CVE-2026-49792: Patch ReFS Local RCE in July 14 Windows Updates

CVE-2026-49792, an Important-rated flaw in the Windows Resilient File System, can let an authenticated local attacker execute code on affected Windows 10, Windows 11, and Windows Server systems. Microsoft addressed the vulnerability in its July 14, 2026 security updates, and administrators running ReFS workloads should prioritize deployment even though the issue is not known to be exploited.
Microsoft’s Security Response Center describes the defect as a numeric truncation error in ReFS. The National Vulnerability Database assigns it a CVSS 3.1 base score of 7.8, reflecting low attack complexity, limited privileges required, no user interaction, and potentially high impact to confidentiality, integrity, and availability.
Despite Microsoft’s “Remote Code Execution” title, the published CVSS vector is local: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. That distinction matters. The available record does not describe a network-reachable, unauthenticated route into a Windows server; it describes an authorized attacker executing code locally after obtaining some level of access.

Cybersecurity dashboard highlights a local privilege escalation CVE, ReFS storage, and Windows patch deployment.The RCE Label Needs a Local-Attack Asterisk​

Remote code execution usually evokes an attacker sending traffic to an exposed service and gaining control without first logging in. CVE-2026-49792 does not currently fit that conventional picture.
Microsoft’s CVE description says an “authorized attacker” can execute code locally, while the attack-vector field explicitly requires local access and low privileges. A more operationally useful reading is that this is a post-access code-execution vulnerability: an attacker must first reach the machine or obtain a suitable execution context, but successful exploitation could then produce a much more serious compromise.
Microsoft has not publicly detailed the exact ReFS object, operation, or malformed input needed to reach the vulnerable code path. It also has not explained whether exploitation depends on mounting or processing attacker-controlled ReFS storage, issuing particular file-system operations, or interacting with a specially prepared volume.
That missing detail limits defenders’ ability to construct a narrow workaround. It also argues against treating assumptions about malicious virtual disks, removable media, backup files, or Storage Spaces configurations as confirmed attack scenarios. The vendor has identified the vulnerable component and root weakness, but the public advisory does not yet expose enough mechanics to reduce the problem to one clearly defined workflow.

Numeric Truncation Can Turn Size Errors Into Code Execution​

Microsoft maps CVE-2026-49792 to CWE-197, Numeric Truncation Error. This class of bug occurs when software converts a numeric value into a type that cannot preserve the original range or precision.
In file-system code, numeric values can represent lengths, offsets, allocation sizes, record counts, or positions within on-disk structures. If a large value is reduced to a smaller integer unexpectedly, subsequent validation or memory allocation may operate on the truncated number while another part of the code continues to process the original value.
Microsoft has not confirmed that exact sequence for CVE-2026-49792, so it should not be treated as a published exploit analysis. The CVSS impact fields nevertheless indicate that Microsoft believes successful exploitation could permit code execution with high consequences across data exposure, modification, and system availability—not merely a ReFS volume crash.
The CVSS scope remains unchanged, meaning exploitation does not formally cross into a different security authority under the scoring model. That does not make the outcome harmless. Code execution inside a privileged file-system component can still provide a powerful step in a broader attack chain, depending on the execution context Microsoft’s fix protects.

Affected Builds Span Desktop and Server Windows​

The published CVE record identifies a broad set of affected releases, including older Windows branches still serviced through enterprise or extended-support channels. The corrected build thresholds provide administrators with a direct way to verify deployment:
  • Windows 10 Version 1607 and Windows Server 2016 must reach build 14393.9339 or later.
  • Windows 10 Version 1809 and Windows Server 2019 must reach build 17763.9020 or later.
  • Windows 10 Version 21H2 must reach build 19044.7548 or later.
  • Windows 10 Version 22H2 must reach build 19045.7548 or later.
  • Windows Server 2022 must reach build 20348.5386 or later.
  • Windows 11 Version 24H2 must reach build 26100.8875 or later.
  • Windows 11 Version 25H2 must reach build 26200.8875 or later.
  • Windows 11 version 26H1 must reach build 28000.2269 or later.
  • Windows Server 2025 must reach build 26100.33158 or later.
Server Core installations of Windows Server 2016, Windows Server 2019, and Windows Server 2025 are also listed as affected. That is significant for administrators who might otherwise assume the reduced interface and component footprint of Server Core eliminates exposure.
The presence of Windows client versions in the affected list does not mean every home PC actively uses an ReFS-formatted volume. It does mean the vulnerable ReFS implementation is present in covered Windows builds, and Microsoft’s supported remediation is the applicable cumulative security update rather than an ReFS-only package.
Administrators can check the installed OS build with winver, PowerShell’s Get-ComputerInfo, or their endpoint-management inventory. Build comparison is especially useful where July updates are deployed through rings and devices may report that updates were checked without having installed the current cumulative package.

ReFS Servers Deserve the Shorter Patch Window​

CVE-2026-49792 was one of several ReFS vulnerabilities disclosed in Microsoft’s unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 corrected vulnerabilities across Microsoft products, while the Zero Day Initiative catalogued CVE-2026-49792 as Important, CVSS 7.8, and neither publicly disclosed nor exploited at release.
Those status fields provide useful context but should not become a reason to postpone the update indefinitely. “Not exploited” means Microsoft had not identified exploitation when the advisory was published on July 14; it is not a prediction that exploitation will remain absent after attackers compare vulnerable and corrected binaries.
Risk is also uneven across the Windows estate. A workstation with no ReFS storage in ordinary use presents a different practical exposure from a Windows Server 2025 host using ReFS for virtualization, backup repositories, Storage Spaces, or large data volumes.
For server teams, the sensible deployment order is therefore based on both component use and compromise potential. Systems that actively mount ReFS volumes, accept storage artifacts from less-trusted sources, host multi-user workloads, or sit inside environments where a low-privileged foothold is plausible should move toward the front of the July patch queue.
Disabling or migrating ReFS is unlikely to be a proportionate first response unless updates cannot be installed and the administrator fully understands the workload impact. ReFS may underpin Hyper-V storage, backup chains, deduplication-related designs, and other capacity-sensitive deployments. Microsoft has not published a CVE-specific workaround that substitutes for patching.

Patch Verification Matters More Than the Advisory’s Confidence Language​

The supplied vulnerability metadata discusses confidence in whether a flaw exists and how much technical detail is known. For CVE-2026-49792, the existence of the vulnerability is not speculative: Microsoft assigned the CVE, identified ReFS as the affected component, classified the weakness, scored the impact, listed affected builds, and shipped corrected Windows versions.
What remains incomplete is the public exploit narrative. There is no vendor-provided proof of concept, detailed triggering sequence, or documented precondition beyond the local, low-privilege attack vector in the CVSS record.
That combination produces a clear operational decision. Defenders do not need to wait for deeper research to establish whether the vulnerability is real, but they should avoid presenting it internally as an unauthenticated network takeover without evidence.
After installing the July 2026 cumulative update, administrators should verify that devices have crossed the applicable fixed-build threshold and completed any required restart. Vulnerability scanners and compliance tools should be checked against actual OS build data rather than merely the presence of an update approval, particularly on Server Core machines and clustered systems with staggered maintenance.
CVE-2026-49792 is a confirmed, high-impact local attack path hiding behind an RCE label—not a demonstrated wormable ReFS exploit. The immediate consequence is straightforward: patch actively used ReFS servers first, then confirm every affected Windows branch has reached its corrected July 2026 build.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top