Microsoft has patched CVE-2026-50362, a heap-based buffer overflow in the Windows Resilient File System that can let an unauthorized attacker execute code after a user interacts with malicious content. The flaw carries a CVSS 3.1 score of 7.8 and affects supported Windows client and server releases, including Windows 11 24H2, 25H2 and 26H1, plus Windows Server 2016 through Windows Server 2025.
Detailed in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability is classified as Important and described as a Windows Resilient File System remote code execution flaw. Despite that title, Microsoft’s CVSS vector identifies it as a local attack requiring user interaction, not a network service that can be compromised directly from the internet.
Administrators should deploy the July 2026 cumulative security updates rather than treating ReFS as a server-only concern. Microsoft’s affected-product data includes mainstream Windows 11 builds and older Windows 10 releases alongside Windows Server installations.
CVE-2026-50362 is categorized as CWE-122, a heap-based buffer overflow. This class of vulnerability occurs when software writes more data into a heap-allocated memory region than the region can safely hold, potentially corrupting nearby objects, pointers or control data.
Microsoft says successful exploitation could result in local code execution with high confidentiality, integrity and availability impact. The CVSS vector is
That vector supplies several important qualifications:
The requirement for user interaction limits the flaw’s reach, but it does not make exploitation harmless. Malicious disk images and crafted file-system content can be distributed through email, collaboration platforms, downloads or removable media, placing the vulnerable parsing code behind an otherwise ordinary user action.
The local attack-vector rating means an attacker must first get crafted content into a context where the target system processes it. The user-interaction requirement indicates that exploitation cannot be completed solely at the attacker’s initiative. Those conditions lower exposure compared with a wormable Windows service vulnerability, but they still leave room for phishing and targeted intrusion scenarios.
No privileges are required before exploitation. That distinction matters because the malicious content can reportedly be prepared and delivered by someone who has no valid account on the target computer. The attacker’s challenge is convincing a user or administrator to perform the necessary interaction.
CISA’s initial assessment lists no known exploitation and considers the vulnerability non-automatable, while assigning a total technical impact if exploitation succeeds. The National Vulnerability Database was still awaiting its own enrichment as of July 15, one day after Microsoft released the update.
There is therefore no evidence at publication time that CVE-2026-50362 is being exploited in the wild. There is also no public proof-of-concept exploit identified in the available advisories. Microsoft’s confirmation of the vulnerability and its low-complexity rating nevertheless give defenders a clear reason to patch before more technical information becomes available.
The affected branches and fixed build thresholds include:
The presence of Windows 11 in the affected list is particularly significant for endpoint teams. ReFS is closely associated with storage infrastructure, virtualization and workstation features, but vulnerable file-system code can be present even where users do not knowingly maintain an everyday ReFS data volume.
Asset inventories should therefore use operating-system build and update status as the primary check. Searching only for servers with existing ReFS-formatted drives risks missing vulnerable endpoints whose ReFS code could still be invoked when they encounter crafted content.
Organizations that cannot update immediately should apply additional scrutiny to unfamiliar disk images, virtual hard disks and removable storage, without presenting those controls as a proven workaround for this specific flaw. Email gateways and endpoint controls may help reduce delivery opportunities, but they do not correct the vulnerable ReFS implementation.
Security teams should also monitor for new technical analysis. A future proof of concept could clarify the triggering user action and reveal whether Windows automatically processes enough crafted metadata through common preview, mount or attachment workflows to make exploitation easier than the sparse advisory currently suggests.
For now, CVE-2026-50362 sits below the urgency of an actively exploited zero-day but above the threshold for routine deferral. Its low attack complexity, lack of a prerequisite account and potential for complete system compromise make the July 2026 cumulative update the only dependable remediation, especially on administrator workstations, virtualization hosts and Windows servers that routinely handle untrusted storage content.
Detailed in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability is classified as Important and described as a Windows Resilient File System remote code execution flaw. Despite that title, Microsoft’s CVSS vector identifies it as a local attack requiring user interaction, not a network service that can be compromised directly from the internet.
Administrators should deploy the July 2026 cumulative security updates rather than treating ReFS as a server-only concern. Microsoft’s affected-product data includes mainstream Windows 11 builds and older Windows 10 releases alongside Windows Server installations.
ReFS Processing Crosses a Memory Boundary
CVE-2026-50362 is categorized as CWE-122, a heap-based buffer overflow. This class of vulnerability occurs when software writes more data into a heap-allocated memory region than the region can safely hold, potentially corrupting nearby objects, pointers or control data.Microsoft says successful exploitation could result in local code execution with high confidentiality, integrity and availability impact. The CVSS vector is
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, producing the 7.8 score.That vector supplies several important qualifications:
- The attack vector is local rather than network-based.
- Attack complexity is rated low.
- The attacker does not need existing privileges.
- A separate user must perform some action.
- Successful exploitation can have a high impact across confidentiality, integrity and availability.
The requirement for user interaction limits the flaw’s reach, but it does not make exploitation harmless. Malicious disk images and crafted file-system content can be distributed through email, collaboration platforms, downloads or removable media, placing the vulnerable parsing code behind an otherwise ordinary user action.
The “Remote Code Execution” Name Needs Context
Microsoft’s title follows its impact taxonomy: successful exploitation results in attacker-controlled code running on the affected machine. It does not mean an untrusted internet client can send one packet to an exposed ReFS volume and immediately take control.The local attack-vector rating means an attacker must first get crafted content into a context where the target system processes it. The user-interaction requirement indicates that exploitation cannot be completed solely at the attacker’s initiative. Those conditions lower exposure compared with a wormable Windows service vulnerability, but they still leave room for phishing and targeted intrusion scenarios.
No privileges are required before exploitation. That distinction matters because the malicious content can reportedly be prepared and delivered by someone who has no valid account on the target computer. The attacker’s challenge is convincing a user or administrator to perform the necessary interaction.
CISA’s initial assessment lists no known exploitation and considers the vulnerability non-automatable, while assigning a total technical impact if exploitation succeeds. The National Vulnerability Database was still awaiting its own enrichment as of July 15, one day after Microsoft released the update.
There is therefore no evidence at publication time that CVE-2026-50362 is being exploited in the wild. There is also no public proof-of-concept exploit identified in the available advisories. Microsoft’s confirmation of the vulnerability and its low-complexity rating nevertheless give defenders a clear reason to patch before more technical information becomes available.
Windows 11 and Server Builds Need the July Baseline
Microsoft’s affected-version records identify the first fixed build for each Windows branch. Systems running an earlier build remain vulnerable unless Microsoft has provided an equivalent update through a specialized servicing channel.The affected branches and fixed build thresholds include:
- Windows 11 24H2 is affected below build 26100.8875.
- Windows 11 25H2 is affected below build 26200.8875.
- Windows 11 26H1 is affected below build 28000.2525.
- Windows 10 22H2 is affected below build 19045.7548.
- Windows 10 21H2 is affected below build 19044.7548.
- Windows 10 version 1809 and Windows Server 2019 are affected below build 17763.9020.
- Windows 10 version 1607 and Windows Server 2016 are affected below build 14393.9339.
- Windows Server 2022 is affected below build 20348.5386.
- Windows Server 2025 is affected below build 26100.33158.
The presence of Windows 11 in the affected list is particularly significant for endpoint teams. ReFS is closely associated with storage infrastructure, virtualization and workstation features, but vulnerable file-system code can be present even where users do not knowingly maintain an everyday ReFS data volume.
Asset inventories should therefore use operating-system build and update status as the primary check. Searching only for servers with existing ReFS-formatted drives risks missing vulnerable endpoints whose ReFS code could still be invoked when they encounter crafted content.
Patch First, Investigate Exposure Second
Microsoft has provided an official fix, and the available public record does not identify a workaround that offers equivalent protection. The practical response is to install the July 14 cumulative updates, verify that systems reach the relevant fixed builds and restart them where required by the servicing process.Organizations that cannot update immediately should apply additional scrutiny to unfamiliar disk images, virtual hard disks and removable storage, without presenting those controls as a proven workaround for this specific flaw. Email gateways and endpoint controls may help reduce delivery opportunities, but they do not correct the vulnerable ReFS implementation.
Security teams should also monitor for new technical analysis. A future proof of concept could clarify the triggering user action and reveal whether Windows automatically processes enough crafted metadata through common preview, mount or attachment workflows to make exploitation easier than the sparse advisory currently suggests.
For now, CVE-2026-50362 sits below the urgency of an actively exploited zero-day but above the threshold for routine deferral. Its low attack complexity, lack of a prerequisite account and potential for complete system compromise make the July 2026 cumulative update the only dependable remediation, especially on administrator workstations, virtualization hosts and Windows servers that routinely handle untrusted storage content.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com