CVE-2026-49797: Patch Windows NTFS RCE in July 14 Updates

CVE-2026-49797, a heap-based buffer overflow in Windows NTFS, was fixed in Microsoft’s July 14, 2026 security updates and can allow an unauthenticated attacker to execute code after a user interacts with malicious content. Despite Microsoft’s “Windows NTFS Remote Code Execution Vulnerability” title, the published CVSS data classifies the attack vector as local rather than network-based, making this a user-assisted file or storage attack—not a wormable NTFS service flaw.
Microsoft rates CVE-2026-49797 as Important, with a CVSS 3.1 base score of 7.8. The Microsoft Security Response Center lists the vulnerability as neither publicly disclosed nor exploited when the update was released, while the Zero Day Initiative and SANS Internet Storm Center independently recorded the same status in their July Patch Tuesday coverage.
The practical instruction is straightforward: deploy the July cumulative updates across supported Windows clients and servers. Administrators should not interpret the local attack vector as a reason to defer remediation, particularly on systems whose users routinely handle downloaded archives, disk images, removable media, email attachments, or files supplied by external parties.

Cybersecurity infographic illustrating Windows updates and a local NTFS heap-based buffer overflow attack flow.“Remote Code Execution” Does Not Mean Network-Reachable​

The naming deserves clarification because “remote code execution” often suggests that an attacker can send traffic directly to an exposed Windows service. Microsoft’s CVSS vector for CVE-2026-49797 is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which says something more constrained.
The attack has low complexity and requires no existing privileges, but it does require local processing and user interaction. A successful exploit could have a high impact on confidentiality, integrity, and availability, meaning arbitrary code execution could expose data, alter the system, or disrupt its operation.
That combination commonly describes a scenario in which an attacker delivers a specially crafted object and convinces a user to open, mount, extract, attach, or otherwise process it. Microsoft’s public CVE description does not yet spell out the exact carrier or interaction required, so it would be premature to declare that a particular extension, disk-image format, archive type, or removable-media workflow is responsible.
The important distinction is between delivery and execution context. A malicious file can arrive remotely through email, a browser download, Microsoft Teams, OneDrive, an SMB share, or another channel while the vulnerable NTFS operation still occurs locally on the endpoint.
This is therefore not equivalent to an unauthenticated attacker sending one packet to TCP port 445 and taking over a machine. It remains an RCE-class weakness because exploitation may result in attacker-controlled code running on the target, but the disclosed metrics indicate that another step must bring the crafted content into contact with the vulnerable NTFS code.

A Confirmed Flaw Is Not a Confirmed Attack​

Microsoft marks the vulnerability’s report confidence as Confirmed. That field addresses the credibility of the vulnerability report and the underlying technical evidence; it does not indicate that attackers are already exploiting the flaw.
In this case, confirmation means Microsoft has acknowledged the defect and supplied a security fix. The National Vulnerability Database identifies the weakness as CWE-122, a heap-based buffer overflow, and reproduces Microsoft’s description that an unauthorized attacker could execute code locally.
Heap corruption vulnerabilities can be difficult to exploit reliably because successful code execution depends on memory layout, reachable code paths, mitigations, and the attacker’s ability to control corrupted data. They can also become more dangerous after researchers compare patched and unpatched binaries—a process known as patch diffing—and determine precisely which NTFS routine Microsoft changed.
That is why the status at publication should be read narrowly:
  • Microsoft had confirmed that the vulnerability existed and had issued a correction.
  • Microsoft had not identified public disclosure before the July 14 release.
  • Microsoft had not reported exploitation in the wild at publication.
  • SANS and the Zero Day Initiative listed CVE-2026-49797 as Important, with no public disclosure or known exploitation.
Those facts lower the immediate emergency level compared with an actively exploited zero-day, but they do not eliminate the post-disclosure risk. Once a cumulative update becomes available, defenders and attackers can both study the change.

NTFS Puts the Patch Across the Windows Fleet​

CVE-2026-49797 affects a broad range of Windows releases because NTFS is a foundational component rather than an optional application. Microsoft’s affected-product data covers Windows 10, Windows 11, and Windows Server editions, including Server Core installations.
For current Windows 11 branches, affected systems include Windows 11 version 24H2 before build 26100.8875, Windows 11 version 25H2 before build 26200.8875, and Windows 11 version 26H1 before build 28000.2269. The listing includes both x64 and Arm64 systems.
Windows 10 versions represented in the affected data include version 1607 before build 14393.9339, version 1809 before build 17763.9020, version 21H2 before build 19044.7548, and version 22H2 before build 19045.7548. Some of those branches remain relevant through specific servicing channels or editions even though ordinary consumer support has ended for older releases.
On the server side, the affected list stretches from Windows Server 2012 and Windows Server 2012 R2 through Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core is explicitly included where Microsoft maintains a separate product entry, confirming that the absence of the desktop shell does not remove the vulnerable NTFS component.
Windows Server 2022 systems need a build at or above 20348.5386, while Windows Server 2025 is corrected at build 26100.33158 or later. Windows Server 2016 and Windows Server 2019 share the corresponding 14393.9339 and 17763.9020 thresholds with their Windows 10 codebase relatives.
Administrators should use the installed operating-system build and their normal Windows Update, Windows Server Update Services, Microsoft Configuration Manager, or Windows Autopatch reporting rather than trying to address NTFS separately. The correction is delivered through the applicable operating-system security update; there is no standalone NTFS switch that neutralizes the vulnerable code path.

Patch First Where Untrusted Files Meet Privileged Work​

Workstations used for email, web browsing, software testing, digital forensics, media production, and support operations deserve early attention because they process large volumes of untrusted content. Shared administrative workstations and jump boxes are particularly sensitive: code execution under an administrator’s active session can turn a user-assisted vulnerability into a much larger compromise.
File servers also warrant timely servicing even though the disclosed vector is local. Servers may mount virtual disks, process backup media, run indexing or security products, host interactive administrator sessions, or accept content that is later handled by privileged software. Server Core reduces some user-facing exposure but is still listed as affected.
Until updates are installed, organizations can reduce—not eliminate—risk by limiting unnecessary handling of unsolicited files, restricting removable storage, scanning inbound content, and keeping routine work out of privileged sessions. Those measures are generic defenses because Microsoft has not published enough technical detail to support a precise file-type block or configuration workaround.
Security teams should also avoid treating endpoint detection as a substitute for the fix. A heap-based overflow in a core filesystem component may produce crashes or unusual child processes, but reliable detection depends on the eventual exploit technique. Preventing vulnerable code from being reached is stronger than attempting to identify every possible payload after memory corruption has occurred.
The Confirmed confidence rating should ultimately drive confidence in the patch requirement, not panic about active attacks. CVE-2026-49797 was not a known zero-day on July 14, but its reach across Windows 10, Windows 11, and supported Windows Server generations makes July’s cumulative update the only dependable fleet-wide resolution.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top