Microsoft has patched CVE-2026-49790, a high-severity elevation-of-privilege vulnerability in the Windows Universal Disk Format File System driver, across supported Windows 10, Windows 11, and Windows Server releases. Administrators should deploy the July 14, 2026 cumulative security updates and confirm that endpoints have reached Microsoft’s fixed build levels.
Detailed in Microsoft’s Security Update Guide and published alongside the July 2026 Patch Tuesday releases, the vulnerability carries a CVSS 3.1 base score of 7.3. It is not described as an unauthenticated remote compromise, but successful exploitation could give an attacker broad control over confidentiality, integrity, and availability on the affected system.
The National Vulnerability Database lists the record as undergoing enrichment, meaning Microsoft’s initial assessment is available while NIST has not yet completed its independent scoring and platform mapping. Technical disclosure is limited, but Microsoft has identified both a heap-based buffer overflow and an integer-underflow condition in the UDFS implementation.
Microsoft’s CVSS vector is AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. In practical terms, exploitation requires local access, low privileges, low attack complexity, and interaction from another user.
That sharply distinguishes CVE-2026-49790 from a remotely reachable file-system bug that could be triggered simply by sending traffic to a Windows machine. An attacker must already have some access to the target environment and must place the vulnerable UDFS driver in a situation where it processes maliciously constructed data.
The user-interaction requirement suggests that an attacker may need to convince someone to mount, attach, or otherwise access crafted UDF content. Microsoft has not publicly documented a complete attack sequence, however, so administrators should not treat any specific disk-image, optical-disc, or removable-media scenario as confirmed until further technical guidance appears.
If exploitation succeeds, the CVSS impact fields indicate a potentially complete loss of confidentiality, integrity, and availability. That can translate into reading protected information, modifying system data, installing persistent malware, disabling security tools, or disrupting the machine, depending on the privileges ultimately obtained.
The scope field remains unchanged, meaning the vulnerable UDFS component and the compromised security authority remain within the same security boundary. That does not make the result harmless: local privilege escalation is routinely used as the second stage of an intrusion after phishing, credential theft, browser exploitation, or initial execution through a malicious attachment.
An integer underflow can occur when arithmetic produces a value below the range expected by the program. If the result wraps into a large positive value and is then used for memory allocation, indexing, or length validation, later operations may access memory outside the intended boundary.
A heap-based buffer overflow occurs when software writes beyond the allocated limits of an object stored in heap memory. In a file-system driver, malformed metadata, unexpected lengths, or inconsistent structure sizes can become especially dangerous because parsing occurs in a privileged Windows component rather than an isolated application.
Microsoft has not published proof-of-concept code, function names, or the precise UDF structure involved. There is consequently enough information to establish that this is a confirmed memory-corruption vulnerability, but not enough to reproduce the flaw or judge how reliably it can be converted into privilege escalation.
That distinction matters when interpreting vulnerability-confidence language. Confidence in the existence of the flaw is high because Microsoft has acknowledged it, assigned two specific weakness categories, identified affected versions, and shipped corrected builds. Confidence in the publicly known exploitation mechanics is lower because the root-cause details and trigger path remain undisclosed.
Defenders therefore have a well-supported reason to patch without having a detailed signature for the malicious input. Attackers, meanwhile, know the affected component and broad bug classes, but the public record does not currently hand them a ready-made exploitation recipe.
Microsoft’s corrected build thresholds include:
Windows Server 2012 and Windows Server 2012 R2 require particular attention because they are beyond normal support and receive updates only through applicable Extended Security Updates arrangements. Their presence in the affected list does not mean every installation automatically receives the July fix through ordinary Windows Update servicing.
Organizations should also verify that maintenance policies cover Server Core. The absence of the full desktop interface does not remove the affected file-system driver, and Microsoft explicitly identifies Server Core installations for several Windows Server generations.
Security teams can use application control, least-privilege policies, endpoint detection, and restrictions on mounting untrusted content to make exploitation harder. Monitoring should focus on unusual privilege transitions following access to newly introduced disk images, optical media, or removable volumes, while recognizing that Microsoft has not confirmed those as the exclusive vectors.
Administrators should deploy the July 14 cumulative updates through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, Windows Autopatch, or their normal patch-management platform. After installation and restart, they should compare the reported OS build with the fixed threshold for that Windows release rather than relying solely on a successful deployment status.
CVE-2026-49790 is not presently documented as a remotely exploitable, zero-click flaw, and the public technical details remain sparse. Its combination of low attack complexity, a privileged file-system component, memory corruption, and potentially total system impact nevertheless makes delayed patching an unnecessary risk—especially on shared workstations, multi-user servers, and systems that routinely process untrusted media.
Detailed in Microsoft’s Security Update Guide and published alongside the July 2026 Patch Tuesday releases, the vulnerability carries a CVSS 3.1 base score of 7.3. It is not described as an unauthenticated remote compromise, but successful exploitation could give an attacker broad control over confidentiality, integrity, and availability on the affected system.
The National Vulnerability Database lists the record as undergoing enrichment, meaning Microsoft’s initial assessment is available while NIST has not yet completed its independent scoring and platform mapping. Technical disclosure is limited, but Microsoft has identified both a heap-based buffer overflow and an integer-underflow condition in the UDFS implementation.
A Local Attack With a User-Interaction Requirement
Microsoft’s CVSS vector is AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. In practical terms, exploitation requires local access, low privileges, low attack complexity, and interaction from another user.That sharply distinguishes CVE-2026-49790 from a remotely reachable file-system bug that could be triggered simply by sending traffic to a Windows machine. An attacker must already have some access to the target environment and must place the vulnerable UDFS driver in a situation where it processes maliciously constructed data.
The user-interaction requirement suggests that an attacker may need to convince someone to mount, attach, or otherwise access crafted UDF content. Microsoft has not publicly documented a complete attack sequence, however, so administrators should not treat any specific disk-image, optical-disc, or removable-media scenario as confirmed until further technical guidance appears.
If exploitation succeeds, the CVSS impact fields indicate a potentially complete loss of confidentiality, integrity, and availability. That can translate into reading protected information, modifying system data, installing persistent malware, disabling security tools, or disrupting the machine, depending on the privileges ultimately obtained.
The scope field remains unchanged, meaning the vulnerable UDFS component and the compromised security authority remain within the same security boundary. That does not make the result harmless: local privilege escalation is routinely used as the second stage of an intrusion after phishing, credential theft, browser exploitation, or initial execution through a malicious attachment.
Two Memory-Safety Failures Sit Behind the Rating
Microsoft associates CVE-2026-49790 with CWE-122, a heap-based buffer overflow, and CWE-191, an integer underflow or wraparound. These classifications supply more useful technical context than the short advisory title alone.An integer underflow can occur when arithmetic produces a value below the range expected by the program. If the result wraps into a large positive value and is then used for memory allocation, indexing, or length validation, later operations may access memory outside the intended boundary.
A heap-based buffer overflow occurs when software writes beyond the allocated limits of an object stored in heap memory. In a file-system driver, malformed metadata, unexpected lengths, or inconsistent structure sizes can become especially dangerous because parsing occurs in a privileged Windows component rather than an isolated application.
Microsoft has not published proof-of-concept code, function names, or the precise UDF structure involved. There is consequently enough information to establish that this is a confirmed memory-corruption vulnerability, but not enough to reproduce the flaw or judge how reliably it can be converted into privilege escalation.
That distinction matters when interpreting vulnerability-confidence language. Confidence in the existence of the flaw is high because Microsoft has acknowledged it, assigned two specific weakness categories, identified affected versions, and shipped corrected builds. Confidence in the publicly known exploitation mechanics is lower because the root-cause details and trigger path remain undisclosed.
Defenders therefore have a well-supported reason to patch without having a detailed signature for the malicious input. Attackers, meanwhile, know the affected component and broad bug classes, but the public record does not currently hand them a ready-made exploitation recipe.
The Affected Range Spans Clients and Servers
The affected-product record covers Windows releases from older enterprise-maintained Windows 10 installations through Windows 11 26H1. It also includes Windows Server 2012 through Windows Server 2025, including listed Server Core variants.Microsoft’s corrected build thresholds include:
- Windows 10 version 1607 and Windows Server 2016 are fixed at build 14393.9339 or later.
- Windows 10 version 1809 and Windows Server 2019 are fixed at build 17763.9020 or later.
- Windows 10 versions 21H2 and 22H2 are fixed at builds 19044.7548 and 19045.7548 respectively.
- Windows 11 versions 24H2 and 25H2 are fixed at build 26100.8875 and 26200.8875 respectively.
- Windows 11 version 26H1 is fixed at build 28000.2525 or later.
- Windows Server 2022 is fixed at build 20348.5386 or later.
- Windows Server 2025 is fixed at build 26100.33158 or later.
- Windows Server 2012 and 2012 R2 are fixed at builds 9200.26226 and 9600.23291 respectively.
Windows Server 2012 and Windows Server 2012 R2 require particular attention because they are beyond normal support and receive updates only through applicable Extended Security Updates arrangements. Their presence in the affected list does not mean every installation automatically receives the July fix through ordinary Windows Update servicing.
Organizations should also verify that maintenance policies cover Server Core. The absence of the full desktop interface does not remove the affected file-system driver, and Microsoft explicitly identifies Server Core installations for several Windows Server generations.
Patch First, Then Watch the Disclosure Mature
Microsoft’s initial record does not provide a supported workaround or a configuration change that fully substitutes for installing the update. Restricting untrusted removable media and disk-image handling can reduce exposure to plausible delivery paths, but it should be treated as defense in depth rather than a complete mitigation.Security teams can use application control, least-privilege policies, endpoint detection, and restrictions on mounting untrusted content to make exploitation harder. Monitoring should focus on unusual privilege transitions following access to newly introduced disk images, optical media, or removable volumes, while recognizing that Microsoft has not confirmed those as the exclusive vectors.
Administrators should deploy the July 14 cumulative updates through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, Windows Autopatch, or their normal patch-management platform. After installation and restart, they should compare the reported OS build with the fixed threshold for that Windows release rather than relying solely on a successful deployment status.
CVE-2026-49790 is not presently documented as a remotely exploitable, zero-click flaw, and the public technical details remain sparse. Its combination of low attack complexity, a privileged file-system component, memory corruption, and potentially total system impact nevertheless makes delayed patching an unnecessary risk—especially on shared workstations, multi-user servers, and systems that routinely process untrusted media.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com