On July 14, 2026, Microsoft released its monthly round of security fixes, and among them is a patch that Windows 11 and Windows Server 2025 administrators shouldn’t ignore. The vulnerability, tracked as CVE-2026-44800, sits inside the Windows Push Notifications component and carries a CVSS 3.1 score of 7.8—high severity. It can be exploited by someone who already has a foothold on your machine to escalate their privileges and potentially take full control.
Microsoft assigns it an “Important” severity rating, but don’t let that understated label fool you. With local access and low privileges required, an attacker who manages to run code on your PC—through a malicious document, a compromised app, or stolen credentials—could use this bug to jump from subdued user to all-powerful administrator or SYSTEM.
The Flaw: A Race Condition in Push Notifications
CVE-2026-44800 stems from a classic programming mistake: a race condition. Microsoft’s Security Response Center describes it as “improperly synchronized access to a shared resource.” More specifically, the National Vulnerability Database links it to two common weakness enumerations: CWE-362 (concurrent execution using shared resource with improper synchronization) and CWE-416 (use after free).
In practical terms, the Windows Push Notifications service can be tricked into a state where one thread modifies or releases a memory object while another thread is still using it. If an attacker times the operation just right, they can corrupt memory and seize control of the notification process—which runs with higher privileges than a normal user. That elevation then becomes a stepping stone to the rest of the system.
The attack complexity is rated high, meaning that pulling off the exploit requires precise timing and likely multiple attempts. It’s not a point-and-click attack. But “high complexity” is not the same as “impossible.” Determined attackers routinely string together multiple vulnerabilities, and a local privilege escalation like this is exactly the kind of second-stage payload that turns a minor phishing incident into a full-blown system compromise.
What Microsoft Fixed—and What It Didn’t Disclose
Microsoft’s advisory confirms the vulnerability exists and was addressed in the July 2026 cumulative updates. However, the company has not published technical details about which specific function or object is vulnerable, nor has it released proof-of-concept code. That’s standard practice: it gives organizations time to patch before attackers can reverse-engineer the fix.
At the time of disclosure, Microsoft reported no evidence of active exploitation in the wild. But that assessment can change quickly. The vulnerability is now public, and adversaries will study the patch to develop working exploits. The window between patch release and exploitation attempts is shrinking industry-wide.
What we do know is that the flaw affects all supported editions of Windows 11 (23H2, 24H2, 25H2, and 26H1) and Windows Server 2025, on both x64- and Arm64-based systems. Windows 10 and older server releases are not listed as affected, which suggests the vulnerable code was introduced or exposed only in newer builds.
For Windows 11 version 26H1, the fix is already baked into the June 2026 update (KB5095051, build 28000.2269). So if you’re running that release and have kept current, you’re already protected. For everyone else, the July update is your required medicine.
What It Means for You
The practical impact of CVE-2026-44800 depends on who you are and how you use Windows.
For Home Users and Personal PCs
If you’re running Windows 11 and use your computer for everyday tasks—email, browsing, gaming, document editing—the risk is moderate but real. You’re most likely to encounter this vulnerability as part of a multi-stage attack. A phishing email might trick you into opening a booby-trapped Office file that drops malware running under your user account. From there, the malware could exploit the push notification bug to gain administrator privileges, disable your antivirus, install a keylogger, or encrypt your files for ransom.
The good news? Windows Update delivers the fix automatically for most home users. The July 2026 cumulative update (KB5099414 for 23H2; KB5101650 for 24H2 and 25H2) will download and install on its own if you haven’t deferred updates. After installation, a restart will complete the patching. To verify you’re protected, check your OS build number: 22631.7376 for 23H2, 26100.8875 for 24H2, or 26200.8875 for 25H2. You can find this by running winver from the Start menu or looking under Settings > System > About.
For IT Administrators and Enterprise Environments
The stakes are higher in organizations. Shared workstations, virtual desktops, kiosks, terminal servers, and any machine where multiple users log in or where untrusted code can run are prime targets. A low-privilege domain user who exploits this bug can laterally jump to other systems or compromise critical servers.
Windows Server 2025 is explicitly vulnerable (builds below 26100.33158), including Server Core installations. If you use Server 2025 for remote desktop services, application hosting, or as a jump host, prioritize patching those machines. The update for Server 2025 is KB5099536.
Microsoft hasn’t provided a workaround short of installing the update. Disabling push notifications entirely isn’t a reliable mitigation—it may break app functionality without definitively closing the privilege boundary. Your best—and only—course is to test and deploy the cumulative updates.
For compliance-minded teams, the relevant patching thresholds are:
- Windows 11 23H2: Build 22631.7376 or later (KB5099414)
- Windows 11 24H2: Build 26100.8875 or later (KB5101650)
- Windows 11 25H2: Build 26200.8875 or later (KB5101650)
- Windows Server 2025: Build 26100.33158 or later (KB5099536)
Use Windows Update for Business reports, Microsoft Intune, or Configuration Manager to confirm that devices have crossed these lines. A pending restart means the update hasn’t been fully applied, so enforce your usual compliance deadlines.
How We Got Here: Push Notifications and the Privilege Problem
Windows Push Notifications (WPN) is the service that delivers toast notifications, tile updates, and background alerts from Microsoft Store apps. It runs with elevated privileges because it needs to interact with the lock screen, action center, and other system-level components. The service has been a part of Windows since Windows 8, but its implementation has evolved across each release.
Race conditions in privileged system services aren’t new. Microsoft has patched similar bugs in the past, such as CVE-2023-21554 in Windows COM+ Event System and CVE-2024-20666 in Windows Kernel. The common thread is that local privilege escalation vulnerabilities offer attackers a reliable way to breach the boundary between user and administrator. Once that line is crossed, the machine is effectively owned.
The discovery of CVE-2026-44800 likely came through Microsoft’s internal security auditing, a partner reported it through the Microsoft Security Response Center, or it was uncovered during a third-party security assessment. The advisory doesn’t credit an external researcher, which often points to in-house discovery.
The vulnerability’s “scope changed” CVSS designation is particularly noteworthy. It indicates that an exploit could allow the attacker to cross a security boundary—for example, from a user’s session to the SYSTEM account or from a low-privilege AppContainer to the main kernel. This adds to the severity because it breaks the isolation that normally contains low-integrity processes.
What to Do Now
- Install the July 2026 Cumulative Update immediately. For Windows 11 devices, that means accepting KB5099414 (23H2) or KB5101650 (24H2/25H2). For Windows Server 2025, apply KB5099536. If you’re on Windows 11 26H1 with the June update already installed, you’re done.
- Verify your build number. After rebooting, check that the OS build meets or exceeds the thresholds listed above. Do not rely on “up to date” messages alone—incomplete installations happen.
- Audit vulnerable machines. In enterprise environments, scan your network for Windows 11 and Server 2025 systems that have not received the July patches. Pay special attention to virtual desktop pools, lab machines, and any device that might have missed previous updates.
- Harden endpoint security. While no direct indicators of compromise exist for this CVE, general detections for privilege escalation behavior—token manipulation, unexpected service creation, process injections from Office macros—can flag suspicious activity. Make sure your EDR rules are tuned accordingly.
- Plan for the patch cycle. Don’t wait for an exploit to appear in the Metasploit framework. While the attack complexity is high, public availability of a proof-of-concept often follows within weeks of a patch release. The time to act is now.
Outlook: What to Watch Next
CVE-2026-44800 is likely just one of several local privilege escalation vulnerabilities that will be patched in the coming year. The rapid adoption of Windows 11 and Server 2025, along with new features that tap deeper into core system components, expands the attack surface. Security researchers and threat actors alike will probe the new code.
Microsoft typically publishes more technical detail—or even a case study—months after a patch ships, once most customers have applied the fix. Keep an eye on the Microsoft Security Response Center blog and the Security Research & Defense blog for a potential deep-dive. In the meantime, treat this vulnerability as the credible local threat it is, and patch your systems.