Microsoft’s July 14, 2026 security updates patch a denial-of-service flaw in Windows SMB Server that could let any authenticated user crash a vulnerable file server over the network. Tracked as CVE-2026-56168, the vulnerability requires an attacker to already have valid low-level credentials—no remote code execution, no data theft—but its potential to disrupt critical file shares makes it a must-patch for enterprise environments.
The July Fixes at a Glance
Microsoft rated CVE-2026-56168 as Important with a CVSS 3.1 base score of 6.5. The underlying cause is a null pointer dereference (CWE-476) in the SMB Server service. An attacker who authenticates with any low-privilege account can send a specially crafted request that causes the service to crash, bringing down file shares, profile homes, backup jobs, or clustered workloads that depend on it.
These cumulative updates contain the fix:
| Windows version | KB number | Post-update build |
|---|---|---|
| Windows 10 21H2/22H2 | KB5099539 | 19044.7548 / 19045.7548 |
| Windows 11 24H2/25H2 | KB5101650 | 8875 (both branches) |
| Windows 11 26H1 | KB5101649 | 28000.2525 |
| Windows Server 2022 | KB5099540 | 20348.5386 |
| Windows Server 2025 | KB5099536 | 26100.33158 |
Windows 10 22H2 reached end of normal support on October 14, 2025, so only devices covered by Extended Security Updates (ESU) will receive KB5099539. Consumer PCs that lapsed out of ESU will not get this protection. Windows 11 26H1 builds earlier than 28000.2269 are considered affected, but the July patch moves systems well past that floor.
No standalone CVE-2026-56168 package exists. The fix arrives inside each operating system’s usual monthly cumulative update, which also delivers the rest of July’s reliability and security fixes.
What This Means for Your Systems
Home users and enthusiasts: If you use Windows file sharing on a home LAN—say to shuttle files between a desktop and a laptop—update. The risk is low in typical homes because an attacker would need valid credentials and network access to your shares. But keeping Windows current closes the door entirely. The update downloads through Windows Update, Windows Update for Business, or the Microsoft Update Catalog.
Small businesses: Any office that runs a Windows Server as a central file store or application server should treat this as a routine but urgent update. The authentication requirement doesn’t eliminate risk; it shifts the threat to stolen contractor credentials, a disgruntled employee, or a compromised service account. A single crash can knock users offline and halt workflows until someone restarts the server.
Enterprise administrators: This is a network-available, low-complexity attack that requires only low privileges. That profile makes it attractive inside environments where lateral movement is already possible. File servers, domain controllers (when also serving SMB shares), print servers, distributed file system (DFS) roots, and failover cluster nodes all become targets. If someone steals a service account password or a low-level domain user token, they can crash any unpatched SMB server they can reach over TCP port 445. The result is a pure denial of service—no files are stolen, no system is hijacked—but availability impact is rated high. For a file server supporting hundreds of users, that outage can trigger a significant operational incident.
Security monitoring teams should note that a DoS attack may look like a sudden wave of service failures, automatic restarts, or client disconnects. Without file access or process execution, the incident might not trigger typical detection rules. Correlating SMB connection attempts with subsequent server crashes in the Windows Event Log becomes critical to distinguishing exploitation from an ordinary fault.
How We Got Here
CVE-2026-56168 was disclosed and patched simultaneously on July 14, 2026, as part of the regular Patch Tuesday cycle. Microsoft’s advisory states there is no evidence of active exploitation and no public proof-of-concept code as of publication. CISA’s catalog entry also lists exploitation as “none.”
That doesn’t make it toothless. The authentication barrier stops script kiddies and mass scanners, but enterprise networks constantly juggle identities. Service accounts with SMB access frequently have more privilege than intended, and pass-the-hash or Kerberos ticket attacks can convert one compromised workstation into a launchpad for knocking over file servers. The July update removes the code defect that makes the crash possible, so attackers lose that foothold.
This isn’t another EternalBlue or SMBGhost. Those vulnerabilities enabled remote code execution without authentication, which led to wormable exploits. CVE-2026-56168 stays firmly in the denial-of-service category and requires at least a foothold. Its impact is on availability only, with no confidentiality or integrity loss. Still, for an organization that relies on a handful of file servers, the operational damage can rival a ransomware event in terms of downtime.
Your Patch-and-Protect Checklist
1. Apply the July 2026 cumulative update to every machine that runs the SMB Server service.
Start with Windows Servers, especially those hosting shares, profiles, redirected folders, or DFS namespaces. Then move to Windows 11 workstations where file sharing is enabled. A simple PowerShell command reveals which computers are listening on port 445:
Get-NetTCPConnection -LocalPort 445 -State Listen
Compare that list against business needs and update everything that doesn’t need to offer SMB access. If a machine must wait for a safeguard hold (see below), limit who can reach it over SMB while it remains unpatched.
2. Confirm the build number after the update.
Use winver.exe or (Get-ItemProperty "HKLM:\\Software\\Microsoft\\Windows NT\\CurrentVersion").DisplayVersion to verify the build number matches the table above. Vulnerability scanners that reference the minimum affected build may not tell the whole story—having the latest cumulative update installed is the definitive proof.
3. Harden SMB exposure.
- Block TCP port 445 at internal firewalls between user VLANs and server segments unless SMB is explicitly required.
- Disable SMB Server on Windows clients that don’t need it:
Set-SmbServerConfiguration -EnableSMB1Protocol $false(for obsolete SMB1) and, for SMB2/3, simply stop and disable the LanmanServer service on endpoints that aren’t sharing files. - Audit service accounts that have access to many shares. Any account that can authenticate to an SMB server could trigger the DoS, so reducing the number of identities that can touch critical servers lowers the risk until you’ve patched everything.
4. Monitor for exploitation attempts.
Enable Windows Event Log channels for SMB Server (Microsoft-Windows-SMBServer/Operational). Look for Event ID 1020 (an SMB session was lost) followed by rapid service recovery, or spikes in failed connections from a single source IP. Network detection tools that track SMB session anomalies can also flag bruise-force crash attempts.
5. Navigate the July update caveats.
The same cumulative updates that fix this CVE also contain other changes that may require planning:
- Windows Server 2022 BitLocker recovery prompt: A narrow set of devices using a non-recommended BitLocker Group Policy may ask for the recovery key after restarting. Verify recovery keys are accessible before deployment.
- Third-party TDI transport enforcement: A networking hardening change requires TDI transports to be registered. Applications using unregistered third-party TDI transports may break after the update. Test network-dependent apps in your staging environment.
- Dell system safeguard: Some Dell machines with Intel processors may not yet be offered KB5101650 due to a compatibility hold related to shutdowns, heat, and battery consumption. Don’t bypass the safeguard—instead, apply mitigating SMB controls until the block lifts.
A staged rollout remains the best practice, but compress the test window to hours, not weeks. Validate file access, cluster failover, backup completion, and third-party network applications, then accelerate broader deployment. The risk of an avoidable crash outweighs the relatively low likelihood of encountering these side effects.
What Comes Next
No public exploit code exists today, but reverse engineering a patch to find the bug is a common attacker exercise. We have seen this pattern before: a vulnerability dismissed because it needs authentication, then weaponized after a credential dump or phishing campaign provides that missing piece. Windows Servers that miss July’s updates will remain vulnerable indefinitely; there is no registry key or setting that merely “turns off” the null pointer dereference.
Microsoft hasn’t indicated whether the flaw affects older, out-of-support systems such as Windows Server 2019 or Windows 10 1507 LTSC. Anyone still running those versions should treat them as exposed and either apply extended security contracts or replace them—because no patch will arrive.
For the vast majority of patched environments, CVE-2026-56168 disappears after a successful July update. The broader lesson is that authentication-only requirements don’t fully blunt a DoS bug when file servers sit within arm’s reach of thousands of authenticated users. Limiting SMB reachability through segmentation and routine patching keeps this type of vulnerability from becoming a business-halting surprise.