Microsoft has patched CVE-2026-49184, an Important-rated Windows NTFS remote code execution vulnerability affecting supported Windows client and server releases. The flaw carries a CVSS 3.1 base score of 8.4 and can compromise confidentiality, integrity, and availability without requiring privileges or user interaction.
Published by the Microsoft Security Response Center on July 14, 2026, CVE-2026-49184 is included in this month’s cumulative Windows security updates. Microsoft says the vulnerability was neither publicly disclosed nor exploited when the patches shipped, and assesses future exploitation as “less likely.”
The headline deserves careful reading, however. Despite Microsoft naming it a remote code execution vulnerability, the technical record describes a local attack vector, not an unauthenticated network attack against an exposed Windows service.
CVE-2026-49184 is a heap-based buffer overflow, classified as CWE-122, in the Windows NTFS implementation. NTFS is the default file system used for Windows system volumes and most internal drives, placing its parsing code deep within the operating system’s trusted storage stack.
According to the CVE record submitted by Microsoft and published through the National Vulnerability Database, an unauthorized attacker can exploit the flaw to execute code locally. The CVSS vector is
A successful exploit could therefore allow arbitrary code execution with a severe impact on the affected system. Microsoft assigns high ratings to all three impact categories: an attacker could potentially read protected information, alter data or system state, and disrupt availability.
What Microsoft has not publicly documented is the precise NTFS object or operation that triggers the overflow. The advisory does not identify a malformed file, disk image, reparse point, metadata structure, or removable volume as the delivery mechanism. Administrators should avoid assuming a specific exploitation route until Microsoft or the vulnerability’s discoverer publishes additional technical analysis.
The supplied report-confidence metric is marked confirmed. In CVSS terminology, that means the vendor has acknowledged the vulnerability or that sufficiently detailed information exists to reproduce and verify it. It does not mean exploit code is public, nor does it establish that attacks have occurred.
In Microsoft vulnerability terminology, remote code execution describes the result: attacker-controlled code runs in the vulnerable environment. It does not necessarily mean an attacker can send one packet across the internet and compromise an unprotected PC. The CVSS attack-vector field is the more useful indicator when determining required proximity.
For CVE-2026-49184,
This distinction matters for prioritization. CVE-2026-49184 is not scored like an internet-facing SMB vulnerability with
It may be especially relevant to multiuser systems, virtual desktop infrastructure, build machines, file-processing services, and servers where untrusted users or applications can introduce content onto NTFS volumes. Until the trigger is documented, restricting exposure to untrusted disk images and removable media is sensible hygiene, but it is not a substitute for installing the update.
The patched build thresholds include:
For mainstream Windows 11 deployments, CVE-2026-49184 is corrected through KB5101650. That cumulative update advances Windows 11 25H2 to build 26200.8875 and Windows 11 24H2 to build 26100.8875. Windows 11 23H2 receives the July security fixes through KB5099414, although that release does not appear in the CVE’s published affected-product record.
The July package is a normal mandatory security cumulative update, so organizations do not need to locate a standalone NTFS hotfix. Existing Windows Update for Business, Windows Server Update Services, Microsoft Intune, and Configuration Manager deployment rings can deliver the correction alongside the month’s other Windows fixes.
The volume creates a practical problem for security teams: a vulnerability can disappear into scanner exports even when its characteristics warrant attention. CVE-2026-49184 is not one of July’s known exploited zero-days, and Microsoft did not rate it Critical, but an 8.4 score with no privileges or user interaction should keep it above routine information-disclosure and denial-of-service findings.
Microsoft also shipped fixes for numerous other NTFS vulnerabilities in the same release, including several additional code execution issues. That concentration suggests administrators should deploy the cumulative operating-system update rather than attempting to prioritize or mitigate individual NTFS CVEs separately.
There are no published workarounds or mitigations specific to CVE-2026-49184. Disabling SMB, applying email attachment controls, or blocking a particular file extension cannot be considered complete defenses because Microsoft has not disclosed the triggering input or access path.
Administrators should validate that endpoints reached the appropriate July 2026 build, confirm server reboots where required, and investigate devices that remain below the fixed thresholds. Vulnerability scanners should key on the installed Windows build or applicable KB rather than relying solely on Microsoft’s “remote” title.
The immediate action is straightforward: install the July 14 cumulative Windows security update and verify the resulting build. The unresolved issue is technical rather than operational—until more details emerge, defenders know that NTFS contains a confirmed, low-complexity heap overflow capable of code execution, but not exactly what attacker-controlled object reaches it.
Published by the Microsoft Security Response Center on July 14, 2026, CVE-2026-49184 is included in this month’s cumulative Windows security updates. Microsoft says the vulnerability was neither publicly disclosed nor exploited when the patches shipped, and assesses future exploitation as “less likely.”
The headline deserves careful reading, however. Despite Microsoft naming it a remote code execution vulnerability, the technical record describes a local attack vector, not an unauthenticated network attack against an exposed Windows service.
A Heap Overflow at the File-System Boundary
CVE-2026-49184 is a heap-based buffer overflow, classified as CWE-122, in the Windows NTFS implementation. NTFS is the default file system used for Windows system volumes and most internal drives, placing its parsing code deep within the operating system’s trusted storage stack.According to the CVE record submitted by Microsoft and published through the National Vulnerability Database, an unauthorized attacker can exploit the flaw to execute code locally. The CVSS vector is
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which translates to a low-complexity local attack requiring neither existing privileges nor interaction from another user.A successful exploit could therefore allow arbitrary code execution with a severe impact on the affected system. Microsoft assigns high ratings to all three impact categories: an attacker could potentially read protected information, alter data or system state, and disrupt availability.
What Microsoft has not publicly documented is the precise NTFS object or operation that triggers the overflow. The advisory does not identify a malformed file, disk image, reparse point, metadata structure, or removable volume as the delivery mechanism. Administrators should avoid assuming a specific exploitation route until Microsoft or the vulnerability’s discoverer publishes additional technical analysis.
The supplied report-confidence metric is marked confirmed. In CVSS terminology, that means the vendor has acknowledged the vulnerability or that sufficiently detailed information exists to reproduce and verify it. It does not mean exploit code is public, nor does it establish that attacks have occurred.
“Remote Code Execution” Does Not Mean Network-Exposed
Microsoft’s title and its CVSS vector appear contradictory at first glance. The company categorizes the impact as remote code execution, while the vector explicitly says exploitation is local.In Microsoft vulnerability terminology, remote code execution describes the result: attacker-controlled code runs in the vulnerable environment. It does not necessarily mean an attacker can send one packet across the internet and compromise an unprotected PC. The CVSS attack-vector field is the more useful indicator when determining required proximity.
For CVE-2026-49184,
AV:L means the vulnerable component must be accessed through a local path. That could still involve attacker-supplied content delivered remotely before being processed on the target, but Microsoft has not published enough detail to confirm that scenario. The absence of a user-interaction requirement also means administrators should not automatically treat the vulnerability as a conventional “convince someone to open a file” issue.This distinction matters for prioritization. CVE-2026-49184 is not scored like an internet-facing SMB vulnerability with
AV:N, but its combination of no required privileges, low attack complexity, and high system impact makes it more serious than an ordinary post-compromise privilege-escalation bug.It may be especially relevant to multiuser systems, virtual desktop infrastructure, build machines, file-processing services, and servers where untrusted users or applications can introduce content onto NTFS volumes. Until the trigger is documented, restricting exposure to untrusted disk images and removable media is sensible hygiene, but it is not a substitute for installing the update.
The Affected Range Reaches Deep Into Windows Server
Microsoft’s affected-product data covers current Windows 11 releases, Extended Security Updates-era Windows 10 installations, and supported Windows Server generations. Both x64 and Arm64 Windows 11 systems are affected where those architectures are available.The patched build thresholds include:
- Windows 11 24H2 must be updated to build 26100.8875 or later.
- Windows 11 25H2 must be updated to build 26200.8875 or later.
- Windows 11 26H1 must be updated to build 28000.2269 or later.
- Windows 10 21H2 must be updated to build 19044.7548 or later.
- Windows 10 22H2 must be updated to build 19045.7548 or later.
- Windows Server 2022 must be updated to build 20348.5386 or later.
- Windows Server 2025 must be updated to build 26100.33158 or later.
For mainstream Windows 11 deployments, CVE-2026-49184 is corrected through KB5101650. That cumulative update advances Windows 11 25H2 to build 26200.8875 and Windows 11 24H2 to build 26100.8875. Windows 11 23H2 receives the July security fixes through KB5099414, although that release does not appear in the CVE’s published affected-product record.
The July package is a normal mandatory security cumulative update, so organizations do not need to locate a standalone NTFS hotfix. Existing Windows Update for Business, Windows Server Update Services, Microsoft Intune, and Configuration Manager deployment rings can deliver the correction alongside the month’s other Windows fixes.
Patch Tuesday Scale Should Not Hide the NTFS Risk
CVE-2026-49184 arrived during an unusually large July 2026 Patch Tuesday. BleepingComputer counted 570 newly addressed Microsoft vulnerabilities, including 145 remote code execution flaws, while the SANS Internet Storm Center used a broader count that included additional Microsoft updates. The differing totals reflect counting methodology rather than a dispute over this NTFS flaw.The volume creates a practical problem for security teams: a vulnerability can disappear into scanner exports even when its characteristics warrant attention. CVE-2026-49184 is not one of July’s known exploited zero-days, and Microsoft did not rate it Critical, but an 8.4 score with no privileges or user interaction should keep it above routine information-disclosure and denial-of-service findings.
Microsoft also shipped fixes for numerous other NTFS vulnerabilities in the same release, including several additional code execution issues. That concentration suggests administrators should deploy the cumulative operating-system update rather than attempting to prioritize or mitigate individual NTFS CVEs separately.
There are no published workarounds or mitigations specific to CVE-2026-49184. Disabling SMB, applying email attachment controls, or blocking a particular file extension cannot be considered complete defenses because Microsoft has not disclosed the triggering input or access path.
Administrators should validate that endpoints reached the appropriate July 2026 build, confirm server reboots where required, and investigate devices that remain below the fixed thresholds. Vulnerability scanners should key on the installed Windows build or applicable KB rather than relying solely on Microsoft’s “remote” title.
The immediate action is straightforward: install the July 14 cumulative Windows security update and verify the resulting build. The unresolved issue is technical rather than operational—until more details emerge, defenders know that NTFS contains a confirmed, low-complexity heap overflow capable of code execution, but not exactly what attacker-controlled object reaches it.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com