CVE-2026-50341 NTFS Leak Fixed in Windows July Updates

Microsoft fixed CVE-2026-50341, a Windows NTFS information-disclosure vulnerability that can let a locally authenticated attacker expose sensitive data through a buffer over-read. The flaw affects supported Windows client and server releases, including Windows 11 24H2 and 25H2, Windows Server 2022 and 2025, and Windows 10 systems receiving Extended Security Updates.
Published by the Microsoft Security Response Center on July 14, 2026, CVE-2026-50341 carries a CVSS 3.1 base score of 5.5 and a Medium rating in the CVE record. Microsoft nevertheless classifies the issue as Important in its Windows security-update ecosystem, reflecting the potentially high confidentiality impact even though exploitation requires local access and existing privileges.
The fix is included in Microsoft's July 2026 cumulative security updates. For current Windows 11 deployments, that means installing KB5101650 and reaching OS build 26100.8875 on Windows 11 24H2 or 26200.8875 on Windows 11 25H2.

Cybersecurity illustration showing a Windows update, NTFS volume, server, and buffer over-read warning.A Local Bug With a High Confidentiality Cost​

Microsoft describes CVE-2026-50341 as a buffer over-read in Windows NTFS. This type of memory-safety error occurs when software reads beyond the intended boundary of a buffer, potentially returning adjacent memory that the requesting process should not receive.
The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, the attacker must already be able to run code locally with low-level privileges, but exploitation is assessed as low complexity and requires no additional action from another user.
A successful attack does not directly modify files, elevate privileges, or disrupt the system. Its stated impact is limited to confidentiality, although Microsoft rates that confidentiality loss as High. Information exposed through the over-read could potentially help an attacker understand system state or obtain data useful during another stage of an intrusion.
That makes CVE-2026-50341 more relevant as a component of an attack chain than as a standalone entry point. An attacker would first need access to the machine, perhaps through compromised credentials, malicious software, or a separate remote-code-execution vulnerability. The NTFS flaw could then provide information that assists further exploitation or data discovery.
The vulnerability is mapped to CWE-126, the Common Weakness Enumeration entry for buffer over-read. Microsoft has not published enough technical detail to identify the exact NTFS operation involved, the type of memory that can be returned, or whether exploitation requires a specially constructed file system, file, volume, or system call.

“Confirmed” Does Not Mean Exploited​

The report-confidence language attached to the advisory can be easy to misread. The Confirmed rating means Microsoft has validated the vulnerability and the credibility of its technical details. It does not mean attacks have been confirmed in the wild.
Microsoft's CVSS temporal data marks exploit-code maturity as unproven, while the vulnerability was not among the three zero-days highlighted in reporting on the July 2026 Patch Tuesday release. BleepingComputer reported that the month's zero-day group consisted of two actively exploited vulnerabilities and one publicly disclosed vulnerability; CVE-2026-50341 was not included in that group.
There is therefore no public indication, as of July 15, that CVE-2026-50341 is being actively exploited or that functional proof-of-concept code is available. That status can change, particularly after patches give researchers and attackers an opportunity to compare vulnerable and corrected binaries.
The distinction matters for patch prioritization. CVE-2026-50341 does not carry the urgency of an unauthenticated network vulnerability or a confirmed zero-day, but its low attack complexity and broad Windows exposure argue against leaving it unpatched for an extended period.
Microsoft has also supplied an official remediation, while report confidence is confirmed. Those temporal metrics lower uncertainty: administrators are not evaluating a speculative weakness, and the supported mitigation is to install the appropriate cumulative update rather than attempt an undocumented NTFS workaround.

The Affected Windows Footprint Is Broad​

The CVE record identifies affected builds across multiple Windows generations. Client exposure includes Windows 10 versions 1607, 1809, 21H2, and 22H2, along with Windows 11 versions 24H2, 25H2, and 26H1. Whether a particular Windows 10 edition receives the fix depends on its servicing or ESU status.
Affected server platforms include Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations are also listed where applicable, reinforcing that the vulnerable code resides in a fundamental Windows component rather than an optional desktop feature.
Microsoft's corrected build thresholds include:
  • Windows 11 24H2 must reach build 26100.8875 through KB5101650.
  • Windows 11 25H2 must reach build 26200.8875 through KB5101650.
  • Windows 10 21H2 and 22H2 must reach builds 19044.7548 and 19045.7548 through KB5099539.
  • Windows Server 2019 must reach build 17763.9020 through KB5099538.
  • Windows Server 2022 must reach build 20348.5386 through KB5099540.
  • Windows Server 2025 must reach build 26100.33158 through KB5099536.
  • Windows Server 2016 and Windows 10 1607 must reach build 14393.9339 through KB5099535.
Windows Server 2012 and 2012 R2 remain listed because eligible systems can still receive Extended Security Updates. Administrators should verify that those machines are correctly enrolled rather than assuming an update will appear on an unsupported or improperly licensed installation.
For Windows 10 22H2, free consumer support ended on October 14, 2025. KB5099539 applies to Windows 10 ESU and supported LTSC releases, so unmanaged Windows 10 PCs without ESU enrollment cannot rely on ordinary Windows Update to close the vulnerability.

Patch Testing Still Has July-Specific Complications​

The NTFS correction arrives inside cumulative packages containing hundreds of other security fixes and servicing changes. It cannot normally be installed as a narrow, standalone NTFS patch, so enterprises must evaluate the complete July update against their application and hardware baselines.
Microsoft says KB5101650 may be temporarily unavailable to a limited number of Dell systems with Intel processors because of an incompatibility that can cause unexpected shutdowns, reduced performance, excess heat, and battery drain. Organizations with affected Dell fleets should track update availability rather than forcing deployment outside Microsoft's supported path.
Windows Server 2022 administrators also have a separate known issue to consider. Microsoft warns that systems using a specific, unrecommended BitLocker Group Policy configuration involving PCR7 may request the recovery key on the first restart after KB5099540. That issue is not caused by CVE-2026-50341 itself, but it can influence rollout planning for the cumulative package containing the fix.
Security teams should confirm successful installation by checking OS build numbers in winver, PowerShell inventory, Microsoft Intune, Configuration Manager, or their normal endpoint-management platform. Vulnerability scanners should be treated cautiously until their detection content recognizes the July 2026 build thresholds.
CVE-2026-50341 is not the headline zero-day from Microsoft's unusually large July release, but NTFS operates beneath nearly every routine Windows workload. The practical response is straightforward: deploy the July 14 cumulative update, verify the resulting build, and treat the advisory's “Confirmed” rating as validation of the bug—not evidence that exploitation has already occurred.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top