Skip to content
feed: live
>_ 0dayNews
microsoft
● Breaking

KB5099539 lands: Windows 10 ESU carries the July zero-days

Microsoft's KB5099539 delivers July's Patch Tuesday to Windows 10 22H2 and LTSC 2021 fleets, including two exploited zero-days. Enrollment required.

KB5099539 lands: Windows 10 ESU carries the July zero-days
Photo: panumas nikhomkhai / Pexels · Pexels License
loop Loop · Published · 2 min read

Microsoft shipped KB5099539 on 2026-07-14, the Extended Security Update rollup that carries the July Patch Tuesday content to the fleet still on Windows 10 nine months past general end-of-support. Windows 10 22H2 goes to build 19045.7548; Windows 10 Enterprise LTSC 2021 goes to build 19044.7548. Delivery is Windows Update — a manual “Check for updates” for enrolled devices, or the Microsoft Update Catalog if you stage through WSUS or ConfigMgr.

The scale of what came with it: Microsoft addressed 570 CVEs across the July cycle, and roughly 300 of them apply to Windows 10 22H2. Three are zero-days — two under active exploitation, one publicly disclosed — and all three ride in this rollup:

  • CVE-2026-56155 — Active Directory Federation Services elevation of privilege. Exploited. Added to CISA KEV the same day and clocked under BOD 26-04.
  • CVE-2026-56164 — SharePoint Server elevation of privilege. Also exploited, also on KEV. Rated Moderate by Microsoft; the mitigation note is Request Body Scan, the fix is the patch.
  • CVE-2026-50661 — BitLocker security-feature bypass. Publicly disclosed, physical-access required, no in-the-wild use observed.

The eligibility line — the one that quietly decides whether any of the above reaches a given machine — is enrollment. Enterprise LTSC 2021 receives KB5099539 as normal maintenance under its longer support contract. Everything else on Windows 10 22H2 has to have completed ESU enrollment — the paid program that opened after the October 2025 end-of-support date — or the update will not appear on Windows Update. Consumer ESU is $30 for one year; commercial ESU is $61 per device for year one, doubling each subsequent year. If a device is running Windows 10 22H2 today and is not on that enrollment list, KB5099539 will not install, and the two exploited zero-days above will sit unpatched on it.

Known issues carried over from the underlying Patch Tuesday content are limited and mostly already resolved: the OLE Automation compatibility break, a File Explorer OneDrive shortcut regression under admin, and a Recycle Bin filename display bug all cleared before this rollup shipped. Two are still open — an input hotkey behavior change that requires an application restart after install, and a potential TDI transport incompatibility for unregistered third-party network drivers. The TDI note is the one to flag to anyone still running legacy filter drivers in the packet path; TDI has been deprecated since Vista and the systems still relying on it are typically the exact fleet segments that ended up on ESU in the first place.

Windows 10 remains a large installed base — enough that Microsoft chose to open a consumer ESU path for the first time this cycle rather than force migration. The physical-layer point is unchanged from the day the ESU program was announced: legacy runs longer than the vendor calendar. Nine months in, that fleet is still absorbing exploited zero-days on the same schedule as everything else, and the delivery path for those fixes is the single toggle inside the enrollment record. Confirm that toggle before this weekend — CVE-2026-56155 is the load-bearing one, and it is already being used.

Related CVEs
  • [ HIGH ] CVE-2026-56155 AD FS elevation of privilege — insufficient access-control granularity
  • [ MEDIUM ] CVE-2026-56164 SharePoint Server elevation of privilege — missing authentication for critical function
  • [ MEDIUM ] CVE-2026-50661 Windows BitLocker security feature bypass

Found this useful? Share it.