CVE-2026-49789: Install July Updates to Fix Windows NTFS EoP

CVE-2026-49789, a newly patched Windows NTFS elevation-of-privilege vulnerability, can let a low-privileged local attacker gain broader control of an affected PC or server by triggering a stack-based buffer overflow. Microsoft released the fix on July 14, 2026, through its monthly cumulative Windows security updates, covering supported Windows 10, Windows 11, and Windows Server installations.
Detailed in the Microsoft Security Response Center’s Security Update Guide, the flaw is rated Important with a CVSS 3.1 base score of 7.3. Microsoft says the vulnerability was not publicly disclosed or known to be exploited when the update shipped, and assesses exploitation as less likely.
That makes CVE-2026-49789 a patching priority rather than an emergency requiring network isolation. Its position inside NTFS, however, means administrators should not dismiss it as an obscure optional-component bug: the affected code belongs to Windows’ default file system and is present across client and server releases.

Cybersecurity dashboard showing NTFS protection, patch deployment, buffer overflow threat, and privilege escalation.The Attack Starts Locally but Can End With Full Control​

The National Vulnerability Database describes CVE-2026-49789 as a stack-based buffer overflow in Windows NTFS that allows an authorized attacker to elevate privileges locally. Microsoft maps the underlying weakness to CWE-121, the standard classification for data overrunning a stack-allocated buffer.
A successful stack overflow can corrupt nearby memory, including control information used by a running process. Microsoft has not published enough technical detail to identify the vulnerable NTFS operation, the exact execution context, or whether exploitation requires a specially prepared file, directory structure, disk image, or removable volume.
The CVSS vector provides several useful boundaries. CVE-2026-49789 requires local access, low privileges, low attack complexity, and interaction from another user. It is therefore not a vulnerability that an unauthenticated attacker can directly exploit across the internet simply because a Windows machine is online.
Those requirements do not make it harmless. Local elevation-of-privilege vulnerabilities are frequently valuable after an attacker has gained an initial foothold through phishing, stolen credentials, a malicious application, or a separate remote-code-execution flaw. The NTFS bug could then provide the step from a restricted account to a more powerful security context.
Microsoft’s scoring assigns high potential impact to confidentiality, integrity, and availability. In practical terms, a successful privilege escalation could allow an attacker to access protected information, modify system resources, disable defenses, establish persistence, or disrupt the machine, depending on the privileges ultimately obtained.
The CVSS vector does not establish that CVE-2026-49789 grants SYSTEM privileges specifically, and Microsoft’s public description does not identify the final privilege level. Administrators should avoid treating “elevation of privilege” as an automatic synonym for SYSTEM until Microsoft or independent researchers publish a technical analysis.

July’s Cumulative Updates Carry the NTFS Repair​

Microsoft is delivering the fix through the normal July 2026 cumulative security updates rather than a separate NTFS package. On current Windows 11 releases, the relevant update levels include KB5101650 for Windows 11 24H2 and 25H2, bringing those systems to OS Builds 26100.8875 and 26200.8875 respectively.
Windows 11 version 26H1 receives KB5101649, which advances the operating system to Build 28000.2525. Microsoft’s initial CVE data lists affected 26H1 builds below an earlier build threshold, but installing the latest July cumulative update remains the straightforward way to ensure the machine has all applicable security fixes.
Windows 10 systems still receiving updates are also covered. KB5099539 moves Windows 10 version 22H2 to Build 19045.7548 and version 21H2 to Build 19044.7548. For ordinary Windows 10 22H2 devices, continued security coverage now depends on eligibility and enrollment in Microsoft’s Extended Security Updates program; Enterprise LTSC and IoT Enterprise LTSC releases follow their own support schedules.
The affected-product data published through Microsoft and reproduced by the National Vulnerability Database includes:
  • Windows 10 versions 1607, 1809, 21H2, and 22H2 are affected at builds below their July security-update levels.
  • Windows 11 versions 24H2, 25H2, and 26H1 are listed as affected.
  • Windows Server 2012 and Windows Server 2012 R2 are included for organizations receiving the applicable extended security updates.
  • Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 are affected, including listed Server Core installations.
Windows Server 2022 is updated by KB5099540 to Build 20348.5386, while Windows Server 2025 reaches Build 26100.33158 through KB5099536. Windows Server 2019 receives KB5099538 and advances to Build 17763.9020; Windows Server 2016 reaches Build 14393.9339 with KB5099535.
Windows 11 23H2 does not appear in the initial affected-product record for CVE-2026-49789, even though it received its own July cumulative update, KB5099414, taking it to Build 22631.7376. That omission should not be interpreted as permission to skip July’s update, which addresses other security vulnerabilities and remains the supported servicing baseline for that release.

“Confirmed” Describes the Evidence, Not Active Exploitation​

The report-confidence language shown in Microsoft’s advisory is part of the CVSS temporal scoring system. A confirmed rating means the vendor or other reliable evidence has established that the vulnerability exists; it does not mean attackers have confirmed exploitation in the wild.
That distinction matters for CVE-2026-49789. Microsoft’s Important rating, confirmed technical status, and high potential impact describe a real vulnerability with an official fix. Separately, Microsoft’s exploitability assessment at publication said exploitation was less likely, with no public disclosure and no detected exploitation.
The Cybersecurity and Infrastructure Security Agency’s initial decision model similarly recorded no known exploitation and judged the vulnerability non-automatable, while assigning it the potential for total technical impact. The National Vulnerability Database was still undergoing enrichment on July 14, so additional platform mappings or technical references may appear after the initial publication.
User interaction is another important constraint. The CVSS vector explicitly includes UI:R, meaning exploitation depends on action by a person other than the attacker. Microsoft has not publicly explained what that action involves, so claims that a particular attachment type, USB device, virtual disk, or network share is required would be speculative at this stage.
For defenders, the absence of a public exploit reduces immediate pressure but does not remove the risk. Once patches are available, researchers and attackers can compare updated and unpatched NTFS binaries to locate the repaired code—a process commonly called patch diffing. The technical barrier may therefore change even if Microsoft’s original assessment remains unchanged on the advisory page.

Patch Testing Should Focus on Storage-Heavy Systems​

Workstations can receive the July cumulative update through Windows Update or an organization’s normal management service. Administrators using Windows Update for Business, Microsoft Intune, Windows Server Update Services, Configuration Manager, or third-party patch platforms should verify installation by checking the resulting OS build rather than relying only on an update deployment status.
File servers, Remote Desktop Session Hosts, virtual desktop infrastructure, build servers, and multi-user systems deserve particular attention because they expose local file-system operations to more accounts and applications. The vulnerability still requires an authenticated foothold, but shared systems provide more opportunities for a compromised low-privileged account to interact with privileged users or services.
Testing should cover storage filters, endpoint security agents, backup software, encryption products, disk-management utilities, and other tools that integrate closely with file-system activity. Microsoft’s July release notes also warn that some third-party Transport Driver Interface transports may stop working after updates released on or after July 14, 2026, making staged deployment and vendor validation especially important where legacy networking software remains installed.
Organizations that cannot deploy immediately should reduce opportunities for untrusted users to run code, attach storage, or persuade administrators to interact with attacker-controlled files. Those controls are only temporary risk reduction; Microsoft has not documented a registry-based workaround, Group Policy mitigation, or NTFS feature switch that substitutes for the security update.
The practical endpoint is clear: move affected machines to their July 14 cumulative-update build, verify that the update actually installed, and monitor Microsoft’s advisory for revisions. CVE-2026-49789 was not an exploited zero-day at publication, but its location in NTFS and its potential for high-impact privilege escalation make leaving supported Windows systems on June builds an unnecessary gamble.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top