Microsoft’s July 2026 Patch Tuesday addresses CVE-2026-50431, an information-disclosure vulnerability in the Windows Quality of Service (QoS) Packet Scheduler. While the flaw is rated Important by Microsoft and carries a CVSS 3.1 base score of only 5.5, it affects a sweeping range of Windows versions—from legacy Windows 10 releases all the way up to Windows 11 version 26H1 and Windows Server 2025. The update is the sole remediation path; no workaround exists.

What the vulnerability actually is

CVE-2026-50431 allows a local attacker with limited privileges to extract sensitive information from a Windows system’s memory. According to Microsoft’s advisory, published on July 14, 2026, the bug resides in the QoS Packet Scheduler, a component of the Windows networking stack that prioritizes network traffic based on configured policies.

The attack vector is strictly local (CVSS:AV:L), meaning an adversary must already have code execution on the target machine—through malware, stolen credentials, or a separate compromise. However, once that foothold exists, the attack complexity is low (AC:L), and no user interaction is required (UI:N). Even low-privileged accounts (PR:L) can trigger the leak. The result is high impact on confidentiality (C:H), but integrity and availability are not affected (I:N/A:N). Microsoft has not specified exactly what type of data can be exfiltrated; possibilities include cryptographic keys, plaintext credentials, kernel addresses, or pagefile content.

Because the attack path starts on the local machine, the immediate risk to typical single-user home PCs is limited. The greater concern is in shared environments: terminal servers, virtual desktops, jump boxes, developer workstations, or any system where multiple untrusted users or application identities coexist.

Which Windows versions are affected

The advisory lists an extensive affected-product matrix. Desktop versions include:

  • Windows 10 Version 1607 (corrected at build 14393.9339 via KB5099535)
  • Windows 10 Version 1809 (build 17763.9020 via KB5099538)
  • Windows 10 Versions 21H2 and 22H2 (builds 19044.7548 and 19045.7548, respectively)
  • Windows 11 Version 24H2 (build 26100.8875)
  • Windows 11 Version 25H2 (build 26200.8875)
  • Windows 11 Version 26H1 (build 28000.2269; note that KB5095051, released in June 2026, already includes this correction)
  • Windows Server releases, including Windows Server 2025 (build 26100.33158) and older branches, with Server Core installations also covered

Not every listed OS automatically receives the patch. Some, like Windows 10 1607 and 1809, are only updated through Extended Security Updates (ESU) or specific volume-licensing channels. Administrators must verify not just the OS name but also the full build number (via winver or PowerShell) against the corrected thresholds. Windows 11 26H1 devices that installed the June 2026 cumulative update (KB5095051) are already protected; those on older cumulative updates must apply the July release or later.

Practical impact for different audiences

Home users: The risk is low, but the patch should still be installed as part of regular Windows Update. There is no reason to delay, and the update includes fixes for dozens of other vulnerabilities. Confirm your PC reaches one of the above build numbers after applying updates.

IT administrators: Prioritize systems where multiple users or services share the host. Remote Desktop Session Hosts, Windows 365 Cloud PCs, Azure Virtual Desktop session hosts, and Citrix/VMware Horizon machines deserve faster patching because a low-privileged user could leverage CVE-2026-50431 to read data belonging to other sessions. Developer workstations where containerized or sandboxed processes run under different identities are also higher risk.

Security teams: Don’t let the 5.5 score lull you into complacency. Information-disclosure bugs often act as enablers in exploit chains, undermining ASLR, revealing pointers, or exposing credentials that make privilege escalation more reliable. While Microsoft states exploitation is “less likely” and there was no evidence of active attacks or public disclosure as of July 14, 2026, the landscape can shift once researchers reverse-engineer the patch. Treat this as a normal Patch Tuesday item, but apply the fix within your standard deployment cadence.

How we got here

The QoS Packet Scheduler has been a part of Windows for decades, quietly mapping application traffic to 802.1p priorities. Flaws in kernel-mode networking drivers are relatively common, though many require careful local timing or specific privileges. Microsoft’s decision to rate CVE-2026-50431 Important (rather than Critical) reflects the local attack vector and absence of privilege escalation directly. The CVSS temporal score is further reduced because no exploit code is known (E:U) and an official fix is available (RL:O). But the “Report Confidence: Confirmed” (RC:C) designation simply means Microsoft acknowledges the bug—not that exploitation is impossible.

Interestingly, the Windows 11 26H1 branch already contained the fix through an earlier servicing release. This is typical of Microsoft’s cumulative update model: patches flow into multiple branches as they mature. Organizations that run their own deployment rings might have received the fix weeks earlier if they keep current with preview updates.

What you need to do now

  1. Install the July 2026 cumulative update. Through Windows Update, WSUS, Microsoft Catalog, or endpoint management, deploy the latest servicing stack and cumulative update for your Windows version. A restart is required.
  2. Verify the build number. After patching, check that your OS build matches or exceeds the corrected thresholds above. For example:
    - Windows 10 21H2: 19044.7548 or later
    - Windows 10 22H2: 19045.7548 or later
    - Windows 11 24H2: 26100.8875 or later
    - Windows Server 2025: 26100.33158 or later
  3. Do not attempt workarounds. Microsoft provides no mitigation for this vulnerability. Disabling QoS policies via Group Policy, or assuming that the Packet Scheduler is inactive if no applications request prioritization, will not close the attack surface. The vulnerable code exists in the driver and is loaded regardless of policy configuration.
  4. Scan your inventory. Use vulnerability management tools to identify any endpoints that have not yet reached the corrected build. Configuration Manager, Intune, Windows Admin Center, or third-party scanners can report on build numbers across your fleet.
  5. Plan for future patches. If you are running a version that requires ESU (e.g., Windows 10 1607/1809), ensure your licensing is in order, as the July update may not appear on unlicensed machines.

What to watch next

Microsoft has not released a detailed root-cause analysis, nor has the CVE entry been enriched with additional details in the National Vulnerability Database as of this writing. Once researchers compare the corrected and vulnerable binaries, proof-of-concept code could surface, potentially raising the risk. At that point, organizations that have not yet patched will face greater urgency.

Separately, Microsoft’s assessment of “less likely” exploitation could change if the company later revises the advisory to reflect active attacks. Security teams should watch for updates to the MSRC page and any new blog posts from third-party researchers dissecting the flaw. For now, though, applying the July 2026 Patch Tuesday updates is the straightforward, definitive answer to CVE-2026-50431.