CVE-2026-50694
Received Received - Intake

Use After Free in Windows SSTP

Vulnerability report for CVE-2026-50694, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Microsoft Corporation

Description

Use after free in Windows Secure Socket Tunneling Protocol (SSTP) allows an unauthorized attacker to execute code over a network.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
microsoft windows_secure_socket_tunneling_protocol *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-50694 is a use-after-free vulnerability in the Windows Secure Socket Tunneling Protocol (SSTP). This type of vulnerability occurs when a program continues to use memory after it has been freed, which can lead to unexpected behavior or exploitation.

In this case, an unauthorized attacker can exploit this flaw to execute arbitrary code over a network. The vulnerability does not require any privileges or user interaction, making it particularly dangerous.

Impact Analysis

This vulnerability can have severe impacts if exploited.

  • An attacker could execute arbitrary code on a vulnerable system remotely, potentially taking full control of the affected machine.
  • This could lead to data theft, installation of malware, or further compromise of networked systems.
  • Since the attack can be carried out over a network, systems exposed to the internet or untrusted networks are at higher risk.
Compliance Impact

This vulnerability could impact compliance with several standards and regulations, depending on the context of the affected systems.

  • GDPR: If the vulnerable system processes or stores personal data of EU citizens, a successful exploit could lead to unauthorized access or data breaches. GDPR requires organizations to implement appropriate security measures to protect personal data, and a failure to patch this vulnerability could be seen as a violation.
  • HIPAA: For organizations handling protected health information (PHI), this vulnerability could result in unauthorized access to sensitive patient data. HIPAA mandates safeguards to ensure the confidentiality, integrity, and availability of PHI, and exploitation of this flaw could constitute a breach.
  • Other standards like PCI DSS (for payment card data) or industry-specific regulations may also be affected if the vulnerable system handles sensitive or regulated data.

Organizations should assess their exposure and apply patches or mitigations promptly to avoid potential compliance violations.

Mitigation Strategies

Apply the security update provided by Microsoft to address CVE-2026-50694. The update can be found in the Microsoft Update Guide for this vulnerability.

  • Ensure all Windows systems running the Secure Socket Tunneling Protocol (SSTP) are updated to the latest patched version.
  • Monitor Microsoft's security advisories for any additional guidance or workarounds if the update cannot be applied immediately.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50694. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart