Microsoft’s July 2026 security release fixes a flaw in Windows Push Notifications that can silently expose sensitive data to an attacker who’s already logged into the same machine. The vulnerability, tracked as CVE-2026-50434, doesn’t need the victim to click anything or even be aware—and it affects nearly every supported version of Windows. If you haven’t yet installed the July cumulative update, this is the patch that should move to the top of your list.

The Patch: Specific Builds and KB Numbers

You can’t disable push notifications and call it a day. The fix is embedded in the monthly rollup, and the only safe path is to update to the corrected build. Microsoft has published a clear matrix of vulnerable and patched build ranges, so administrators and power users can verify compliance directly.

For mainstream Windows 11, the key package is KB5101650. It advances version 24H2 to build 26100.8875 and version 25H2 to 26200.8875. Windows 10 22H2 and the remaining 21H2 Long-Term Servicing Channel installs get KB5099539, which brings the OS to 19045.7548 or 19044.7548, respectively.

Here are the corrected build thresholds you should compare against:

  • Windows 10 21H2: build 19044.7548
  • Windows 10 22H2: build 19045.7548
  • Windows 11 24H2: build 26100.8875
  • Windows 11 25H2: build 26200.8875
  • Windows 11 26H1: build 28000.2269 (Note: This threshold was first reached with June’s KB5095051, but the July update supersedes it and remains the recommended installation.)
  • Windows Server 2022: build 20348.5386
  • Windows Server 2025 (including Server Core): build 26100.33158

Notably absent from the list is Windows 11 version 23H2, which Microsoft did not flag as affected. That doesn’t give 23H2 users a free pass to skip July updates—every cumulative release includes other security fixes—but it does mean that particular OS revision is not vulnerable to this push notification data leak.

Windows 11 version 26H1’s situation merits a closer look. Its corrected build threshold predates July, having been delivered in the June 2026 security update. If you already deployed that, you’re protected against CVE-2026-50434. Still, the July update for 26H1 brings additional hardening, so it’s the smarter target.

Who’s Affected and What’s at Stake

On paper, the CVSS 3.1 base score of 5.5 looks medium. But that number doesn’t tell the whole story. The confidentiality impact is rated High, meaning the leaked data could be highly sensitive. The attack vector is local (AV:L), complexity is low (AC:L), and the attacker needs only low privileges (PR:L). No user interaction is required (UI:N). In plain English: anyone who can run code on your machine—whether through a remote desktop session, a compromised low-privilege account, or a piece of malware—can exploit this flaw without you ever noticing.

For home users, the risk is lower but not zero. A single-user PC with strictly vetted applications isn’t an easy target, but drive-by downloads, malicious email attachments, or compromised software updates could all create the local foothold needed. Power users who tinker with scripts or run developer tools should be especially mindful: anything that executes under a standard user account can trigger the information disclosure.

Businesses and IT departments face a more complex landscape. A shared server, a Remote Desktop Session Host, a developer workstation, or a virtual desktop pool all multiply the number of potential local actors. The vulnerability doesn’t care whether the attacker is a disgruntled employee, a contractor with limited access, or an external threat actor who’s already infiltrated the network—it only requires that some code runs locally with a valid user token.

Because the flaw is in Windows Push Notifications, the exposed data likely pertains to notification payloads, app credentials, or system messages. Microsoft has not specified the exact information that can be leaked, but the “High” confidentiality tag suggests it’s not trivial. Attackers could harvest tokens, session identifiers, or other secrets that enable lateral movement or further compromise.

Understanding the Risk: Local Attack, No User Interaction

The CVE-2026-50434 advisory is frustratingly light on technical detail. Microsoft hasn’t disclosed which component files were patched, what type of data can be exposed, or whether any specific event logs can help detect exploitation. At the time of publication, there’s no public proof-of-concept and CISA’s Known Exploited Vulnerabilities catalog lists no active exploitation. But don’t let that lull you into complacency.

The vulnerability’s attack complexity is low. Once a researcher reverse-engineers the patch—and history says that’s a matter of when, not if—weaponized exploits can appear. Information-disclosure bugs rarely make headlines on their own, but they’re prized as stepping stones in attack chains. Data leaked from push notifications could be exactly what an attacker needs to defeat ASLR, forge session cookies, or harvest credentials that lead to a full system takeover.

Security teams that rely on behavioral detection will have a hard time writing specific rules for this one. Without a descriptive process name, file-access pattern, or unique event ID from Microsoft, the only reliable indicator is your patch status. That shifts the burden squarely onto patch management.

How to Protect Your System Now

Step 1: Inventory your devices. Use your endpoint management platform—Intune, Configuration Manager, Windows Update for Business reporting, or a third-party solution—to list every Windows machine and its current OS build. Compare each against the fixed build thresholds above.

Step 2: Deploy the July cumulative update. The patches are available through Windows Update, Microsoft Update Catalog, and WSUS. For home users, checking for updates manually is the fastest route. For organizations, roll out KB5101650 (Windows 11), KB5099539 (Windows 10), or the appropriate server update in your usual ringed deployment.

Step 3: Verify compliance after deployment. Don’t trust that a successful installation event equals protection. Confirm that each machine’s build number matches or exceeds the corrected threshold. You can do this by running winver, querying Get-ComputerInfo in PowerShell, or inspecting the device record in your management tool. Machines that fail to update—due to servicing stack issues, disk space, or Windows 10 end-of-life constraints—should be investigated immediately.

Step 4: Don’t rely on workarounds. Disabling notifications won’t remove the vulnerable code. Microsoft has documented no configuration-based mitigation, so attempting to block push notifications at the firewall or via Group Policy provides false comfort.

Step 5: Test the update in a representative environment. July’s cumulative updates contain more than just the CVE-2026-50434 fix. KB5101650, for example, includes networking hardening for third-party Transport Driver Interface transports. If your organization runs legacy networking software, validate that the update doesn’t break critical functionality before pushing it everywhere.

The Bigger Picture: July’s Cumulative Update Is About More Than One CVE

Treating this as a single-bug bulletin misses the point. The July patches address multiple vulnerabilities, and the push notification fix is just one of them. By updating, you also protect against other disclosed flaws—some of which might allow remote code execution or privilege escalation. Microsoft has not reported any known issues with KB5101650 at the time of writing, so the regression risk appears low.

For users still on Windows 10, be aware that servicing eligibility varies by edition and support program in 2026. Enterprise and Education SKUs under Extended Security Updates may receive patches, but consumer editions likely do not. If a Windows 10 device can’t reach build 19045.7548, it’s a signal that the machine has fallen out of support and should be replaced or upgraded.

What to Watch Next

Microsoft hasn’t promised additional documentation, but the security community will inevitably dig into the patch diff. Expect third-party analyses to surface within weeks, potentially illuminating what data was at risk. If exploitation attempts appear, CISA and Microsoft will update their advisories. In the meantime, the safest posture is to assume that attackers are already reverse-engineering the fix and to prioritize patching accordingly.

Keeeping Windows updated is boring advice until it isn’t. CVE-2026-50434 is a reminder that even a “medium” severity flaw can expose sensitive information with little effort from an attacker. Don’t let it be the one that catches your organization off guard.