Microsoft’s July 2026 security updates, released on July 14, address a significant but locally exploitable memory leak in Windows Server Message Block (SMB). Tracked as CVE-2026-54997, the vulnerability could allow an attacker with limited access to a machine to read sensitive information from system memory. While the flaw carries an “Important” severity rating and a CVSS score of 5.5, its potential to aid further attacks makes patching a priority for shared and business systems.
A Local SMB Memory Leak with Wide Impact
CVE-2026-54997 stems from the use of an uninitialized resource within Windows SMB, according to Microsoft’s Security Update Guide. An attacker who has already gained a foothold on a device—via a compromised account, malicious program, or another vulnerability—can trigger this flaw to read memory contents that should be off-limits. The attack requires no user interaction and is rated low complexity, but it cannot be launched remotely over the network. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms the local nature: the attacker must be logged on locally with low privileges.
Microsoft mapped the vulnerability to CWE-908 (Use of Uninitialized Resource). When software accesses memory that hasn’t been properly cleared, residual data can leak across security boundaries. In this case, the information exposed might include memory addresses, process data, or kernel details, depending on the state of the affected resource. As first reported in Microsoft’s advisory, the company hasn’t specified exactly what data could be revealed, but the high confidentiality impact suggests sensitive material is at risk.
The bug affects a broad range of Windows versions, from Windows 10 1607 to the latest Windows 11 26H1, and Windows Server 2012 through Server 2025. The following table shows the fixed build numbers for commonly deployed editions:
| Windows Edition | Fixed Build Number | Relevant KB |
|---|---|---|
| Windows 11 24H2/25H2 | 26100.8875 / 26200.8875 | KB5101650 |
| Windows 11 26H1 | 28000.2525 | Included in July cumulative update |
| Windows Server 2025 | 26100.33158 | Included in monthly rollup |
| Windows Server 2022 | 20348.5386 | KB5099540 |
| Windows Server 2019 / Win10 1809 LTSC | 17763.9020 | KB5099538 |
| Windows 10 21H2/22H2 | 19044.7548 / 19045.7548 | July cumulative update |
Older LTSC versions (Server 2016, Windows 10 1607) are also patched at builds 14393.9339 and others, but those require specific servicing agreements. Microsoft confirmed that at the time of release, the vulnerability was not publicly disclosed or known to be exploited, as noted in the Zero Day Initiative’s July security review.
Who Should Worry—and Who Can Relax
The risk from CVE-2026-54997 varies widely based on how you use your Windows machine.
Home users with a single account and no untrusted local access are at minimal risk. If no one else has an account on your PC and you don’t run questionable software, the local attack prerequisite means this isn’t a “patch in five minutes” emergency. However, households with shared family computers, where guest accounts exist, should apply the update sooner. Any local user—even with limited guest privileges—could potentially exploit the leak to snoop on system memory.
Power users and developers who frequently run untrusted code or test software in local environments should be more cautious. Virtual machines or sandboxes mitigate the host risk, but if you’re developing or debugging on your main OS, a local memory disclosure can expose sensitive data from other processes. Applying the cumulative update is a straightforward fix.
IT administrators face the most urgent call to action. Servers that host multiple user sessions—Remote Desktop Session Hosts, virtual desktop infrastructure, jump boxes, or file servers with shared access—are prime targets. Even a low-privilege user could exploit this SMB flaw to read memory that might contain secrets from other users or the system itself. While the attack doesn’t grant higher privileges, the information it reveals could fuel further attacks, such as bypassing exploit mitigations or stealing credentials.
Crucially, this is not a remote vulnerability. Blocking SMB ports at the firewall or disabling file sharing won’t prevent exploitation once a user has local access. The only reliable defense is installing the update.
How an Uninitialized Resource Became a Security Threat
Uninitialized resource bugs (CWE-908) are a classic programming error. In the case of Windows SMB, a module failed to initialize a region of memory before using it, leaving behind whatever data was there from a previous operation. While such flaws are often found in drivers or kernel components, their appearance in a core protocol handler like SMB is notable because of how many Windows systems enable the service by default.
SMB has been a part of Windows networking for decades, evolving from CIFS to the current SMB 3.x. Microsoft has hardened it against remote attacks over the years, adding encryption and signing to combat man-in-the-middle threats. However, local attack surfaces remain—especially as Windows itself increasingly uses SMB loops for internal communication (e.g., Named Pipes). This vulnerability shows that even with network safeguards, the code can still leak information to a local attacker.
Past SMB vulnerabilities have ranged from remote code execution (e.g., EternalBlue) to denial-of-service flaws. CVE-2026-54997 stands out because of its local-only nature and information disclosure focus. It’s not as dramatic as a wormable bug, but in layered attacks, memory leaks are the reconnaissance that makes the actual breach possible. Security researchers often chain such disclosures with other exploits to bypass address space layout randomization (ASLR) or leak tokens. Microsoft hasn’t indicated that this is part of an active chain, but the potential alone justifies swift action.
The July 2026 updates integrate the fix into the standard cumulative update package, meaning once you install the monthly rollup, you’re protected. Microsoft hasn’t released a standalone out-of-band patch, which aligns with the Important severity and lack of active exploitation.
Applying the Fix: Steps and Precautions
Patching CVE-2026-54997 is straightforward, but verification is essential because the fix isn’t a separate install—it’s baked into the July cumulative update.
For Consumers and Small Businesses
- Open Windows Update (Settings > Windows Update) and check for updates. Install all available updates, then restart.
- Verify your build number: Type
winverin the Start menu or run[System.Environment]::OSVersionin PowerShell. Make sure your build meets or exceeds the fixed build for your version (see table above). - If you manage multiple home PCs, confirm each one is updated.
For Enterprise Administrators
Deploy the relevant July cumulative update through your usual channels: Windows Server Update Services, Configuration Manager, Microsoft Intune, or Windows Update for Business.
Critical actions:
- Prioritize shared servers: Multi-user Windows Server installations (Remote Desktop Session Hosts, file servers with user shares) should be patched first. Workstations in shared environments like call centers or labs are next.
- Watch for known issues: The Windows Server 2022 update (KB5099540) has a documented issue with BitLocker and explicit PCR7 validation. Systems with incompatible Secure Boot binding may trigger recovery prompts. Review Microsoft’s known issues note before broad rollout.
- Verify build numbers after deployment: A successful update status in your management tool doesn’t guarantee the correct build. Use reporting or direct checks (winver, PowerShell) to confirm.
- Don’t rely on perimeter mitigations: Disabling SMB or blocking port 445 won’t stop this local attack. Patch the OS.
- Check unsupported versions: Windows 10 versions that are out of support (e.g., 21H2 if not LTSC) won’t receive the fix unless you have Extended Security Updates (ESU). Identify those and either update or isolate them.
A simple PowerShell command to check the current build:
Get-ComputerInfo -Property OsBuildNumber
Compare the output with the fixed builds listed above. For Windows 11 24H2, for example, you need 26100.8875 or higher.
What Comes Next for SMB Security
Microsoft has not disclosed the finder of CVE-2026-54997 or the timeline of its discovery. With no active exploitation at publication, the immediate risk is contained. However, history shows that once patches are reverse-engineered, proof-of-concept code often follows. Organizations should aim to complete patching within their normal cycle—typically two to four weeks—rather than waiting for signs of trouble.
The nature of this flaw—a local memory disclosure in a ubiquitous Windows service—highlights why “medium severity” bugs still matter. For defenders, this CVE is a reminder to harden local attack surfaces, not just network perimeters. Running untrusted users or applications on the same OS as sensitive workloads always carries risk, and cumulative updates are the cheapest insurance.
Microsoft’s next Patch Tuesday is in August 2026. There’s no indication that this SMB flaw will be expanded or revised, but administrators should monitor the MSRC guide for any updates to the severity or exploitation status. For now, the fix is in hand—install the July updates and move on.