-12T14:51:17    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59995
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 openssh 9.8p1-8 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 4.2
Temporal: 4.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59995 None

CVE-2026-60001 - sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-60001
MITRE
NVD
CVE Title: sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:01:35    

Information published.


2.0    2026-07-12T14:51:37    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-60001
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 openssh 9.8p1-8 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 6.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-60001 None

CVE-2026-60000 - sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-60000
MITRE
NVD
CVE Title: sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:01:41    

Information published.


2.0    2026-07-12T14:51:55    

Information published.


Low Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-60000
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 openssh 9.8p1-8 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Low Unknown None Base: 3.7
Temporal: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-60000 None

CVE-2026-59999 - In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59999
MITRE
NVD
CVE Title: In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:01:47    

Information published.


2.0    2026-07-12T14:52:14    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59999
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 openssh 9.8p1-8 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.9
Temporal: 5.9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59999 None

CVE-2026-60002 - ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-60002
MITRE
NVD
CVE Title: ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:01:53    

Information published.


2.0    2026-07-12T14:52:35    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-60002
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 openssh 9.8p1-8 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.7
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-60002 None

CVE-2026-56002 - libXfont2 PCF Font Parsing Heap Buffer Overflow

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56002
MITRE
NVD
CVE Title: libXfont2 PCF Font Parsing Heap Buffer Overflow
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:02:13    

Information published.


2.0    2026-07-12T14:53:31    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56002
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 libXfont2 2.0.6-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 8.5
Temporal: 7.8
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56002 None

CVE-2026-56000 - xorg-x11-server / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent()

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56000
MITRE
NVD
CVE Title: xorg-x11-server / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent()
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:02:26    

Information published.


2.0    2026-07-11T01:08:33    

Information published.


3.0    2026-07-12T14:54:03    

Information published.


Critical Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56000
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 wayland 1.22.0-1 on Azure Linux 3.0 Critical Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown
azl3 xorg-x11-server-Xwayland 24.1.12-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56000 None

CVE-2026-38968 - ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-38968
MITRE
NVD
CVE Title: ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:02:45    

Information published.


Critical Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-38968
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 ntopng 5.2.1-6 on Azure Linux 3.0 Critical Unknown None Base: 9.8
Temporal: 9.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-38968 None

CVE-2026-38969 - ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling.

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-38969
MITRE
NVD
CVE Title: ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling.
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:02:55    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-38969
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 ruby 3.3.5-8 on Azure Linux 3.0 Moderate Unknown None Base: 7.5
Temporal: 6.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U
Unknown
azl3 rubygem-webrick 1.8.1-3 on Azure Linux 3.0 Moderate Unknown None Base: 7.5
Temporal: 6.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-38969 None

CVE-2026-54908 - Pion DTLS: Denial of service via panic while parsing a crafted ECDHE_PSK ServerKeyExchange message

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54908
MITRE
NVD
CVE Title: Pion DTLS: Denial of service via panic while parsing a crafted ECDHE_PSK ServerKeyExchange message
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-11T01:41:05    

Information published.


1.0    2026-07-09T01:03:02    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54908
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 telegraf 1.31.0-23 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54908 None

CVE-2026-56288 - NULL Pointer Dereference in GNU patch

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56288
MITRE
NVD
CVE Title: NULL Pointer Dereference in GNU patch
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-10T01:01:37    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56288
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kpatch 0.9.8-3 on Azure Linux 3.0 Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown
azl3 patch 2.7.6-9 on Azure Linux 3.0 Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56288 None

CVE-2026-59856 - Vim: Arbitrary Code Execution via PHP Omni-Completion

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59856
MITRE
NVD
CVE Title: Vim: Arbitrary Code Execution via PHP Omni-Completion
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:01:16    

Information published.


2.0    2026-07-12T14:55:22    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59856
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 vim 9.2.0735-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.8
Temporal: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59856 None

CVE-2026-20214 - ClamAV FSG File Format Processing Out-of-Bounds Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-20214
MITRE
NVD
CVE Title: ClamAV FSG File Format Processing Out-of-Bounds Memory Corruption Vulnerability
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:01:29    

Information published.


2.0    2026-07-12T14:56:03    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-20214
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 clamav 1.5.2-3 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-20214 None

CVE-2026-20215 - ClamAV 7Zip File Format Processing Out-of-Bounds Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-20215
MITRE
NVD
CVE Title: ClamAV 7Zip File Format Processing Out-of-Bounds Memory Corruption Vulnerability
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:01:35    

Information published.


2.0    2026-07-12T14:56:22    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-20215
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 clamav 1.5.2-3 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-20215 None

CVE-2026-20216 - ClamAV InstallShield File Format Processing Resource Exhaustion Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-20216
MITRE
NVD
CVE Title: ClamAV InstallShield File Format Processing Resource Exhaustion Vulnerability
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:01:41    

Information published.


2.0    2026-07-12T14:56:40    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-20216
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 clamav 1.5.2-3 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-20216 None

CVE-2026-20217 - ClamAV PESpin File Format Processing Out-of-Bounds Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-20217
MITRE
NVD
CVE Title: ClamAV PESpin File Format Processing Out-of-Bounds Memory Corruption Vulnerability
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:01:47    

Information published.


2.0    2026-07-12T14:56:58    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-20217
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 clamav 1.5.2-3 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-20217 None

CVE-2026-20244 - ClamAV DMG File Processing Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-20244
MITRE
NVD
CVE Title: ClamAV DMG File Processing Denial of Service Vulnerability
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-12T14:57:41    

Information published.


1.0    2026-07-11T01:02:00    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-20244
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 clamav 1.5.2-3 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-20244 None

CVE-2026-59998 - sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59998
MITRE
NVD
CVE Title: sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:02:59    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59998
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 openssh 9.8p1-8 on Azure Linux 3.0 Moderate Unknown None Base: 4.8
Temporal: 4.8
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59998 None

CVE-2026-14380 - DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14380
MITRE
NVD
CVE Title: DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:06:39    

Information published.


2.0    2026-07-12T14:58:35    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14380
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 perl-DBI 1.643-5 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 8.8
Temporal: 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14380 None

CVE-2026-14740 - DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14740
MITRE
NVD
CVE Title: DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:06:45    

Information published.


2.0    2026-07-12T14:58:52    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14740
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 perl-DBI 1.643-5 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 9.1
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14740 None

CVE-2026-59926 - Mistune: XSS via unescaped class option in Admonition directive

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59926
MITRE
NVD
CVE Title: Mistune: XSS via unescaped class option in Admonition directive
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:06:59    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59926
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 python-mistune 3.3.0-1 on Azure Linux 3.0 Moderate Unknown None Base: 6.1
Temporal: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59926 None

CVE-2026-59925 - inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59925
MITRE
NVD
CVE Title: inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:07:05    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59925
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 python-mistune 3.3.0-1 on Azure Linux 3.0 Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59925 None

CVE-2026-59930 - Mistune toc / TableOfContents directive: heading IDs use predictable `toc_N` numbering with no slugification, allowing collision with attacker-controlled `id="toc_N"` content

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59930
MITRE
NVD
CVE Title: Mistune toc / TableOfContents directive: heading IDs use predictable `toc_N` numbering with no slugification, allowing collision with attacker-controlled `id="toc_N"` content
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:07:18    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59930
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 python-mistune 3.3.0-1 on Azure Linux 3.0 Moderate Unknown None Base: 4.3
Temporal: 4.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59930 None

CVE-2026-59890 - setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59890
MITRE
NVD
CVE Title: setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-13T14:40:57    

Information published.


1.0    2026-07-11T01:07:37    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59890
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 python3 3.12.9-13 on Azure Linux 3.0 Moderate Unknown None Base: 6.1
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Unknown
azl3 python-pip 24.2-9 on Azure Linux 3.0 Moderate Unknown None Base: 6.1
Temporal: 5.6
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U
Unknown
azl3 python-setuptools 69.0.3-5 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 6.1
Temporal: 5.6
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U
No
azl3 python-virtualenv 20.36.1-5 on Azure Linux 3.0 Moderate Unknown None Base: 6.1
Temporal: 5.6
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U
Unknown
azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 Moderate Unknown None Base: 6.1
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59890 None

CVE-2026-58207 - NATS Server: Remote crash via integer overflow in Connz pagination

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58207
MITRE
NVD
CVE Title: NATS Server: Remote crash via integer overflow in Connz pagination
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:07:49    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58207
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 telegraf 1.31.0-23 on Azure Linux 3.0 Important Unknown None Base: 7.7
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58207 None

CVE-2026-58251 - NATS Server: Queue Subscribe Authz Bypass

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58251
MITRE
NVD
CVE Title: NATS Server: Queue Subscribe Authz Bypass
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:07:55    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58251
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 telegraf 1.31.0-23 on Azure Linux 3.0 Moderate Unknown None Base: 6.5
Temporal: 6.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58251 None

CVE-2026-58208 - NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58208
MITRE
NVD
CVE Title: NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:08:02    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58208
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 telegraf 1.31.0-23 on Azure Linux 3.0 Moderate Unknown None Base: 6.8
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58208 None

CVE-2026-58252 - NATS Server: Subscribe Authz Bypass via Wildcard-Overlap

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58252
MITRE
NVD
CVE Title: NATS Server: Subscribe Authz Bypass via Wildcard-Overlap
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:08:14    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58252
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 telegraf 1.31.0-23 on Azure Linux 3.0 Moderate Unknown None Base: 6.5
Temporal: 6.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58252 None

CVE-2026-58209 - NATS Server: MQTT retained and QoS replay bypass subscribe deny filters

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58209
MITRE
NVD
CVE Title: NATS Server: MQTT retained and QoS replay bypass subscribe deny filters
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:08:20    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58209
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 telegraf 1.31.0-23 on Azure Linux 3.0 Moderate Unknown None Base: 4.3
Temporal: 4.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58209 None

CVE-2026-58253 - NATS Server: Route API Auth Bypass

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58253
MITRE
NVD
CVE Title: NATS Server: Route API Auth Bypass
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:08:26    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58253
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 telegraf 1.31.0-23 on Azure Linux 3.0 Important Unknown None Base: 8.8
Temporal: 8.1
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58253 None

CVE-2026-40468 - Heap buffer overflow in gawk

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-40468
MITRE
NVD
CVE Title: Heap buffer overflow in gawk
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T01:01:35    

Information published.


Low Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-40468
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 gawk 5.2.2-1 on Azure Linux 3.0 Low Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-40468 None

CVE-2026-53354 - arm64: errata: Mitigate TLBI errata on various Arm CPUs

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53354
MITRE
NVD
CVE Title: arm64: errata: Mitigate TLBI errata on various Arm CPUs
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T01:03:11    

Information published.


2.0    2026-07-02T14:43:39    

Information published.


3.0    2026-07-09T01:44:00    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53354
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 Important Unknown None Base: 7.1
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53354 None

CVE-2026-41579 - runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-41579
MITRE
NVD
CVE Title: runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T01:03:03    

Information published.


2.0    2026-07-05T14:42:07    

Information published.


Low Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-41579
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 runc 1.3.3-2 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Low Unknown None Base: 3.3
Temporal: 3.3
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-41579 None

CVE-2026-53345 - KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53345
MITRE
NVD
CVE Title: KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T01:03:18    

Information published.


2.0    2026-07-02T14:43:46    

Information published.


3.0    2026-07-09T01:44:09    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53345
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 Moderate Unknown None Base: 6.5
Temporal: 6.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53345 None

CVE-2026-53332 - slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53332
MITRE
NVD
CVE Title: slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-02T14:44:05    

Information published.


1.0    2026-07-02T01:03:36    

Information published.


3.0    2026-07-09T01:44:16    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53332
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 Moderate Unknown None Base: 5.5
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53332 None

CVE-2026-53336 - nvmem: layouts: onie-tlv: fix hang on unknown types

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53336
MITRE
NVD
CVE Title: nvmem: layouts: onie-tlv: fix hang on unknown types
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T01:03:55    

Information published.


2.0    2026-07-02T14:44:24    

Information published.


3.0    2026-07-09T01:44:34    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53336
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 Moderate Unknown None Base: 5.5
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53336 None

CVE-2026-53327 - debugobjects: Do not fill_pool() if pi_blocked_on

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53327
MITRE
NVD
CVE Title: debugobjects: Do not fill_pool() if pi_blocked_on
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-02T14:44:11    

Information published.


1.0    2026-07-02T01:03:43    

Information published.


3.0    2026-07-08T14:44:19    

Information published.


4.0    2026-07-09T01:44:25    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53327
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.5
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53327 None

CVE-2026-53337 - net: bonding: fix NULL pointer dereference in bond_do_ioctl()

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53337
MITRE
NVD
CVE Title: net: bonding: fix NULL pointer dereference in bond_do_ioctl()
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-02T14:44:17    

Information published.


1.0    2026-07-02T01:03:49    

Information published.


3.0    2026-07-09T14:50:04    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53337
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.5
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53337 None

CVE-2026-53356 - drm/i915/gem: Fix phys BO pread/pwrite with offset

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53356
MITRE
NVD
CVE Title: drm/i915/gem: Fix phys BO pread/pwrite with offset
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T01:04:52    

Information published.


2.0    2026-07-02T14:45:14    

Information published.


3.0    2026-07-09T14:50:52    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53356
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.1
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53356 None

CVE-2026-53353 - hsr: Remove WARN_ONCE() in hsr_addr_is_self().

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53353
MITRE
NVD
CVE Title: hsr: Remove WARN_ONCE() in hsr_addr_is_self().
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T01:04:26    

Information published.


2.0    2026-07-02T14:44:49    

Information published.


3.0    2026-07-09T14:50:20    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53353
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.5
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53353 None

CVE-2026-53339 - i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53339
MITRE
NVD
CVE Title: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-02T01:05:05    

Information published.


2.0    2026-07-02T14:45:26    

Information published.


3.0    2026-07-09T01:45:03    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53339
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 Moderate Unknown None Base: 5.5
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53339 None

CVE-2026-49090 - Uncontrolled Resource Consumption in Elasticsearch Leading to Denial of Service

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-49090
MITRE
NVD
CVE Title: Uncontrolled Resource Consumption in Elasticsearch Leading to Denial of Service
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T01:01:57    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-49090
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 rubygem-elasticsearch 8.9.0-1 on Azure Linux 3.0 Moderate Unknown None Base: 6.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-49090 None

CVE-2026-53357 - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-53357
MITRE
NVD
CVE Title: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-03T01:02:18    

Information published.


2.0    2026-07-09T14:38:55    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-53357
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.9
Temporal: 5.9
Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-53357 None

CVE-2026-9079 - stale proxy password leak

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-9079
MITRE
NVD
CVE Title: stale proxy password leak
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-06T14:46:14    

Information published.


4.0    2026-07-12T14:47:37    

Information published.


1.0    2026-07-04T01:04:07    

Information published.


3.0    2026-07-09T01:46:04    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-9079
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 cmake 3.30.3-14 on Azure Linux 3.0 Important Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown
azl3 curl 8.11.1-9 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Important Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Important Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Important Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-9079 None

CVE-2026-8927 - env-set cross-proxy Digest auth state leak

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-8927
MITRE
NVD
CVE Title: env-set cross-proxy Digest auth state leak
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-06T14:45:49    

Information published.


3.0    2026-07-09T01:49:26    

Information published.


1.0    2026-07-04T01:03:49    

Information published.


4.0    2026-07-12T14:47:16    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-8927
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 cmake 3.30.3-14 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 curl 8.11.1-9 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
No
azl3 mysql 8.0.46-1 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.75.0-30 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown
azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-8927 None

CVE-2026-12064 - proto-default skips SSH verification

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-12064
MITRE
NVD
CVE Title: proto-default skips SSH verification
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
2.0    2026-07-06T14:47:07    

Information published.


3.0    2026-07-09T01:48:39    

Information published.


4.0    2026-07-12T14:48:43    

Information published.


1.0    2026-07-04T01:06:31    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-12064
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 curl 8.11.1-9 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.4
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
No
azl3 rust 1.75.0-30 on Azure Linux 3.0 Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unknown
azl3 rust 1.90.0-9 on Azure Linux 3.0 Important Unknown None Base: 7.4
Temporal: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-12064 None

CVE-2026-54891 - Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application post-handshake in ssl

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-54891
MITRE
NVD
CVE Title: Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application post-handshake in ssl
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-07T01:01:28    

Information published.


2.0    2026-07-09T01:50:30    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-54891
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 erlang 26.2.5.21-2 on Azure Linux 3.0 Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-54891 None

CVE-2026-56001 - libXfont2 BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56001
MITRE
NVD
CVE Title: libXfont2 BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:02:00    

Information published.


2.0    2026-07-12T14:52:55    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56001
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 libXfont2 2.0.6-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 8.5
Temporal: 7.8
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56001 None

CVE-2026-56003 - libXfont2 computeProps Property Buffer Heap Buffer Overflow

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56003
MITRE
NVD
CVE Title: libXfont2 computeProps Property Buffer Heap Buffer Overflow
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:02:07    

Information published.


2.0    2026-07-12T14:53:12    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56003
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 libXfont2 2.0.6-1 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 8.5
Temporal: 7.8
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56003 None

CVE-2026-55999 - xorg-server / xwayland glamor font atlas Heap Buffer Overflow

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55999
MITRE
NVD
CVE Title: xorg-server / xwayland glamor font atlas Heap Buffer Overflow
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:02:20    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55999
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 wayland 1.22.0-1 on Azure Linux 3.0 Important Unknown None Base: 8.5
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55999 None

CVE-2026-14191 - WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14191
MITRE
NVD
CVE Title: WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-09T01:02:39    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14191
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 clamav 1.5.2-3 on Azure Linux 3.0 Important Unknown None Base: 7.8
Temporal: 7.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14191 None

CVE-2026-59818 - etcd: gRPC client listener does not enforce `--client-crl-file` certificate revocation

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59818
MITRE
NVD
CVE Title: etcd: gRPC client listener does not enforce `--client-crl-file` certificate revocation
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-10T01:01:17    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59818
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 etcd 3.5.30-2 on Azure Linux 3.0 Moderate Unknown None Base: 6.5
Temporal: 6.0
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59818 None

CVE-2026-56289 - Loop with Unreachable Exit Condition in GNU patch

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-56289
MITRE
NVD
CVE Title: Loop with Unreachable Exit Condition in GNU patch
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-10T01:01:27    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-56289
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 kpatch 0.9.8-3 on Azure Linux 3.0 Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown
azl3 patch 2.7.6-9 on Azure Linux 3.0 Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-56289 None

CVE-2026-20213 - ClamAV PE File Format Processing Out-of-Bounds Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-20213
MITRE
NVD
CVE Title: ClamAV PE File Format Processing Out-of-Bounds Memory Corruption Vulnerability
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:01:22    

Information published.


2.0    2026-07-12T14:55:43    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-20213
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 clamav 1.5.2-3 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-20213 None

CVE-2026-20243 - ClamAV ALZ Archive Processing Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-20243
MITRE
NVD
CVE Title: ClamAV ALZ Archive Processing Denial of Service Vulnerability
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:01:53    

Information published.


2.0    2026-07-12T14:57:23    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-20243
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 clamav 1.5.2-3 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-20243 None

CVE-2026-14461 - Out-of-bound read in mtr

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14461
MITRE
NVD
CVE Title: Out-of-bound read in mtr
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:04:28    

Information published.


2.0    2026-07-14T01:39:17    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14461
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 mtr 0.95-3 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14461 None

CVE-2026-14739 - DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-14739
MITRE
NVD
CVE Title: DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:06:33    

Information published.


2.0    2026-07-12T14:58:16    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-14739
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 perl-DBI 1.643-5 on Azure Linux 3.0 CBL-Mariner Releases (Security Update) Important Unknown None Base: 8.6
Temporal: 7.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U
No

Acknowledgements

CVE ID Acknowledgements
CVE-2026-14739 None

CVE-2026-59928 - Mistune block_parser: quadratic-time parsing on long lists of repeated reference-link definitions

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59928
MITRE
NVD
CVE Title: Mistune block_parser: quadratic-time parsing on long lists of repeated reference-link definitions
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:06:53    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59928
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 python-mistune 3.3.0-1 on Azure Linux 3.0 Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59928 None

CVE-2026-59922 - Mistune plugins/formatting: quadratic-time parsing on long runs of `~~x~~`, `==x==`, and `^^x^^` markers (strikethrough / mark / insert)

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59922
MITRE
NVD
CVE Title: Mistune plugins/formatting: quadratic-time parsing on long runs of `~~x~~`, `==x==`, and `^^x^^` markers (strikethrough / mark / insert)
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:07:11    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59922
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 python-mistune 3.3.0-1 on Azure Linux 3.0 Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59922 None

CVE-2026-59869 - js-yaml: YAML merge-key chains can force quadratic CPU consumption

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59869
MITRE
NVD
CVE Title: js-yaml: YAML merge-key chains can force quadratic CPU consumption
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:07:43    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59869
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 python-tensorboard 2.16.2-6 on Azure Linux 3.0 Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59869 None

CVE-2026-58250 - NATS Server: Pre-auth server crash via double INFO in leafnode handshake

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-58250
MITRE
NVD
CVE Title: NATS Server: Pre-auth server crash via double INFO in leafnode handshake
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-11T01:08:08    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-58250
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 telegraf 1.31.0-23 on Azure Linux 3.0 Moderate Unknown None Base: 7.5
Temporal: 6.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-58250 None

CVE-2026-15308 - Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-15308
MITRE
NVD
CVE Title: Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-12T01:01:27    

Information published.


2.0    2026-07-13T14:41:16    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-15308
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 python3 3.12.9-13 on Azure Linux 3.0 Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-15308 None

CVE-2026-59871 - node-tar: Process crash via PAX numeric path type confusion

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59871
MITRE
NVD
CVE Title: node-tar: Process crash via PAX numeric path type confusion
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-12T01:01:34    

Information published.


2.0    2026-07-13T14:41:21    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59871
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 tar 1.35-2 on Azure Linux 3.0 Moderate Unknown None Base: 5.3
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59871 None

CVE-2026-59873 - node-tar: Decompression/parse DoS via unlimited input

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59873
MITRE
NVD
CVE Title: node-tar: Decompression/parse DoS via unlimited input
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-12T01:01:40    

Information published.


2.0    2026-07-13T14:41:27    

Information published.


Critical Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59873
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 tar 1.35-2 on Azure Linux 3.0 Critical Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59873 None

CVE-2026-59874 - node-tar: Negative tar entry size causes infinite loop in archive replace

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-59874
MITRE
NVD
CVE Title: node-tar: Negative tar entry size causes infinite loop in archive replace
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-12T01:01:47    

Information published.


2.0    2026-07-13T14:41:33    

Information published.


Important Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-59874
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 tar 1.35-2 on Azure Linux 3.0 Important Unknown None Base: 7.5
Temporal: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-59874 None

CVE-2026-40553 - Stack-based buffer overflow in gawk

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-40553
MITRE
NVD
CVE Title: Stack-based buffer overflow in gawk
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T01:01:22    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-40553
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 gawk 5.2.2-1 on Azure Linux 3.0 Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-40553 None

CVE-2026-40469 - Heap buffer overflow in gawk

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-40469
MITRE
NVD
CVE Title: Heap buffer overflow in gawk
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T01:01:29    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-40469
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 gawk 5.2.2-1 on Azure Linux 3.0 Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-40469 None

CVE-2026-40467 - Use after free in gawk

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-40467
MITRE
NVD
CVE Title: Use after free in gawk
Description:
Unknown
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T01:01:41    

Information published.


Moderate Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-40467
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
azl3 gawk 5.2.2-1 on Azure Linux 3.0 Moderate Unknown None Base: N/A
Temporal: N/A
Vector: N/A
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2026-40467 None

CVE-2026-55005 - Microsoft Exchange Server Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55005
MITRE
NVD
CVE Title: Microsoft Exchange Server Remote Code Execution Vulnerability
Description:

Heap-based buffer overflow in Microsoft Exchange Server allows an authorized attacker to execute code over a network.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55005
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Exchange Server 2016 Cumulative Update 23 5103215 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server 2019 Cumulative Update 14 5103214 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server 2019 Cumulative Update 15 5103213 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server Subscription Edition RTM 5103212 (Security Update) Important Remote Code Execution None Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55005 kunlun Lab & GLM


kunlun Lab & GLM


CVE-2026-55006 - Microsoft Exchange Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55006
MITRE
NVD
CVE Title: Microsoft Exchange Server Elevation of Privilege Vulnerability
Description:

Insufficient granularity of access control in Microsoft Exchange Server allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55006
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Exchange Server 2016 Cumulative Update 23 5103215 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server 2019 Cumulative Update 14 5103214 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server 2019 Cumulative Update 15 5103213 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server Subscription Edition RTM 5103212 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55006 MARIOS GYFTOS


CVE-2026-55008 - Microsoft Exchange Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55008
MITRE
NVD
CVE Title: Microsoft Exchange Server Spoofing Vulnerability
Description:

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.


FAQ:

How could an attacker exploit this vulnerability?

An attacker could exploit this issue by sending a specifically crafted malicious email to the user. If the user opens this email, in Outlook Web Access, and certain conditions are met, arbitrary execution of JavaScript would occur in the browser context.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Critical Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55008
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Exchange Server 2016 Cumulative Update 23 5103215 (Security Update) Critical Spoofing None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server 2019 Cumulative Update 14 5103214 (Security Update) Critical Spoofing None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server 2019 Cumulative Update 15 5103213 (Security Update) Critical Spoofing None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server Subscription Edition RTM 5103212 (Security Update) Critical Spoofing None Base: 9.6
Temporal: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55008 Michael Maturi with Google


CVE-2026-55009 - Microsoft Exchange Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2026-55009
MITRE
NVD
CVE Title: Microsoft Exchange Server Elevation of Privilege Vulnerability
Description:

Deserialization of untrusted data in Microsoft Exchange Server allows an authorized attacker to elevate privileges locally.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2026-07-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Unlikely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2026-55009
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Exchange Server 2016 Cumulative Update 23 5103215 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server 2019 Cumulative Update 14 5103214 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server 2019 Cumulative Update 15 5103213 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Microsoft Exchange Server Subscription Edition RTM 5103212 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2026-55009 Anonymous