CVE-2026-50388 is a high-severity Windows NTFS code-execution vulnerability fixed in Microsoft’s July 14, 2026 security updates, affecting supported Windows 10, Windows 11, and Windows Server releases. Although Microsoft’s advisory calls it a Windows NTFS Remote Code Execution Vulnerability, its CVSS data describes a local attack requiring user interaction rather than an unauthenticated network exploit.
Detailed in Microsoft’s Security Update Guide and subsequently recorded by the National Vulnerability Database, the flaw carries a CVSS 3.1 base score of 7.8. Administrators should deploy the July cumulative updates because successful exploitation could compromise confidentiality, integrity, and availability on an affected machine.
The vulnerability is marked confirmed, but that classification should not be confused with active exploitation. Report confidence describes Microsoft’s certainty that the defect exists and that the technical finding is credible; it does not say attackers are already using it in the wild.
Microsoft describes CVE-2026-50388 as an out-of-bounds read in Windows NTFS that can allow an unauthorized attacker to execute code locally. The associated weaknesses are CWE-125, an out-of-bounds read, and CWE-191, an integer underflow or wraparound condition.
The CVSS vector is
The combination matters. This is not described as a flaw that an Internet attacker can trigger merely by reaching an exposed SMB port or sending a packet to a Windows host. The attacker must instead get malicious input into a context where the targeted system processes it, and a user must take some action.
Microsoft has not publicly documented the complete triggering sequence in enough detail to establish whether the likely delivery mechanism is a crafted file, disk image, removable drive, virtual disk, archive workflow, or another route into the NTFS parser. The CVSS characteristics nevertheless indicate that the victim does not need administrative privileges and that successful exploitation could result in code execution with serious system consequences.
The term remote code execution therefore describes the eventual security impact more than a purely network-based delivery method. An attacker could deliver malicious content remotely through email, a download, a shared location, or another channel, but exploitation occurs locally when Windows processes that content with the required user involvement.
That distinction should prevent two opposite triage errors. Organizations should not treat CVE-2026-50388 like a wormable, pre-authentication server vulnerability, but they also should not dismiss it because its formal attack vector is local.
In this case, Microsoft is both the assigning CVE authority and the vendor responsible for NTFS, so its acknowledgement provides strong confidence that the issue is real. The classification also implies that attackers may eventually have enough information to investigate the vulnerable code path, particularly once security updates can be compared against older Windows binaries.
It does not establish that proof-of-concept exploit code is public. It also does not establish that Microsoft has observed attacks.
CISA’s initial SSVC information, reflected in the NVD change history on July 15, lists exploitation as “none” and describes the vulnerability as not automatable. The technical impact is classified as total, which aligns with the CVSS assessment that a successful attack could fully affect confidentiality, integrity, and availability.
For defenders, that produces a familiar Patch Tuesday profile: no current evidence of exploitation, but potentially severe consequences if exploitation is achieved. The practical response is prompt cumulative-update deployment rather than emergency Internet isolation or speculative NTFS configuration changes.
Affected client releases include Windows 10 versions 1607, 1809, 21H2, and 22H2, as well as Windows 11 versions 24H2, 25H2, and 26H1. Some of those Windows 10 branches receive updates only through specialized servicing or Extended Security Updates, so their appearance does not restore general consumer support.
The server list includes Windows Server 2012 and 2012 R2, including Server Core installations, plus Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core does not avoid exposure because NTFS remains part of the operating system even without the full desktop interface.
For current Windows 11 deployments, the July fix arrives in these cumulative-update baselines:
Because Windows quality updates are cumulative, administrators do not need a separate NTFS hotfix if they install the applicable July 2026 cumulative update or a later superseding package. Vulnerability scanners should evaluate the installed OS build and servicing state rather than searching only for a standalone CVE-specific package.
Until patching is complete, organizations can reduce exposure by applying normal controls around untrusted files and storage media. Email attachment filtering, browser download reputation, endpoint protection, restrictions on removable media, and controls governing disk-image mounting may all reduce opportunities for user-assisted exploitation, although none should be represented as a complete mitigation without Microsoft confirming the trigger.
Server administrators should pay particular attention to systems where users, applications, or automation ingest externally supplied files. File servers, virtual-machine management hosts, backup systems, build infrastructure, security-analysis workstations, and remote desktop session hosts can encounter untrusted storage content even when they are not directly exposed to the Internet.
The required user interaction lowers the immediate likelihood of mass automated compromise, but it also puts the flaw within reach of phishing and social-engineering operations. A convincing attachment or downloaded artifact can be enough to turn a local parser vulnerability into a remotely initiated intrusion.
CVE-2026-50388 should consequently enter normal accelerated patching queues, with higher priority for endpoints and servers that routinely handle files from outside the trust boundary. The concrete milestone is the installed build: systems remaining below Microsoft’s fixed July 2026 baselines should still be considered exposed, regardless of whether antivirus software reports a current exploit campaign.
Detailed in Microsoft’s Security Update Guide and subsequently recorded by the National Vulnerability Database, the flaw carries a CVSS 3.1 base score of 7.8. Administrators should deploy the July cumulative updates because successful exploitation could compromise confidentiality, integrity, and availability on an affected machine.
The vulnerability is marked confirmed, but that classification should not be confused with active exploitation. Report confidence describes Microsoft’s certainty that the defect exists and that the technical finding is credible; it does not say attackers are already using it in the wild.
The RCE Label Needs Its CVSS Context
Microsoft describes CVE-2026-50388 as an out-of-bounds read in Windows NTFS that can allow an unauthorized attacker to execute code locally. The associated weaknesses are CWE-125, an out-of-bounds read, and CWE-191, an integer underflow or wraparound condition.The CVSS vector is
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. That translates into a local attack vector, low attack complexity, no privileges required, required user interaction, unchanged scope, and high potential impact across confidentiality, integrity, and availability.The combination matters. This is not described as a flaw that an Internet attacker can trigger merely by reaching an exposed SMB port or sending a packet to a Windows host. The attacker must instead get malicious input into a context where the targeted system processes it, and a user must take some action.
Microsoft has not publicly documented the complete triggering sequence in enough detail to establish whether the likely delivery mechanism is a crafted file, disk image, removable drive, virtual disk, archive workflow, or another route into the NTFS parser. The CVSS characteristics nevertheless indicate that the victim does not need administrative privileges and that successful exploitation could result in code execution with serious system consequences.
The term remote code execution therefore describes the eventual security impact more than a purely network-based delivery method. An attacker could deliver malicious content remotely through email, a download, a shared location, or another channel, but exploitation occurs locally when Windows processes that content with the required user involvement.
That distinction should prevent two opposite triage errors. Organizations should not treat CVE-2026-50388 like a wormable, pre-authentication server vulnerability, but they also should not dismiss it because its formal attack vector is local.
Confirmed Does Not Mean Exploited
The report-confidence field supplied with the vulnerability is set to confirmed. Under CVSS terminology, that means detailed reports exist, functional reproduction may be possible, or the vendor has confirmed the vulnerable behavior.In this case, Microsoft is both the assigning CVE authority and the vendor responsible for NTFS, so its acknowledgement provides strong confidence that the issue is real. The classification also implies that attackers may eventually have enough information to investigate the vulnerable code path, particularly once security updates can be compared against older Windows binaries.
It does not establish that proof-of-concept exploit code is public. It also does not establish that Microsoft has observed attacks.
CISA’s initial SSVC information, reflected in the NVD change history on July 15, lists exploitation as “none” and describes the vulnerability as not automatable. The technical impact is classified as total, which aligns with the CVSS assessment that a successful attack could fully affect confidentiality, integrity, and availability.
For defenders, that produces a familiar Patch Tuesday profile: no current evidence of exploitation, but potentially severe consequences if exploitation is achieved. The practical response is prompt cumulative-update deployment rather than emergency Internet isolation or speculative NTFS configuration changes.
Nearly Every Serviced Windows Generation Is in Scope
Microsoft’s affected-product data spans client and server editions across several Windows generations. That breadth is unsurprising for a flaw in NTFS, a foundational filesystem component used throughout the Windows estate.Affected client releases include Windows 10 versions 1607, 1809, 21H2, and 22H2, as well as Windows 11 versions 24H2, 25H2, and 26H1. Some of those Windows 10 branches receive updates only through specialized servicing or Extended Security Updates, so their appearance does not restore general consumer support.
The server list includes Windows Server 2012 and 2012 R2, including Server Core installations, plus Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core does not avoid exposure because NTFS remains part of the operating system even without the full desktop interface.
For current Windows 11 deployments, the July fix arrives in these cumulative-update baselines:
- Windows 11 24H2 is protected at OS Build 26100.8875 or later.
- Windows 11 25H2 is protected at OS Build 26200.8875 or later.
- Windows 11 26H1 is protected by a build later than the affected 28000.2269 threshold; Microsoft’s July release advances it to OS Build 28000.2525.
- Windows 10 22H2 reaches OS Build 19045.7548 through its applicable July servicing channel.
Because Windows quality updates are cumulative, administrators do not need a separate NTFS hotfix if they install the applicable July 2026 cumulative update or a later superseding package. Vulnerability scanners should evaluate the installed OS build and servicing state rather than searching only for a standalone CVE-specific package.
File Handling Controls Are Only a Temporary Backstop
Microsoft has not published a dedicated workaround for CVE-2026-50388. There is no documented registry switch, Group Policy setting, or service that safely disables only the vulnerable NTFS behavior while preserving ordinary Windows storage functions.Until patching is complete, organizations can reduce exposure by applying normal controls around untrusted files and storage media. Email attachment filtering, browser download reputation, endpoint protection, restrictions on removable media, and controls governing disk-image mounting may all reduce opportunities for user-assisted exploitation, although none should be represented as a complete mitigation without Microsoft confirming the trigger.
Server administrators should pay particular attention to systems where users, applications, or automation ingest externally supplied files. File servers, virtual-machine management hosts, backup systems, build infrastructure, security-analysis workstations, and remote desktop session hosts can encounter untrusted storage content even when they are not directly exposed to the Internet.
The required user interaction lowers the immediate likelihood of mass automated compromise, but it also puts the flaw within reach of phishing and social-engineering operations. A convincing attachment or downloaded artifact can be enough to turn a local parser vulnerability into a remotely initiated intrusion.
CVE-2026-50388 should consequently enter normal accelerated patching queues, with higher priority for endpoints and servers that routinely handle files from outside the trust boundary. The concrete milestone is the installed build: systems remaining below Microsoft’s fixed July 2026 baselines should still be considered exposed, regardless of whether antivirus software reports a current exploit campaign.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com