The July 14, 2026 security updates from Microsoft patch a vulnerability in Windows Secure Channel that lets an unauthenticated attacker trigger a denial of service over a network. The flaw, tracked as CVE-2026-44806, requires no user interaction or privileges—just network access to a system that processes TLS traffic. While Microsoft rates the issue moderate at CVSS 5.3, its remote exploitability makes it a priority for any organization running Windows servers exposed to the internet.

What the July 14 Patch Actually Fixes

At its core, CVE-2026-44806 is a memory leak in Windows Cryptographic Services—part of the Schannel security support provider that handles SSL and TLS encryption. Microsoft’s advisory classifies it under CWE-401 (Missing Release of Memory after Effective Lifetime). When a remote attacker sends specially crafted packets, the system fails to free memory that is no longer needed. Over time, or through repeated attacks, this resource exhaustion can degrade performance or crash the affected service entirely. No data is stolen, and no code is executed—this is purely a denial-of-service condition.

The fix arrives via the July 2026 cumulative updates. Windows automatically integrates Schannel fixes into the monthly rollup, so you won’t find a standalone patch. The corrected builds and their associated KB identifiers are:

  • Windows 10 version 1607 / Windows Server 2016: KB5099535 (build 14393.9339)
  • Windows 10 version 1809 / Windows Server 2019: KB5099538 (build 17763.9020)
  • Windows 10 versions 21H2 and 22H2: KB5099539 (builds 19044.7548 and 19045.7548)
  • Windows Server 2022: KB5099540 (build 20348.5386)
  • Windows 11 versions 24H2 and 25H2: KB5101650 (builds 26100.8875 and 26200.8875)
  • Windows 11 version 26H1: KB5101649 (build 28000.2525)
  • Windows Server 2025 is fixed at build 26100.33158
  • Extended Security Update (ESU) packages are available for Windows Server 2012, 2012 R2, and Windows 10 22H2 beyond end of support

One notable omission: Windows 11 version 23H2 does not appear in the CVE’s affected-product list, even though it received the July cumulative update KB5099414. Microsoft’s per-CVE applicability data should guide your patching decisions—don’t assume every update carried this fix.

Installation isn’t without caveats. The same July updates may trigger a BitLocker recovery prompt on some managed devices with an unusual PCR7 Group Policy configuration, particularly when Secure Boot reports “PCR7 Binding Not Possible.” They also enforce registration requirements for third-party Transport Driver Interface transports, meaning legacy software that uses sockets over an unregistered TDI transport might stop working. Both issues are documented by Microsoft and should be tested in a pilot ring before broad deployment.

What It Means for You

The severity of CVE-2026-44806 depends on how and where you run Windows. Let’s break it down.

For Everyday Windows Users

If your PC sits behind a router’s firewall and you don’t run an internet-facing server, the immediate risk is low. An attacker would need to reach your device directly on a network port that uses Schannel—a scenario unlikely for most home networks. Still, any device can become a target if you connect to hostile networks (think coffee-shop Wi-Fi). The fix will install automatically through Windows Update if you haven’t deferred updates. Let it.

For Power Users and IT Administrators

This vulnerability is most dangerous on systems that terminate TLS connections from untrusted sources. That includes:

  • Web servers using IIS with HTTPS
  • VPN gateways employing Windows RRAS or SSTP
  • Exchange servers with Outlook on the web
  • Remote Desktop Services gateways
  • Domain controllers accepting LDAPS or Schannel-authenticated traffic

Because no credentials or user interaction are required, a single exposed server is a sitting duck. Attackers can scan the internet for Windows machines, then send crafted packets that gradually chew through memory until the service chokes. Microsoft’s vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) says it all: network-accessible, low attack complexity, no privilege needed, and no user interaction. The “low” availability impact might make you yawn, but for a service hosting critical operations, even a temporary outage can be catastrophic.

Internal servers aren’t safe either. If an infected endpoint or a guest on a BYOD network can reach an internal Schannel-based service, a denial-of-service becomes a lateral-movement tool. Imagine an attacker taking down the company’s internal certificate distribution point or a key database server—disruption without touching credentials.

Microsoft has not released a workaround. Network filtering can reduce exposure, but it can’t inspect encrypted TLS payloads to block the malicious packets. The only reliable defense is the update.

How We Got Here

Schannel is the Windows implementation of TLS and SSL, responsible for encrypting everything from HTTPS traffic to RDP sessions. It’s a foundational piece of Windows security, and like any complex software, it’s prone to memory-management bugs. In 2014, a critical remote-code-execution flaw in Schannel (MS14-066) prompted emergency patching. While CVE-2026-44806 is far less severe, it follows a familiar pattern: a mistake in resource handling that allows an unauthenticated attacker to degrade service availability.

Memory leaks in cryptographic libraries are particularly insidious because they’re often triggered by routine network operations. An attacker doesn’t need to find a rare edge case—they just need to send protocol messages that the system mishandles. Microsoft hasn’t disclosed the exact packet sequence that causes the leak, but the advisory’s characterization as “Missing Release of Memory after Effective Lifetime” suggests a coding oversight where an allocation outlives its usefulness and never gets freed.

The CVSS 5.3 score might seem low, but only because the impact is limited to availability. If your business depends on uptime, that “low” impact becomes high. CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) rates exploitation as “none” at the time of assessment, meaning no known active attacks. However, it also flags the flaw as automatable—once technical details become public, building a reliable exploit will be straightforward. Waiting for a proof of concept to appear before patching is a gamble you don’t need to take.

What to Do Now

  1. Apply the July 2026 cumulative updates immediately on all Windows systems, with priority on internet-facing servers and critical internal infrastructure. The updates are served through Windows Update, WSUS, and the Microsoft Update Catalog.
  2. Test before broad deployment by piloting the update on a representative set of machines. Validate that BitLocker recovery keys are escrowed and confirm that no legacy TDI-dependent applications break. Microsoft’s known issues for these updates document the BitLocker recovery prompt scenario; if you encounter it, check your PCR7 Group Policy settings.
  3. Verify the build number after installation. Use winver or a management tool to confirm the OS matches the corrected build in Microsoft’s advisory. Don’t rely solely on an “update successful” message, as scanners may not immediately flag the CVE as remediated.
  4. Harden your network posture. While you can’t filter out the attack directly, reducing the external footprint of Schannel-using services limits exposure. Close unneeded firewall ports and consider deploying TLS-terminating reverse proxies that aren’t Windows-based.
  5. Monitor for signs of attack. Sudden memory spikes in processes like lsass.exe or services that use Schannel, along with unexplained service crashes, could indicate an exploitation attempt. Event logs may also capture repeated failed TLS handshakes.
  6. Plan for the worst. Denial-of-service attacks can hit without warning. Ensure you have a recovery plan for critical services—automated failover, backups, and a communication strategy for users.

Outlook

Patch Tuesday has come and gone, but the real test begins now. The absence of public exploit code is temporary—history shows that memory exhaustion bugs in high-profile components rarely stay private for long. Keep an eye on the Microsoft Security Response Center for any updates to the CVE, particularly if active attacks emerge and an out-of-band fix becomes necessary.

For now, the July 14 updates are the definitive fix. If you haven’t deployed them yet, you’re effectively choosing to leave an exhaust port open on your Windows machines. Close it.