Microsoft has patched CVE-2026-50313, a high-severity heap-based buffer overflow in Windows NTFS that could let an unauthenticated attacker run code after a user interacts with malicious content. The fix arrived in the July 14, 2026 security updates for supported Windows 10, Windows 11, and Windows Server releases.
Detailed in Microsoft’s Security Update Guide, CVE-2026-50313 carries a CVSS 3.1 score of 7.8 and an Important severity rating. Microsoft had not identified public disclosure or active exploitation when the updates were released, according to the July Patch Tuesday data compiled by the Zero Day Initiative.
The patch should nevertheless receive prompt attention. NTFS is a foundational Windows component, the vulnerability affects client and server editions, and successful exploitation could compromise confidentiality, integrity, and availability.
Microsoft calls CVE-2026-50313 a “Windows NTFS Remote Code Execution Vulnerability,” but its CVSS vector identifies the attack path as local rather than network-based:
That distinction matters. This is not described as a wormable flaw that an attacker can trigger simply by sending packets to an exposed Windows service. Microsoft’s CVE record says the heap-based buffer overflow allows an unauthorized attacker to execute code locally, while the vector specifies that user interaction is required.
In practical terms, “remote code execution” describes the eventual security impact rather than a direct network attack vector. An attacker could originate the attack remotely—for example, by delivering hostile content through email, a download, messaging software, or another distribution channel—but would still need the target to perform an action that reaches the vulnerable NTFS code path.
Microsoft has not publicly documented the exact file, disk-image, or storage operation required to trigger CVE-2026-50313. Administrators should therefore avoid assuming that blocking one attachment extension or disabling one application fully mitigates the exposure. The available technical record establishes a memory-corruption flaw and a required user action, but not a complete attack recipe.
The vector also indicates low attack complexity and no prerequisite privileges. Once the attacker persuades a user to interact with the malicious content, exploitation is not expected to require an existing account on the machine.
Not every buffer overflow is reliably exploitable, and Microsoft has not published proof-of-concept code or detailed exploitation analysis for this flaw. The assigned impact metrics are still severe: successful exploitation may allow a complete loss of confidentiality, integrity, and availability.
That means an attacker could potentially read protected information, modify data, execute unwanted operations, or crash the affected system. The precise privileges gained would depend on the process and context in which the malformed NTFS content is handled, details Microsoft had not disclosed as of July 15.
The required user interaction lowers the score from the Critical range, but it does not make the issue harmless. Malicious-file attacks routinely rely on users opening downloads, attaching removable storage, mounting images, or browsing content delivered through trusted-looking channels. Security controls must stop both the initial delivery and the subsequent execution path.
CVE-2026-50313 also appeared amid an unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft vulnerabilities addressed during the month, including numerous NTFS remote-code-execution issues. The volume makes prioritization difficult, particularly for organizations that cannot immediately deploy every cumulative update across production systems.
For this specific CVE, the broad operating-system exposure and high impact justify treating it as a standard priority security deployment rather than waiting for reports of exploitation.
The fixed build thresholds disclosed in the CVE record include:
Windows 11 24H2 and 25H2 receive the fix through KB5101650, which advances the systems to builds 26100.8875 and 26200.8875. Microsoft temporarily withheld that cumulative update from a limited number of Dell devices with Intel processors because Dell reported a compatibility problem involving unexpected shutdowns, performance degradation, excess heat, and battery drain.
That safeguard creates a deployment wrinkle for affected Dell systems. If KB5101650 is not offered, administrators should not force the package onto those devices without checking Microsoft and Dell guidance; the update block is intended to prevent a separate stability problem while the companies prepare a resolution.
Windows 10 21H2 and 22H2 receive KB5099539, producing builds 19044.7548 and 19045.7548. Windows 10 1809 and Windows Server 2019 receive KB5099538, moving to build 17763.9020, while Windows Server 2022 receives KB5099540 and build 20348.5386.
Windows 10 22H2 reached the end of normal support on October 14, 2025. Machines still running that release need an eligible Extended Security Updates arrangement to receive the July 2026 protection; unsupported installations cannot be considered protected merely because a fixed build exists.
On individual systems,
A successful download is not proof that the machine is protected. Devices may remain pending restart, roll back during installation, encounter servicing-stack problems, or sit behind a safeguard hold such as the one affecting certain Dell models. Compliance reporting should therefore use the installed build and restart state, not merely update approval or download status.
Organizations should also review removable-media policies, attachment filtering, disk-image handling, and endpoint telemetry while updates are moving through staged deployment. Those controls are not substitutes for the patch, but they can reduce the chance that untrusted content reaches an NTFS parser on an unpatched endpoint.
There is currently no public evidence that CVE-2026-50313 was exploited before disclosure, and the Zero Day Initiative lists it as neither publicly disclosed nor attacked in the wild at release. That buys administrators testing time, not permission to defer indefinitely: the vulnerability is now documented, its affected build ranges are public, and attackers can begin comparing patched and unpatched Windows components.
The immediate objective is concrete: move supported Windows devices to their July 14, 2026 security builds, verify that the update completed after restart, and separately track Dell systems on which Microsoft has withheld KB5101650.
Detailed in Microsoft’s Security Update Guide, CVE-2026-50313 carries a CVSS 3.1 score of 7.8 and an Important severity rating. Microsoft had not identified public disclosure or active exploitation when the updates were released, according to the July Patch Tuesday data compiled by the Zero Day Initiative.
The patch should nevertheless receive prompt attention. NTFS is a foundational Windows component, the vulnerability affects client and server editions, and successful exploitation could compromise confidentiality, integrity, and availability.
The “Remote” Label Needs Qualification
Microsoft calls CVE-2026-50313 a “Windows NTFS Remote Code Execution Vulnerability,” but its CVSS vector identifies the attack path as local rather than network-based:CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HThat distinction matters. This is not described as a wormable flaw that an attacker can trigger simply by sending packets to an exposed Windows service. Microsoft’s CVE record says the heap-based buffer overflow allows an unauthorized attacker to execute code locally, while the vector specifies that user interaction is required.
In practical terms, “remote code execution” describes the eventual security impact rather than a direct network attack vector. An attacker could originate the attack remotely—for example, by delivering hostile content through email, a download, messaging software, or another distribution channel—but would still need the target to perform an action that reaches the vulnerable NTFS code path.
Microsoft has not publicly documented the exact file, disk-image, or storage operation required to trigger CVE-2026-50313. Administrators should therefore avoid assuming that blocking one attachment extension or disabling one application fully mitigates the exposure. The available technical record establishes a memory-corruption flaw and a required user action, but not a complete attack recipe.
The vector also indicates low attack complexity and no prerequisite privileges. Once the attacker persuades a user to interact with the malicious content, exploitation is not expected to require an existing account on the machine.
A Heap Overflow With Full-System Consequences
Microsoft classifies the underlying weakness as CWE-122, a heap-based buffer overflow. This class of vulnerability occurs when software writes more data into a heap allocation than the destination can safely hold, potentially corrupting adjacent memory and altering program execution.Not every buffer overflow is reliably exploitable, and Microsoft has not published proof-of-concept code or detailed exploitation analysis for this flaw. The assigned impact metrics are still severe: successful exploitation may allow a complete loss of confidentiality, integrity, and availability.
That means an attacker could potentially read protected information, modify data, execute unwanted operations, or crash the affected system. The precise privileges gained would depend on the process and context in which the malformed NTFS content is handled, details Microsoft had not disclosed as of July 15.
The required user interaction lowers the score from the Critical range, but it does not make the issue harmless. Malicious-file attacks routinely rely on users opening downloads, attaching removable storage, mounting images, or browsing content delivered through trusted-looking channels. Security controls must stop both the initial delivery and the subsequent execution path.
CVE-2026-50313 also appeared amid an unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft vulnerabilities addressed during the month, including numerous NTFS remote-code-execution issues. The volume makes prioritization difficult, particularly for organizations that cannot immediately deploy every cumulative update across production systems.
For this specific CVE, the broad operating-system exposure and high impact justify treating it as a standard priority security deployment rather than waiting for reports of exploitation.
Windows 10 Through Windows 11 26H1 Are Affected
Microsoft’s affected-product data spans older servicing branches and current Windows releases. Vulnerable client versions include Windows 10 1607, 1809, 21H2, and 22H2, alongside Windows 11 24H2, 25H2, and 26H1.The fixed build thresholds disclosed in the CVE record include:
- Windows 10 version 1607 is protected at build 14393.9339 or later.
- Windows 10 version 1809 is protected at build 17763.9020 or later.
- Windows 10 version 21H2 is protected at build 19044.7548 or later.
- Windows 10 version 22H2 is protected at build 19045.7548 or later.
- Windows 11 version 24H2 is protected at build 26100.8875 or later.
- Windows 11 version 25H2 is protected at build 26200.8875 or later.
- Windows 11 version 26H1 is protected at build 28000.2269 or later.
Windows 11 24H2 and 25H2 receive the fix through KB5101650, which advances the systems to builds 26100.8875 and 26200.8875. Microsoft temporarily withheld that cumulative update from a limited number of Dell devices with Intel processors because Dell reported a compatibility problem involving unexpected shutdowns, performance degradation, excess heat, and battery drain.
That safeguard creates a deployment wrinkle for affected Dell systems. If KB5101650 is not offered, administrators should not force the package onto those devices without checking Microsoft and Dell guidance; the update block is intended to prevent a separate stability problem while the companies prepare a resolution.
Windows 10 21H2 and 22H2 receive KB5099539, producing builds 19044.7548 and 19045.7548. Windows 10 1809 and Windows Server 2019 receive KB5099538, moving to build 17763.9020, while Windows Server 2022 receives KB5099540 and build 20348.5386.
Windows 10 22H2 reached the end of normal support on October 14, 2025. Machines still running that release need an eligible Extended Security Updates arrangement to receive the July 2026 protection; unsupported installations cannot be considered protected merely because a fixed build exists.
Patch Verification Matters More Than the Download Result
Because Windows cumulative updates cover many vulnerabilities at once, administrators will not see a separate package named CVE-2026-50313. The practical verification point is the installed July 2026 cumulative update and its resulting OS build.On individual systems,
winver provides a quick build check. Administrators can also inspect Settings under Windows Update and Update history, query installed hotfix information through PowerShell, or use Microsoft Intune, Windows Update for Business reports, Configuration Manager, or another endpoint-management platform to confirm deployment at scale.A successful download is not proof that the machine is protected. Devices may remain pending restart, roll back during installation, encounter servicing-stack problems, or sit behind a safeguard hold such as the one affecting certain Dell models. Compliance reporting should therefore use the installed build and restart state, not merely update approval or download status.
Organizations should also review removable-media policies, attachment filtering, disk-image handling, and endpoint telemetry while updates are moving through staged deployment. Those controls are not substitutes for the patch, but they can reduce the chance that untrusted content reaches an NTFS parser on an unpatched endpoint.
There is currently no public evidence that CVE-2026-50313 was exploited before disclosure, and the Zero Day Initiative lists it as neither publicly disclosed nor attacked in the wild at release. That buys administrators testing time, not permission to defer indefinitely: the vulnerability is now documented, its affected build ranges are public, and attackers can begin comparing patched and unpatched Windows components.
The immediate objective is concrete: move supported Windows devices to their July 14, 2026 security builds, verify that the update completed after restart, and separately track Dell systems on which Microsoft has withheld KB5101650.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com