CVE-2026-50357: July Updates Fix Windows ReFS Privilege Escalation

CVE-2026-50357, a Windows Resilient File System elevation-of-privilege vulnerability fixed in Microsoft’s July 14, 2026 security updates, allows a locally authenticated attacker to execute code with substantially greater control over an affected machine. Microsoft rates the flaw Important, while its CVSS 3.1 base score of 7.8 reflects the possibility of high-impact compromise across confidentiality, integrity, and availability.
Detailed in Microsoft’s Security Update Guide and subsequently recorded by the National Vulnerability Database, the vulnerability stems from a numeric truncation error inside Windows ReFS. It affects supported Windows 10, Windows 11, and Windows Server releases, including Server Core installations.
Administrators should deploy the July cumulative updates rather than treating the lack of known exploitation as a reason to wait. This is not a remotely exploitable, pre-authentication attack, but it could become a useful second stage after an attacker obtains an ordinary account or another vulnerability provides initial access.

Cybersecurity graphic showing a ReFS server, privilege escalation, and a numeric truncation vulnerability alert.A Local Bug With System-Level Consequences​

Microsoft describes CVE-2026-50357 as a ReFS elevation-of-privilege vulnerability. The underlying weakness is categorized as CWE-197, or numeric truncation error, which occurs when a value is converted into a smaller numeric type and loses information in the process.
In filesystem code, that kind of mistake can be especially consequential. Windows must safely process sizes, offsets, allocation data, metadata, and other values that cross trust boundaries between user mode and privileged operating-system components. Incorrectly reducing one of those values can undermine validation or memory handling, potentially giving an attacker a path to execute code in a more privileged context.
Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, exploitation requires local access and low-level existing privileges, but it does not require a victim to click a file, approve a prompt, or otherwise interact with the attack.
The attack complexity is rated low. That designation does not mean a working exploit is necessarily simple to create; it means Microsoft has not identified special conditions outside the attacker’s control that must be present for exploitation to succeed.
A successful attack could have a high impact on all three major security properties. Depending on the privileges obtained and the exploit’s reliability, an attacker could potentially access protected information, alter system data, disable security controls, establish persistence, or disrupt the machine.

The ReFS Label Does Not Limit Exposure to File Servers​

ReFS is strongly associated with Windows Server, Storage Spaces, virtualization infrastructure, and large data volumes. That association may tempt desktop administrators to assume the issue matters only when a machine actively hosts an ReFS-formatted volume.
Microsoft’s affected-product data paints a broader picture. Vulnerable builds span multiple client and server generations:
  • Windows 10 version 1607 builds earlier than 14393.9339 are affected.
  • Windows 10 version 1809 and Windows Server 2019 builds earlier than 17763.9020 are affected.
  • Windows 10 versions 21H2 and 22H2 builds earlier than 19044.7548 and 19045.7548, respectively, are affected.
  • Windows Server 2022 builds earlier than 20348.5386 are affected.
  • Windows 11 versions 24H2 and 25H2 builds earlier than 26100.8875 and 26200.8875, respectively, are affected.
  • Windows 11 version 26H1 builds earlier than 28000.2525 are affected.
  • Windows Server 2025 builds earlier than 26100.33158 are affected.
Windows Server 2016 and corresponding Server Core deployments are also covered, with fixed builds beginning at 14393.9339. Microsoft’s product records include both full desktop and Server Core installation options where applicable.
These version boundaries are more useful than checking only whether an administrator remembers creating an ReFS volume. Windows security servicing is cumulative, and Microsoft distributes the correction through the operating system’s regular security update rather than as a separate ReFS package.
For inventory and compliance purposes, the decisive question is whether each machine has reached the fixed build for its Windows release. Administrators can check that through winver, PowerShell, endpoint-management inventory, Windows Update reporting, or their organization’s normal vulnerability-management platform.

No Exploitation Is Known, but the Technical Impact Is Total​

Microsoft had not reported active exploitation or public disclosure when the advisory was published on July 14. The SANS Internet Storm Center’s July Patch Tuesday tracking likewise listed CVE-2026-50357 as neither publicly disclosed nor exploited.
CISA’s vulnerability metadata assigns the issue an exploitation status of “none” and says the attack is not readily automatable. At the same time, CISA characterizes the potential technical impact as total, consistent with Microsoft’s assessment that successful exploitation can produce high confidentiality, integrity, and availability damage.
That combination calls for measured urgency. CVE-2026-50357 is not an Internet-facing emergency on the level of an unauthenticated remote-code-execution vulnerability in a widely exposed service. Firewalls and perimeter controls, however, do little to stop an attacker who already has local access through stolen credentials, malware, a compromised remote-management account, or another security flaw.
Privilege-escalation vulnerabilities frequently become valuable parts of attack chains. Initial access may leave an intruder confined to a standard user context, application sandbox, or restricted service account. A local flaw with low attack complexity and no user-interaction requirement can provide the bridge from that foothold to broader control.
The advisory’s confirmed report confidence should also be interpreted correctly. The explanatory text displayed in Microsoft’s Security Update Guide describes what the metric means in general; it is not evidence that exploit code has been released. “Confirmed” means Microsoft has sufficient confidence that the vulnerability and its technical basis are real, not that attacks have been observed in the wild.
The National Vulnerability Database was still awaiting its own enrichment analysis immediately after publication. Its current entry relies on Microsoft’s description, affected-version information, CWE classification, and CVSS score rather than an independent NVD severity calculation.

July’s Cumulative Update Is the Remediation​

Microsoft has issued an official fix, so the appropriate response is to install the July 2026 cumulative security update for each affected Windows version. There is no separately documented configuration workaround that provides equivalent protection.
Enterprise teams should prioritize systems where an existing foothold would have an outsized impact. That includes virtualization hosts, backup servers, storage infrastructure, multi-user systems, administrative workstations, and servers accessible to contractors or lower-trust accounts. Machines using ReFS for production workloads deserve particular attention because filesystem-dependent maintenance and recovery windows can be harder to schedule.
Standard deployment discipline still applies. Organizations should validate the cumulative updates against storage drivers, backup software, antivirus filters, deduplication tooling, clustering configurations, and applications that interact intensively with ReFS. Testing should be prompt, but not skipped on systems whose availability depends on a complex storage stack.
After deployment, teams should verify the resulting OS build rather than relying solely on an update job’s success status. Failed installations, pending restarts, supersedence errors, and devices that have stopped checking in can all leave a nominally compliant environment below the fixed build.
CVE-2026-50357 currently requires an attacker to be on the machine before it becomes useful, and there is no evidence of active exploitation. The practical deadline is therefore governed by exposure and patch cadence—but every affected Windows endpoint and server should cross its fixed-build threshold before the flaw gains public technical detail or becomes another dependable tool in post-compromise attack chains.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top