Microsoft shipped its monthly security updates on July 14, 2026, closing a dangerous remote-code-execution hole in Windows Media Foundation that earned an 8.8 CVSS severity score. Dubbed CVE-2026-57087, the flaw lets attackers hijack a PC simply by tricking a user into opening a malicious media file or visiting a crafted website—no advanced privileges needed. The patch is available for all currently supported Windows versions, but the clock is ticking for organizations still running older systems.

The Flaw: A Heap-Based Buffer Overflow in Media Foundation

At its core, the vulnerability is a classic memory-safety blunder: a heap-based buffer overflow in Windows Media Foundation, the framework that powers multimedia playback, streaming, and transcoding across the operating system. The National Vulnerability Database classifies it as CWE-122, and Microsoft’s advisory confirms that an unauthorized attacker could execute code over a network if they can persuade a target to interact with specially crafted content.

The CVSS 3.1 vector string (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) explains the risk profile: network-reachable, low complexity, no privileges needed, but user interaction is required. That means it is not a self-propagating worm that can jump across the internet without any human action. However, the “user interaction” can be as minimal as clicking a link in an email, opening a shared document with an embedded media stream, or visiting a booby-trapped webpage. In other words, it’s a remote attack—just not an automatic one.

The impact of a successful exploit is severe: complete compromise of confidentiality, integrity, and availability. An attacker could read, modify, or delete data; install malware; or move laterally across a network using the victim’s identity. Right now, according to CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree data, there are no signs of active exploitation and the flaw is not automatable. That is the only silver lining.

Who Is Affected and How to Verify You're Patched

Every supported Windows client and server release has been patched. The table below shows the exact cumulative update (KB article) and the minimum operating system build that closes this vulnerability. If your device reports a build number at or above the listed one after installing updates and rebooting, you are protected.

Windows Version Required KB Minimum Build
Windows 10 1607 / Server 2016 KB5099535 14393.9339
Windows 10 1809 / Server 2019 KB5099538 17763.9020
Windows 10 21H2 KB5099539 19044.7548
Windows 10 22H2 KB5099539 19045.7548
Windows 11 24H2 KB5101650 26100.8875
Windows 11 25H2 KB5101650 26200.8875*
Windows 11 26H1 (included in servicing) 28000.2525
Windows Server 2022 KB5099540 20348.5386
Windows Server 2025 / Server Core (July security update) (check KB details)

\*Note: Microsoft’s advisory initially listed Windows 11 25H2 with the 26100.8875 threshold, but the official KB5101650 release notes specify build 26200.8875. Always confirm the build on your device after updating; a winver check or fleet-inventory scan removes any guesswork.

For environments with many endpoints, do not assume a “Success” status in your update management console means the job is done. The final build number is the only reliable indicator that the cumulative update superseded old binaries and the required restart completed. Use PowerShell (Get-ComputerInfo -Property OsBuildNumber), Microsoft Defender for Endpoint, or your remote monitoring tool to audit build numbers at scale.

Windows 10 Users Face a Hard Deadline—or a Licensing Gap

If you are still running Windows 10, this vulnerability forces an uncomfortable conversation. Microsoft ended mainstream support for Windows 10 version 22H2 on October 14, 2025. The July 2026 patch for those editions is only delivered to machines that are enrolled in the paid Extended Security Updates (ESU) program, or that run a Long-Term Servicing Channel (LTSC) or IoT Enterprise LTSC edition with a valid support window.

A standard Windows 10 Pro or Home PC that did not purchase ESU will not see KB5099539 in Windows Update. It will remain vulnerable indefinitely. For businesses, this means an immediate inventory audit: identify any Windows 10 22H2 endpoints that are still business-critical, verify their ESU or LTSC status, and ensure they receive the July update. If they are not covered, you are exposed.

Home users still on Windows 10 need to act as well. The safe path forward is to upgrade to Windows 11 24H2 or later. If your hardware does not meet the official Windows 11 requirements, consider retiring the machine or switching to a supported operating system. Using an unpatched Windows PC connected to the internet is a gamble that grows more dangerous with each monthly patch cycle.

What to Do Right Now

  1. Install updates immediately. The July 2026 cumulative update packages include the fix for CVE-2026-57087. There is no other mitigation—no registry key, no feature removal. Patching is the only route to protection.
  2. Verify the build number. After rebooting, check that your OS build matches or exceeds the threshold for your edition. This is especially important for servers where restarts can be delayed by maintenance windows.
  3. Test the update in a pilot group. The July patches include a networking hardening change that can break applications using undocumented TDI (Transport Driver Interface) transports. Most modern software doesn’t use this legacy interface, but industrial control systems, antique VPN agents, or proprietary security tools might. Test with a representative sample before a mass rollout.
  4. Prepare for BitLocker recovery prompts. On a small subset of Windows Server 2022 systems where administrators have misconfigured Group Policy to force a specific PCR7 binding that the hardware doesn’t support, the first reboot after patching can trigger a BitLocker recovery key prompt. Microsoft recommends verifying PCR7 configuration before deployment if you use BitLocker.
  5. Audit Windows 10 endpoints. For any device running Windows 10 outside ESU/LTSC, either enroll it in extended updates or start migrating it to Windows 11. The risk extends beyond this single CVE; future critical patches will also sail right past you.

How We Got Here: Why Media Foundation Flaws Keep Appearing

Windows Media Foundation has been a fixture in the security update list for years. Its vast reach—handling video codecs, audio streaming, DRM, and media file parsing—makes it a rich target for vulnerability researchers and attackers alike. In the late 2010s, several memory corruption bugs in Media Foundation led to similar critical RCE advisories, often with the same “user interaction” caveat.

What muddies the water is the sheer variety of ways a user can trigger a media parsing code path. Web browsers delegate video and audio decoding to Media Foundation. Collaboration tools like Microsoft Teams, Zoom, and Slack rely on its codecs. Document preview handlers, photo viewers, and media management apps all dip into the same framework. Attackers only need to find one pathway to deliver evil content—a poisoned .wmv file embedded in a Word document, a hijacked audio CD image downloaded from a peer-to-peer network, or a malicious streaming link shared on social media.

Microsoft’s advisory for CVE-2026-57087 does not specify the precise delivery method exploited, but the broad attack surface means defenders must assume that any media file from an untrusted source could be the trigger.

The Outlook: What to Watch Next

For now, CVE-2026-57087 joins the long list of patched-but-not-yet-exploited vulnerabilities. The coming weeks will determine whether that changes. Security researchers routinely reverse-engineer Microsoft’s patches to understand the root cause and sometimes publish proof-of-concept code. Once a reliable PoC emerges—even one that requires user interaction—cybercriminals can weaponize it in phishing campaigns or malware downloads.

Microsoft will likely update its advisory if exploitation is detected in the wild. Until then, the single most defensible action is to apply the July 2026 cumulative updates, verify your build numbers, and treat any unpatched Windows 10 system that lacks ESU as the highest-risk exception queue in your environment. There is no reason to wait.