CVE-2026-50381: Install July Updates to Fix Windows CimFS Data Leak

CVE-2026-50381 exposes sensitive information through Windows’ Composite Image File System driver, cimfs.sys, and is fixed by Microsoft’s July 14, 2026 cumulative security updates. The flaw requires local access and valid credentials, but successful exploitation can disclose information that the attacker would not normally be permitted to read.
Microsoft classifies the vulnerability as an information-disclosure issue caused by type confusion, while the National Vulnerability Database lists it as CWE-843, “Access of Resource Using Incompatible Type.” The Microsoft-issued CVSS 3.1 score is 5.5, placing it in the Medium severity range.
That score should not be mistaken for irrelevance. CVE-2026-50381 crosses several supported Windows client and server releases, including Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, Windows Server 2022, and Windows Server 2025. It also affects Windows 10 systems still receiving updates through Enterprise LTSC, IoT Enterprise LTSC, or the Extended Security Updates program.

Cybersecurity illustration showing a filesystem driver vulnerability, warning, and July 2026 security patch.The Attack Starts Locally but Ends With High Confidentiality Impact​

Microsoft’s CVSS vector for CVE-2026-50381 is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, an attacker must already be able to run code locally under a low-privilege account, but exploitation is considered to have low complexity and requires no additional user interaction.
The vulnerability does not directly let an anonymous internet attacker compromise an unpatched PC. It also is not described as enabling code execution, privilege escalation, data modification, or denial of service. Its documented effect is confined to confidentiality, though Microsoft assigns that dimension a High impact rating.
That distinction matters in enterprise risk assessments. An information leak can provide credentials, memory contents, system data, or other material that supports a later stage of an intrusion, even when the disclosure bug cannot itself take control of the machine. Microsoft has not publicly detailed exactly what information cimfs.sys may expose, the triggering operation, or whether the disclosed data is predictable.
The vulnerability requires no victim to open a file, click a prompt, or interact with an attacker-controlled window. Once an authorized attacker has local execution, the flaw can reportedly be triggered without user involvement.
Microsoft’s initial disclosure does not provide proof-of-concept code or deep technical analysis. The NVD entry, published on July 14, was still marked “Awaiting Enrichment” shortly after release, so public understanding is presently limited to Microsoft’s description, affected-version data, CWE classification, and severity vector.

CimFS Sits Beneath Windows’ Container and Image Workflows​

The Composite Image File System is a Windows component used to represent and access composite filesystem images. Rather than treating every software image as one large, independently duplicated block of data, CimFS can support image layouts composed from reusable regions and metadata.
That makes cimfs.sys a kernel-mode filesystem driver rather than an ordinary user application. The location raises the value of any unintended disclosure because kernel components process system-level objects and memory that unprivileged software should not be able to inspect directly.
Type confusion occurs when code accesses an object or resource as though it were a different, incompatible type. Depending on the affected data structure and memory state, the program may interpret unrelated memory as valid fields, return unintended contents, or follow references that were never meant for the requested operation.
Microsoft has not said whether CVE-2026-50381 involves a malformed CimFS image, an input/output control request, an object-lifetime error, or another route into the driver. Administrators should therefore avoid building detection or mitigation plans around a presumed exploit mechanism that Microsoft has not confirmed.
The broad Windows version list also indicates that the vulnerable code is not confined to one recent feature release. Systems do not need to be actively running containers for administrators to assume they are safe; Microsoft’s affected-product declaration, rather than observed use of CimFS by a particular workload, should guide patch decisions.

The Fixed Builds Define the Patch Boundary​

Microsoft’s CVE record identifies the following releases and vulnerable build ranges:
  • Windows 10 version 21H2 is affected before build 19044.7548.
  • Windows 10 version 22H2 is affected before build 19045.7548.
  • Windows 11 version 24H2 is affected before build 26100.8875.
  • Windows 11 version 25H2 is affected before build 26200.8875.
  • Windows 11 version 26H1 is affected before build 28000.2269.
  • Windows Server 2022 is affected before build 20348.5386.
  • Windows Server 2025, including Server Core, is affected before build 26100.33158.
For Windows 11 24H2 and 25H2, the July cumulative update is KB5101650, bringing devices to builds 26100.8875 and 26200.8875 respectively. Windows 11 26H1 receives KB5101649 and moves to build 28000.2525, which supersedes the affected boundary listed in the CVE record.
Windows Server 2022 receives KB5099540, producing build 20348.5386. Windows Server 2025 and its Server Core installation option receive KB5099536, bringing the operating system to build 26100.33158.
Eligible Windows 10 21H2 and 22H2 installations receive KB5099539, advancing to builds 19044.7548 and 19045.7548. Consumer Windows 10 22H2 reached the end of free support on October 14, 2025, so organizations relying on that release must have applicable ESU coverage or use a supported LTSC edition to receive the July 2026 correction.
Administrators should verify the resulting OS build rather than checking only whether a July update appears in installation history. Devices that failed installation, rolled back during restart, or remain pinned to an earlier cumulative update can continue to expose the vulnerable driver.

Medium Severity Still Belongs in the July Deployment​

CVE-2026-50381 does not warrant the same emergency response as an unauthenticated remote-code-execution flaw. Its local attack vector and low-privilege prerequisite give defenders an opportunity to contain exposure through account controls, application allowlisting, endpoint detection, and restrictions on interactive server access.
Those controls are compensating measures, not a replacement for the update. The low attack-complexity rating means that once an attacker gains a foothold, Microsoft does not expect exploitation to depend on unusually fragile timing or highly specialized environmental conditions.
Server fleets deserve particular attention because both Windows Server 2022 and Windows Server 2025 are affected, including Server Core. Organizations commonly grant local execution indirectly through application services, management agents, scheduled workloads, developer tooling, or compromised service accounts, even when interactive logon is tightly restricted.
There is no vendor-documented workaround in the currently available public information that offers protection equivalent to updating cimfs.sys. Disabling container-related workloads or attempting to remove the driver could also break supported Windows functionality without demonstrating that every attack path has been closed.
The practical response is therefore straightforward: deploy the July 14 cumulative update through Windows Update, Windows Update for Business, Microsoft Configuration Manager, WSUS, or the Microsoft Update Catalog; confirm the fixed build; and investigate any endpoint that cannot be brought across the stated version boundary. Until Microsoft publishes fuller technical details or revises the advisory, the corrected Windows build is the only dependable dividing line between affected and patched systems.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top