CVE-2026-49793, a heap-based buffer overflow in the Windows Resilient File System, has been fixed across supported Windows 10, Windows 11, and Windows Server releases in Microsoft’s July 14, 2026 security updates. Despite Microsoft’s “Remote Code Execution” vulnerability title, the published attack vector describes an authenticated local attack, not unauthenticated code execution over a network.
Microsoft assigned CVE-2026-49793 a CVSS 3.1 score of 7.8, rated High, and identified the underlying weakness as CWE-122: Heap-based Buffer Overflow. The National Vulnerability Database reproduces Microsoft’s description: an authorized attacker can exploit ReFS to execute code locally without requiring user interaction.
That distinction matters for patch prioritization. CVE-2026-49793 is capable of producing a severe compromise after an attacker obtains low-privilege access, but the available evidence does not describe a wormable flaw that can directly compromise an exposed Windows machine from the internet.
Microsoft’s CVSS vector is
Successful exploitation could result in a complete loss of confidentiality, integrity, and availability within the affected security scope. An attacker who already has access to a machine could potentially use the memory-corruption condition to run code, access protected information, alter data, or disrupt the system.
The vulnerability therefore belongs in the post-compromise escalation category. Initial access could come from stolen credentials, malware, a compromised remote-management account, a malicious insider, or another vulnerability. CVE-2026-49793 could then provide a route from that limited foothold to more consequential code execution.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data records no known exploitation and marks the vulnerability as not readily automatable. It nevertheless assigns “total” technical impact, reflecting what a successful exploit could accomplish rather than evidence that attacks are already occurring.
As of July 14, Microsoft is the source of the confirmed technical details. The vendor acknowledgement gives the vulnerability a high degree of credibility, but public documentation remains limited: Microsoft has not published exploit mechanics, proof-of-concept code, or a detailed account of which ReFS operation reaches the vulnerable heap allocation.
Microsoft classifies the attack vector as local, requires low privileges, and describes the attacker as authorized. That combination makes the vulnerability materially different from an unauthenticated ReFS attack reachable through SMB, a remotely mounted share, or a public-facing service.
The “Remote Code Execution” wording can still reflect the ultimate impact category used in Microsoft’s Security Update Guide, but defenders should base exposure decisions on the detailed vector. For CVE-2026-49793, the currently published facts point to local exploitation after access has already been established.
There is also no evidence in the initial record that simply enabling file sharing exposes ReFS to direct exploitation. Administrators should avoid inventing network mitigations unsupported by the advisory, such as assuming that closing SMB ports alone removes the risk.
The security boundary is unchanged in the CVSS vector, meaning execution remains within the same security authority rather than crossing into a separate component’s scope. Even so, high confidentiality, integrity, and availability impacts make the bug useful in a multi-stage intrusion if an attacker can reliably reach the vulnerable ReFS code path.
Affected releases and their first fixed build thresholds include:
Administrators should verify the resulting OS build after deployment rather than relying solely on an update-management console’s “installed” status.
The presence of Windows 10 21H2, Windows 10 22H2, and older server branches does not mean every edition remains entitled to standard public servicing. Patch availability depends on the edition, servicing channel, and any applicable Extended Security Updates arrangement.
Defenders should prioritize machines that actively mount or process ReFS volumes, particularly systems where less-trusted users, services, backup agents, virtual-machine tooling, or administrative automation can interact with storage. Hyper-V hosts and storage-focused Windows Server deployments deserve early testing because an emergency rollback or storage interruption on those machines can carry substantial business impact.
That does not justify leaving ordinary Windows clients unpatched. ReFS support appears across the affected Windows families, and the affected-product list is based on vulnerable code rather than Microsoft’s estimate of how commonly each machine uses the file system.
Organizations that cannot deploy immediately should reduce opportunities for untrusted local access, review membership in local access groups, monitor newly attached or mounted storage, and investigate unusual processes interacting with ReFS volumes. These measures constrain the prerequisite foothold but do not repair the memory-safety defect.
Security teams should also watch for changes to Microsoft’s exploitation assessment. The initial CISA data says exploitation is not known, while the NVD entry remains under enrichment. A public proof of concept, additional researcher analysis, or evidence of active attacks would change the urgency even though the patch itself would remain the required fix.
For now, CVE-2026-49793 is best treated as a high-impact local code-execution vulnerability whose advisory title sounds more remotely reachable than its published vector indicates. The practical response is straightforward: deploy the July 14 updates, confirm the fixed build, and move ReFS-heavy Windows Server systems to the front of the validation queue.
Microsoft assigned CVE-2026-49793 a CVSS 3.1 score of 7.8, rated High, and identified the underlying weakness as CWE-122: Heap-based Buffer Overflow. The National Vulnerability Database reproduces Microsoft’s description: an authorized attacker can exploit ReFS to execute code locally without requiring user interaction.
That distinction matters for patch prioritization. CVE-2026-49793 is capable of producing a severe compromise after an attacker obtains low-privilege access, but the available evidence does not describe a wormable flaw that can directly compromise an exposed Windows machine from the internet.
The Attack Begins With an Existing Foothold
Microsoft’s CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, exploitation requires local access and low privileges, while attack complexity is considered low and no additional user action is necessary.Successful exploitation could result in a complete loss of confidentiality, integrity, and availability within the affected security scope. An attacker who already has access to a machine could potentially use the memory-corruption condition to run code, access protected information, alter data, or disrupt the system.
The vulnerability therefore belongs in the post-compromise escalation category. Initial access could come from stolen credentials, malware, a compromised remote-management account, a malicious insider, or another vulnerability. CVE-2026-49793 could then provide a route from that limited foothold to more consequential code execution.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data records no known exploitation and marks the vulnerability as not readily automatable. It nevertheless assigns “total” technical impact, reflecting what a successful exploit could accomplish rather than evidence that attacks are already occurring.
As of July 14, Microsoft is the source of the confirmed technical details. The vendor acknowledgement gives the vulnerability a high degree of credibility, but public documentation remains limited: Microsoft has not published exploit mechanics, proof-of-concept code, or a detailed account of which ReFS operation reaches the vulnerable heap allocation.
“Remote Code Execution” Needs Careful Reading
The advisory’s name may lead administrators to assume that an attacker can send specially crafted network traffic to a Windows Server host and immediately obtain code execution. The CVSS vector and CVE description do not support that interpretation.Microsoft classifies the attack vector as local, requires low privileges, and describes the attacker as authorized. That combination makes the vulnerability materially different from an unauthenticated ReFS attack reachable through SMB, a remotely mounted share, or a public-facing service.
The “Remote Code Execution” wording can still reflect the ultimate impact category used in Microsoft’s Security Update Guide, but defenders should base exposure decisions on the detailed vector. For CVE-2026-49793, the currently published facts point to local exploitation after access has already been established.
There is also no evidence in the initial record that simply enabling file sharing exposes ReFS to direct exploitation. Administrators should avoid inventing network mitigations unsupported by the advisory, such as assuming that closing SMB ports alone removes the risk.
The security boundary is unchanged in the CVSS vector, meaning execution remains within the same security authority rather than crossing into a separate component’s scope. Even so, high confidentiality, integrity, and availability impacts make the bug useful in a multi-stage intrusion if an attacker can reliably reach the vulnerable ReFS code path.
The Patch Reaches Windows 10 Through Server 2025
The affected-product record is broad. Microsoft lists older servicing branches alongside current Windows 11 and Windows Server versions, including Server Core installations.Affected releases and their first fixed build thresholds include:
- Windows 10 version 1607 and Windows Server 2016 are fixed at build 14393.9339 or later.
- Windows 10 version 1809 and Windows Server 2019 are fixed at build 17763.9020 or later.
- Windows 10 versions 21H2 and 22H2 are fixed at builds 19044.7548 and 19045.7548, respectively.
- Windows Server 2022 is fixed at build 20348.5386 or later.
- Windows 11 version 24H2 is fixed at build 26100.8875 or later.
- Windows 11 version 25H2 is fixed at build 26200.8875 or later.
- Windows 11 version 26H1 is fixed at build 28000.2269 or later.
- Windows Server 2025 is fixed at build 26100.33158 or later.
Administrators should verify the resulting OS build after deployment rather than relying solely on an update-management console’s “installed” status.
winver, the Settings app, Get-ComputerInfo, and normal endpoint-management inventory can all confirm whether a machine has reached the fixed build.The presence of Windows 10 21H2, Windows 10 22H2, and older server branches does not mean every edition remains entitled to standard public servicing. Patch availability depends on the edition, servicing channel, and any applicable Extended Security Updates arrangement.
ReFS Makes Server Inventories the Priority
ReFS is used most heavily in Windows Server environments, including storage systems, virtualization infrastructure, backup repositories, and workloads designed around large volumes and data-integrity features. Those roles make affected servers more operationally sensitive even though the vulnerability is not described as remotely exploitable.Defenders should prioritize machines that actively mount or process ReFS volumes, particularly systems where less-trusted users, services, backup agents, virtual-machine tooling, or administrative automation can interact with storage. Hyper-V hosts and storage-focused Windows Server deployments deserve early testing because an emergency rollback or storage interruption on those machines can carry substantial business impact.
That does not justify leaving ordinary Windows clients unpatched. ReFS support appears across the affected Windows families, and the affected-product list is based on vulnerable code rather than Microsoft’s estimate of how commonly each machine uses the file system.
Organizations that cannot deploy immediately should reduce opportunities for untrusted local access, review membership in local access groups, monitor newly attached or mounted storage, and investigate unusual processes interacting with ReFS volumes. These measures constrain the prerequisite foothold but do not repair the memory-safety defect.
Security teams should also watch for changes to Microsoft’s exploitation assessment. The initial CISA data says exploitation is not known, while the NVD entry remains under enrichment. A public proof of concept, additional researcher analysis, or evidence of active attacks would change the urgency even though the patch itself would remain the required fix.
For now, CVE-2026-49793 is best treated as a high-impact local code-execution vulnerability whose advisory title sounds more remotely reachable than its published vector indicates. The practical response is straightforward: deploy the July 14 updates, confirm the fixed build, and move ReFS-heavy Windows Server systems to the front of the validation queue.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com