On July 14, 2026, Microsoft released its monthly Patch Tuesday updates, and one bulletin stands out: CVE-2026-49795, a local elevation-of-privilege bug in the Windows Kernel. The company rates it only as Important, but a CVSS score of 8.8 and its own assessment that exploitation is “more likely” make it a top priority for any organization that lets more than one person touch a computer.

What Is CVE-2026-49795?

The vulnerability is a use-after-free flaw in the Windows Kernel. In plain terms, the operating system frees a block of memory but then tries to use it again later. An attacker who already has a low-privileged foothold on a machine—through a compromised user account, a malicious document, or another initial-access exploit—can manipulate that freed memory before the kernel reads it, potentially causing the kernel to execute attacker-chosen code with the highest possible permissions.

Microsoft’s advisory specifies that the attack requires local access, low privileges, no user interaction, and low complexity. “Local” means the attacker must first run code on the target computer, but once that condition is met, the exploit can proceed without any additional clicks or prompts. The CVSS vector confirms that successful exploitation impacts confidentiality, integrity, and availability across the system, with “scope changed,” meaning the effect can spill beyond the original component’s security boundary.

No functional exploit code has surfaced publicly, and CISA reports no known active exploitation. However, Microsoft’s “Exploitation More Likely” label—which it uses sparingly—signals that the vendor’s own analysis suggests attackers could develop a reliable exploit in short order. The company has not disclosed the specific kernel object involved, but the combination of a memory-safety bug, low attack complexity, and a high-impact outcome makes this a classic ingredient in post-compromise attack chains.

Which Systems Are Vulnerable?

The flaw cuts across a wide swath of supported Windows editions. Both 32-bit and 64-bit systems are affected where those architectures exist, as well as Arm64 devices. Server Core installations are explicitly included, confirming the issue lives in the core kernel, not a desktop-only feature.

The table below lists the minimum safe build numbers and the corresponding July 2026 cumulative updates that contain the fix.

Windows Release Safe Build (or higher) Required KB
Windows 10 version 1809 / Server 2019 17763.9020 KB5099538
Windows 10 version 21H2 19044.7548 KB5099539
Windows 10 version 22H2 19045.7548 KB5099539
Windows 11 version 24H2 26100.8875 KB5101650
Windows 11 version 25H2 26200.8875 KB5101650
Windows 11 version 26H1 (builds below 28000.2269) 28000.2525 KB5101649
Windows Server 2022 20348.5386 KB5099540
Windows Server 2025 26100.33158 KB5099536

To verify your own machine, open winver (type Win + R, then winver) and check the OS build number against this table. Alternatively, run Get-ComputerInfo -Property OsBuildNumber in PowerShell. Merely seeing a “successful installation” message for a KB is not enough—always confirm the resulting build, as some update mechanisms can report success even when a component fails to install correctly.

What It Means For You

The practical urgency depends on how you use Windows.

Home and small-business users. Run Windows Update, install the July 2026 cumulative update, and restart. That’s it. If your PC is a single-user machine with no shared accounts and you practice basic internet hygiene, the risk is low. But because the patch is bundled with all other July security fixes, there’s no reason to delay.

IT administrators. Treat CVE-2026-49795 as a high-priority patch for any system where more than one person logs in—shared workstations, virtual desktops, jump servers, developer machines, and terminal servers. The same goes for any server that might house local service accounts or be reachable via a compromised network credential. Because the vulnerability eases the jump from a limited user to full system control, it’s especially dangerous in environments that have already been partially compromised.

Developers and line-of-business application owners. The July updates include a hardening change: applications that use sockets over unregistered third-party Transport Driver Interface (TDI) transports may stop functioning. This applies to some legacy networking, filtering, and security software. Before rolling out the patches organization-wide, test such applications on a representative pilot group.

How We Got Here

This isn’t a zero-day. There’s no evidence anyone found and used the bug before July 14. Rather, it follows a familiar Patch Tuesday rhythm: Microsoft’s security team, a researcher, or a partner privately reported the issue, the company confirmed the vulnerability and built a fix, and it arrived in the monthly update package.

What sets CVE-2026-49795 apart from the dozens of other CVEs fixed in the same batch is the “Exploitation More Likely” designation. Microsoft assigns that label based on internal exploitability assessments—considering factors such as the vulnerability’s complexity, the required privileges, and the feasibility of bypassing mitigations. The fact that a local kernel memory-corruption flaw earned this badge should make every Windows defender sit up.

Historically, local privilege escalation bugs in the kernel are a favorite of ransomware gangs and advanced persistent threat actors. They don’t give an attacker the first entry point, but once inside—via a phishing link, a malicious document, or an unpatched remote service—those attackers can use a kernel exploit to disable endpoint protection, steal credentials from the operating system, and move laterally across the network. A patch for a bug that Microsoft itself expects to be weaponized deserves a short deployment window.

Action Plan: Patching Without Breaking Things

Because the fix arrives inside a cumulative update, you can’t selectively install only the CVE-2026-49795 patch. You get the month’s other security and quality changes too. That’s usually fine, but July 2026 ships with a couple of known cautions.

1. Audit your environment. Use your configuration manager, Microsoft Intune, or a PowerShell script to list OS build numbers. Compare them against the table above. Flag any system below the safe threshold.

2. Plan a staged rollout. Test the applicable cumulative update on a representative set of hardware and roles—paying special attention to machines that run legacy networking software or apply custom BitLocker Group Policy settings. Microsoft warns that Windows Server 2022 devices configured to explicitly include PCR7 when PCR7 binding is unavailable might encounter BitLocker recovery prompts. Verify recovery keys are accessible before broad deployment.

3. Deploy to the highest-risk machines first. Prioritize systems where untrusted users log in, where local password policies are weak, or where public-facing services could give an attacker that initial foothold.

4. Validate after patching. Reboot and check the build number again. Ensure critical services and security agents start correctly. Look for unexplained system crashes—a potential sign of an incompatible driver or, in rare cases, failed exploitation attempts before patching.

5. Monitor for unusual behavior. Even after updating, keep an eye out for processes unexpectedly gaining system-level privileges, security tools turning off, or unusual kernel-mode activity. Microsoft hasn’t published any specific indicators of compromise for CVE-2026-49795, so behavioral detection is your best bet.

What Comes Next

Microsoft will almost certainly include further kernel hardening in upcoming releases, and we may see a public proof-of-concept in the weeks ahead. Attackers often reverse-engineer patches to build an exploit for unpatched machines. That clock is now ticking. If your systems aren’t yet at the required July 2026 build levels, the next step is clear: update.

For now, CVE-2026-49795 is a patched vulnerability, not an active campaign. But the combination of a high CVSS score, the “Exploitation More Likely” stamp, and a broad attack surface means staying current isn’t just a best practice—it’s the only practical defense.