Microsoft's July 14, 2026 security update addresses a vulnerability in Windows Network Policy Server that could let a remote attacker read memory contents over SNMP without any credentials. The flaw, tracked as CVE-2026-50496, carries a CVSS 3.1 score of 7.5 and is rated Important. While the update fixes the underlying code, affected servers—especially those handling RADIUS authentication—remain at risk until patches are deployed.
The Vulnerability: Remote Memory Read via SNMP
CVE-2026-50496 is an out-of-bounds read in the SNMP processing component of Windows Network Policy Server (NPS). Microsoft classifies it as CWE-125, a common memory safety error where software accesses data beyond the allocated buffer. An attacker can exploit this over the network by sending a specially crafted SNMP request, requiring no prior authentication, no user interaction, and low attack complexity.
The practical consequence is that a remote attacker could repeatedly probe the flaw to extract fragments of server memory. Microsoft's advisory identifies the primary impact as information disclosure. However, the initial CVSS vector string recorded by Microsoft tells a slightly different story—something we'll examine shortly.
Because NPS is the Microsoft implementation of the RADIUS protocol, it often sits at the heart of enterprise authentication for VPNs, Wi-Fi networks, and switch administration. A vulnerability in its SNMP interface therefore touches infrastructure that directly controls network access.
Where the Danger Lies: NPS Servers with SNMP Exposure
Although the CVE lists a broad range of affected Windows versions—from Windows 10 and 11 to Windows Server 2012 through 2025—the real-world risk is narrow. The vulnerable code is only present when the Network Policy Server role is installed and the associated SNMP service is enabled. A standard Windows 11 laptop or a file server without NPS is not exposed.
This means IT administrators should focus their attention on:
- Windows Server machines running the Network Policy and Access Services role
- Any server where the SNMP feature is enabled alongside NPS
- Systems that accept SNMP traffic from untrusted network segments
In many organizations, SNMP is left active on authentication servers to support network monitoring tools. If those servers are reachable from user VLANs, partner networks, or—worst case—the public internet, the attack surface widens dramatically.
The patches bring affected systems to specific build numbers. Here are the key thresholds for commonly deployed versions:
| Windows Version | Patched Build (or higher) | Update Package |
|---|---|---|
| Windows Server 2022 | 20348.5386 | KB5099540 |
| Windows Server 2025 | 26100.33158 | July 2026 cumulative update |
| Windows 11 24H2 | 26100.8875 | July 2026 cumulative update |
| Windows 11 25H2 | 26200.8875 | July 2026 cumulative update |
| Windows 10 22H2 | 19045.7548 | July 2026 cumulative update |
Systems running builds below these numbers are considered vulnerable. Note that Server Core installations are also affected for supported Windows Server releases.
The Scoring Confusion: Information Disclosure or Denial of Service?
Microsoft's advisory currently presents a puzzling internal inconsistency. The CVE title and description state the impact is information disclosure. Yet the CVSS 3.1 vector string Microsoft submitted is: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. That translates to no impact on confidentiality or integrity, but a high impact on availability.
In plain language: the scoring suggests the bug might crash the service rather than leak data. An out-of-bounds read can certainly cause a process to terminate unexpectedly, so a denial-of-service outcome is plausible. But the advisory's own description leans the other way.
For defenders, this discrepancy matters less than the unauthenticated, network-facing nature of the flaw. Whether an attack leads to stolen memory contents, a service outage, or both, the important point is that a remote adversary without credentials can trigger unsafe memory operations on a server that controls network access. Until Microsoft clarifies the vector, treat the vulnerability as both a potential information leak and a potential stability threat.
Who Should Act First
The update should be prioritized for:
- Network Policy Servers that act as RADIUS servers for Wi-Fi, VPN, or wired 802.1X authentication.
- NPS servers exposed to guest networks, DMZs, or management interfaces reachable from operational subnets.
- Any Windows Server with the SNMP service installed and the NPS role active.
Home users and typical office PCs are not directly affected because they do not run NPS. However, if you manage a small-business server that doubles as an NPS and is exposed to the internet (a risky configuration in any case), patch immediately.
How to Protect Your Infrastructure
Deploy the July 14, 2026 updates
1. Apply the cumulative update via Windows Update, WSUS, or your patch management tool.
2. Reboot servers as required, and verify the build number matches or exceeds the patched version listed above.
3. For NPS servers that handle authentication, test RADIUS functionality, failover, and SNMP polling after patching.
Restrict SNMP access if immediate patching isn't possible
- Limit SNMP traffic to authorized management stations by IP address. Use Windows Firewall or network ACLs.
- Block SNMP (UDP ports 161 and 162) at network boundaries unless explicitly required.
- Disable the SNMP feature entirely on servers that do not need it. On Windows Server, you can remove the SNMP Service via Server Manager or PowerShell.
Monitor for signs of exploitation
- Watch for unexpected NPS service restarts, gaps in RADIUS accounting, or unusual SNMP request patterns.
- Correlate network telemetry with system logs. An out-of-bounds read might not leave a clean signature, so alerting on anomalies is more effective.
- Use Microsoft Defender for Identity or similar tools to detect suspicious SNMP activity against authentication servers.
Audit your SNMP configuration
Many breaches begin with protocols that have been silently left enabled. Take this opportunity to review which servers run SNMP, what community strings (for SNMPv1/v2c) are in use, and whether lockout policies are in place. Migrating to SNMPv3 with authentication and encryption reduces the risk of simple information leaks, though it doesn't eliminate application-layer bugs like this one.
Beyond July's Patch: Rethinking SNMP on Windows
CVE-2026-50496 is a single flaw, but it highlights a broader issue: network-accessible services on critical infrastructure must be minimized and continuously reviewed. SNMP is decades old and often bolted onto Windows servers for legacy monitoring. In a modern environment, consider replacing SNMP with Windows Remote Management (WinRM), Azure Arc monitoring, or other alternatives that offer better security controls.
Microsoft's July 2026 Patch Tuesday also included fixes for other vulnerabilities, but this one stands out because of its network attack vector and its potential impact on authentication services. While no active exploitation was reported at the time of release, the combination of no authentication and low complexity makes it an attractive target for attackers once they understand the details.
The next few weeks will show whether Microsoft revises the CVSS vector or releases additional guidance. For now, the safest course is to assume that an accessible NPS server with SNMP enabled is at risk for both data leakage and service disruption—and to close that door as soon as possible.