CVE-2026-50298: Patch Windows Spaceport.sys Privilege Flaw

CVE-2026-50298, an elevation-of-privilege vulnerability in the Windows Spaceport.sys storage driver, was patched in Microsoft’s July 14, 2026 security updates. The flaw affects supported Windows 11 and Windows Server releases, plus Windows 10 systems still receiving security servicing, and can give an attacker full control when physical access to a vulnerable machine is available.
Microsoft’s Security Response Center classifies the vulnerability as Important, while the Microsoft-supplied CVSS 3.1 score is 6.8. The National Vulnerability Database describes the underlying weakness as an integer overflow or wraparound in Spaceport.sys and identifies it as CWE-190.
The update should be treated as routine but necessary patching rather than an Internet-wide emergency. Microsoft’s vector requires physical access, but successful exploitation carries high confidentiality, integrity, and availability impacts.

Cybersecurity infographic shows Spaceport.sys, Storage Spaces, physical access threats, and a July 2026 security patch.Physical Access Keeps the Score Below Critical​

Microsoft’s CVSS vector for CVE-2026-50298 is CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. In practical terms, the attacker must be physically present, but exploitation has low complexity, requires no existing account or privileges, and needs no action from the logged-in user.
That combination explains the seemingly modest 6.8 score despite the potentially serious outcome. The physical attack requirement sharply reduces the pool of realistic attackers compared with a vulnerability reachable over a network or through an ordinary local process.
It does not make the issue harmless. A successful exploit could compromise the confidentiality, integrity, and availability of data governed by the affected Windows component. Microsoft has labeled the impact as elevation of privilege, meaning the flaw could help an unauthorized person cross a security boundary and obtain capabilities they should not possess.
The physical vector makes CVE-2026-50298 particularly relevant to organizations with machines outside tightly controlled offices. Shared workstations, kiosks, labs, classrooms, retail terminals, branch-office systems, and unattended servers are more exposed than desktops that remain inside secured facilities.
The vector also states that the scope is unchanged. Exploitation affects resources managed within the same security authority rather than automatically crossing into a separate security domain, but that distinction offers little comfort if the attacker gains high-impact access to the Windows installation itself.

Spaceport.sys Puts Storage Infrastructure in the Frame​

Spaceport.sys is associated with Windows Storage Spaces, Microsoft’s software-defined storage technology for combining physical drives into storage pools and presenting virtual disks to the operating system. As a Windows driver operating close to storage and kernel-level functionality, it occupies a more privileged position than an ordinary desktop application.
Microsoft’s description does not disclose the precise input, device, or sequence needed to trigger the integer overflow. An integer overflow occurs when a calculation produces a value outside the range that a program has allocated for it; the resulting wraparound can cause incorrect buffer sizing, bounds checking, or memory handling.
The public record therefore establishes the weakness class and impact without providing an exploit recipe. That is useful for defenders because it identifies the affected component, but it does not yet reveal whether exploitation depends on a removable disk, a specially prepared storage configuration, direct manipulation of existing drives, or another physical interaction.
The report-confidence language in Microsoft’s advisory indicates that the vulnerability has been confirmed rather than remaining a speculative defect. That does not mean exploit code is public. It means the vendor has sufficient confidence in the existence and technical basis of the vulnerability to issue a security update and assign a concrete severity vector.
SANS Internet Storm Center’s July 2026 Patch Tuesday listing reported neither public disclosure nor known exploitation for CVE-2026-50298 at release. The Zero Day Initiative also listed the Spaceport.sys flaw as not publicly disclosed and not exploited, although its initial Patch Tuesday table displayed a higher score than the 6.8 recorded by Microsoft and NIST. Administrators should use Microsoft’s vector as the authoritative score while recognizing that scoring discrepancies can appear in early third-party roundups.

The Affected Range Reaches Back to Server 2012​

The CVE record covers a broad set of client and server products. On the client side, Microsoft lists Windows 10 versions 1607, 1809, 21H2, and 22H2, along with Windows 11 versions 24H2, 25H2, and 26H1.
Windows Server 2012 and 2012 R2 are also listed, including Server Core installations. The affected range continues through Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025.
The fixed build thresholds published in the CVE record include:
  • Windows 10 versions 21H2 and 22H2 are fixed at builds 19044.7548 and 19045.7548.
  • Windows 11 versions 24H2 and 25H2 are fixed at build 26100.8875 and 26200.8875, respectively.
  • Windows 11 version 26H1 is fixed at build 28000.2269.
  • Windows Server 2022 is fixed at build 20348.5386.
  • Windows Server 2025 is fixed at build 26100.33158.
  • Windows Server 2019 is fixed at build 17763.9020, while Windows Server 2016 is fixed at build 14393.9339.
Windows 10 version 22H2 reached the end of standard support on October 14, 2025. Microsoft’s July update is therefore available to eligible systems through the Extended Security Updates program rather than as an unrestricted continuation of normal consumer support. Microsoft identifies KB5099539 as the July 14 cumulative update that advances Windows 10 22H2 to build 19045.7548 and Windows 10 Enterprise LTSC 2021 to build 19044.7548.
Organizations should not use the presence of Storage Spaces pools as their sole vulnerability test. The affected component ships across multiple Windows generations, and Microsoft’s product list is based on vulnerable operating-system builds rather than whether an administrator has deliberately created a storage pool.

Patch Deployment Is the Primary Control​

Microsoft has not documented a CVE-specific workaround in the public information available at release. Installing the July 2026 cumulative security update is consequently the direct remediation.
For managed estates, administrators should verify the resulting OS build rather than relying only on a successful status returned by an endpoint-management platform. Older Windows Server releases may follow different servicing or Extended Security Update channels, so the applicable package must match both the operating-system version and its support entitlement.
Physical controls remain a useful secondary defense. Restricting access to server rooms, locking workstation cases, controlling removable media, enabling BitLocker, enforcing Secure Boot, and preventing unauthorized boot-device changes can make physical attacks harder and limit what an attacker can obtain from a stolen or unattended machine. Those controls do not replace Microsoft’s code fix, particularly because the publicly disclosed description does not reveal the exact physical exploitation mechanism.
CVE-2026-50298 is not the kind of vulnerability that should force Internet-facing services offline while emergency testing takes place. It is instead a reminder that physical access remains a Windows security boundary, especially when a flaw sits inside a privileged storage driver. The practical milestone is straightforward: deploy the July 14, 2026 cumulative updates, confirm that every affected endpoint and server has reached its fixed build, and investigate any machine that cannot be brought into a supported servicing channel.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top