On July 14, 2026, Microsoft released cumulative update KB5101650 for Windows 11 versions 24H2 and 25H2, fixing a critical remote code execution (RCE) vulnerability in Windows Media Foundation. Tracked as CVE-2026-57090, the flaw could allow an attacker to take complete control of an unpatched PC simply by tricking a user into opening a malicious media file. The patch is part of a larger July Patch Tuesday release and should be installed on all affected systems immediately.

The Patch and the Vulnerability — What You Need to Know

CVE-2026-57090 is a heap-based buffer overflow in Windows Media Foundation, a core Windows component that handles audio and video processing for countless applications. Microsoft’s Security Response Center assigns it a CVSS 3.1 score of 8.8, placing it squarely in the critical range. The attack vector is network-based, meaning an attacker can deliver the exploit remotely — through a booby-trapped video file sent by email, a malicious website, or any other channel that can deliver crafted media content to a victim.

However, the vulnerability is not "wormable" — it cannot spread on its own across a network without user interaction. To exploit it, an attacker must persuade a user to open or process the malicious file. Once opened, the attacker could execute arbitrary code with the same permissions as the logged-in user. If that user has administrative rights, the attacker gains full system control; otherwise, the damage is limited to that user’s scope — a strong argument for operating with standard user accounts.

The fix for Windows 11 24H2 arrives with OS build 26100.8875, while 25H2 advances to build 26200.8875. It is delivered through Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog as part of KB5101650. The update also resolves several other Media Foundation RCE issues, including CVE-2026-57087, CVE-2026-57094, and CVE-2026-56189, making it a critical security bundle for any system that handles media files.

Who Is at Risk and How the Attack Works

Because Windows Media Foundation operates behind the scenes — used by browsers, conferencing apps, digital signage, media editors, and many custom applications — the attack surface is broader than it might appear. Even if you never launch Windows Media Player, your PC may rely on Media Foundation to decode a video you watch in a browser or preview a file in File Explorer.

The attack scenario is straightforward: an attacker crafts a specially formed media file that, when parsed by Windows, triggers a buffer overflow, allowing them to inject and run their own code. In practical terms, this could happen if you download a video from an untrusted source, open an attachment in a phishing email, or even visit a compromised website that attempts to load the malicious content automatically (though modern browser sandboxing may add a layer of defense). Microsoft has not disclosed the exact file formats or trigger conditions, but in similar past cases, common formats like MP4, AVI, or MKV have been vectors.

The good news, for now, is that Microsoft says there is no evidence of active exploitation before the patch was released, and no proof-of-concept code has been made public. But that can change quickly once the update is reverse-engineered. The combination of low attack complexity and network reach makes this type of flaw highly attractive to cybercriminals and spyware developers.

What You Should Do Right Now

Home Users: A Five-Minute Fix

If you’re running Windows 11 version 24H2 or 25H2, navigate to Settings > Windows Update and click “Check for updates.” If KB5101650 is available, install it and reboot when prompted. After the restart, verify your OS build number: go to Settings > System > About, and confirm it reads 26100.8875 (24H2) or 26200.8875 (25H2). If you don’t see the update, your system may be subject to a temporary safeguard hold — Microsoft acknowledges a compatibility issue with certain Dell systems using Intel processors that could cause heat or battery drain problems. In that case, the update will not be offered until the issue is resolved, but you should revisit regularly.

Windows 10 and older Windows 11 versions receive the same fix via different update packages. For example:
- Windows 10 version 21H2 and 22H2: KB5099539
- Windows 10 version 1809 and Windows Server 2019: KB5099538

IT Administrators: A Timely Rollout Is Critical

The presence of a user-interaction requirement often tempts some organizations to treat these patches as less urgent than a wormable network flaw. That’s a mistake. Social engineering remains the most effective infection vector, and a single user opening a contaminated file can lead to lateral movement, ransomware deployment, or data theft. Prioritize workstations where employees routinely handle media files from external sources — marketing departments, customer support, and creative teams are high-value targets.

Test the update on a representative sample of hardware, paying special attention to applications that rely heavily on media processing: video conferencing, web browsers with media playback, media editing suites, and line-of-business apps that incorporate video or audio. Microsoft’s release notes also mention a “networking hardening change involving third-party TDI transports” in this update, so if your organization uses legacy VPN clients or network drivers, include those in your testing.

Microsoft has placed a compatibility hold on a limited set of Dell systems with Intel processors due to potential overheating and battery drain. If your fleet includes those models, you may need to wait for a revised driver or BIOS update before installing KB5101650. Check with Dell and Microsoft for mitigation instructions.

Deploy the update using your standard ring-based methodology, but don’t let an extended pilot phase leave the bulk of your workstations exposed. This is a cumulative update that also delivers all prior security fixes; holding off means you’re leaving numerous other vulnerabilities open as well.

The Bigger Picture: Media Foundation and Cumulative Updates

This isn’t the first time Windows Media Foundation has been in the security spotlight, and it won’t be the last. As a complex multimedia framework dating back to Windows Vista, it parses a wide array of codecs and file formats, making it a perennial target for fuzzing and reverse engineering. Microsoft patches these flaws monthly through their cumulative update model, which bundles all OS security changes into a single package. That’s good for simplicity — you don’t have to cherry-pick individual patches — but it also means that skipping a month leaves you vulnerable to every fixed flaw from that release, not just the one you read about in the headlines.

For users and admins alike, the lesson is straightforward: updates aren’t optional. The July 2026 Patch Tuesday includes fixes for a total of several RCE vulnerabilities in Media Foundation alone, as reported by BleepingComputer. Even if you feel your system is at low risk for this specific CVE, the cumulative nature of Windows servicing means you’re also missing fixes for other, potentially more dangerous issues. Set Windows Update to install automatically, and if you manage IT environments, lock in a maximum deferral period that aligns with your risk tolerance — but keep it short.

Outlook: What Happens Next

Security researchers will undoubtedly compare the patched and unpatched binaries to isolate the exact root cause of CVE-2026-57090. In the past, similar disclosures have led to the rapid development of proof-of-concept code, followed by weaponized exploits. While no active attacks have been observed yet, the window is closing. If you haven’t patched by now, every day increases the odds that an exploit will appear.

Microsoft’s advisories may also be updated if new information emerges — such as active exploitation or additional affected products. Keep an eye on the MSRC site and your regular security news feeds. For most users, however, the best defense is simple: install the July updates, verify they took hold, and continue practicing safe computing — don’t open unexpected attachments, and keep your browser and other apps updated as well.