CVE-2026-50386 NTFS RCE Fixed in KB5101650 and KB5099539

Microsoft has fixed CVE-2026-50386, an Important-rated heap buffer overflow in Windows NTFS that can lead to code execution when a user interacts with malicious content. The correction arrived in the July 14, 2026 cumulative Windows updates, including KB5101650 for Windows 11 24H2 and 25H2 and KB5099539 for supported Windows 10 installations.
Despite Microsoft’s “Windows NTFS Remote Code Execution Vulnerability” title, this is not a network-reachable, zero-click compromise. Microsoft’s CVSS vector classifies the attack as local and requiring user interaction, meaning an attacker must first persuade someone to open, mount, or otherwise process specially crafted content.
Microsoft assigned CVE-2026-50386 a CVSS 3.1 base score of 7.8. The company’s disclosure, reflected in the National Vulnerability Database, identifies the underlying weakness as CWE-122, a heap-based buffer overflow, and describes a successful attack as capable of compromising confidentiality, integrity, and availability.
As of the original July 14 disclosure, Microsoft assessed exploitation as less likely. The vulnerability was not publicly disclosed before the update and Microsoft reported no evidence that attackers were exploiting it in the wild.

Cybersecurity illustration showing NTFS protection against malware from external drives and network threats.The “Remote” Label Needs Qualification​

The vulnerability’s name sounds like an attacker can send traffic directly to an exposed Windows machine and take control. Its CVSS vector tells a more constrained story: AV:L indicates a local attack vector, PR:N means the attacker does not need prior privileges, and UI:R confirms that another user must take an action.
That combination is consistent with a malicious-file or crafted-storage attack rather than a wormable NTFS service exposed to the internet. An attacker could package malformed filesystem data into content delivered through email, instant messaging, a download, removable media, or another social-engineering route. Windows would then have to process that data through the vulnerable NTFS code path.
The distinction matters for triage. Administrators do not need to treat CVE-2026-50386 like an unauthenticated SMB or TCP/IP vulnerability that can be exploited simply by reaching a listening port. They should instead consider where untrusted files, disk images, virtual disks, backup media, and removable storage are routinely handled.
“Local” does not mean harmless. The absence of a privilege requirement means an attacker does not need an existing account on the target before presenting the malicious content, and successful exploitation could execute attacker-controlled code in the security context of the affected process. The user-interaction requirement lowers immediacy, but phishing and malicious attachments remain common ways of satisfying precisely that condition.

NTFS Makes the Blast Radius Broad​

NTFS is the default filesystem across mainstream Windows client and server deployments, so CVE-2026-50386 affects a long span of Windows releases. Microsoft’s affected-product data includes Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 24H2, 25H2, and 26H1; and Windows Server releases extending through Windows Server 2025, including Server Core installations.
The fixed build thresholds provide a practical way to verify deployment. Windows 11 24H2 must be updated to build 26100.8875, while Windows 11 25H2 moves to build 26200.8875 through KB5101650. Supported Windows 10 21H2 and 22H2 systems receive builds 19044.7548 and 19045.7548 through KB5099539.
Windows Server 2022 receives KB5099540 and advances to build 20348.5386. Windows Server 2025 is also covered by the July cumulative update, as are older server versions still receiving security servicing through applicable support or extended-security channels.
Because Windows updates are cumulative, organizations do not need a separate NTFS hotfix solely for CVE-2026-50386. Installing the appropriate July 2026 cumulative security update—or a later update that supersedes it—delivers the correction.
That broad coverage also means inventory accuracy matters. Windows 10 devices still operating under Extended Security Updates should not be confused with unsupported consumer installations, and older Windows Server machines may depend on specific servicing channels. A vulnerability scanner showing CVE-2026-50386 should be checked against the installed OS build and not merely the visible Windows marketing version.

July’s NTFS Queue Is Larger Than One CVE​

CVE-2026-50386 is one of numerous NTFS issues addressed in Microsoft’s unusually large July 2026 security release. As catalogued by BleepingComputer and the Zero Day Initiative, the month includes multiple NTFS remote-code-execution, elevation-of-privilege, and information-disclosure vulnerabilities.
That concentration changes how defenders should approach testing. Rather than validating only whether a scanner clears CVE-2026-50386, IT teams should confirm that the complete cumulative update has installed successfully and that machines are no longer reporting any of the superseded NTFS findings from the July release.
It also makes attempts to isolate one vulnerable NTFS function less useful. Microsoft has not published enough technical detail to derive a reliable file-extension block, storage policy, or registry workaround for this specific heap overflow. Blocking one type of attachment could provide false assurance if the vulnerable parser is reachable through another container or filesystem workflow.
Until every endpoint is patched, established controls remain the practical fallback:
  • Users should not open unexpected disk images, archives, virtual-drive files, or attachments from untrusted sources.
  • Email and web gateways should continue scanning compressed and containerized content rather than relying only on filename extensions.
  • Security teams should monitor unusual child processes launched after users mount media or open downloaded storage-related files.
  • Administrators should restrict removable-media use on systems where untrusted devices are not operationally necessary.
  • Servers that routinely ingest customer uploads, backup sets, virtual disks, or forensic images should receive earlier attention than systems with tightly controlled input.
These controls reduce exposure but do not replace the update. Heap corruption can produce unpredictable results, and a defensive product may see only the later stages of exploitation rather than the malformed NTFS data that triggered it.

Patch Testing Has Its Own July Complications​

For most PCs, the direct action is to install KB5101650 on Windows 11 24H2 or 25H2 and KB5099539 on eligible Windows 10 systems. Microsoft currently lists no general known issue for either of those client updates, although KB5101650 was temporarily unavailable to a limited set of Dell devices with Intel processors because of a separate compatibility investigation involving shutdowns, heat, performance, and battery drain.
Server administrators have an additional deployment concern. Microsoft says some Windows Server 2022 systems with an unrecommended BitLocker Group Policy configuration may request the recovery key on the first restart after KB5099540. The condition involves OS-drive BitLocker, explicit PCR7 inclusion, an unavailable PCR7 binding, and deployment of the newer Windows UEFI CA 2023 certificate.
That is not a reason to leave an NTFS code-execution vulnerability unpatched. It is a reason to verify BitLocker recovery-key escrow and audit the relevant PCR policy before rebooting production servers.
The July cumulative updates also introduce networking hardening that can disrupt applications using unregistered third-party Transport Driver Interface transports. Organizations testing legacy networking, storage, backup, or monitoring agents should distinguish those compatibility changes from the NTFS security fix rather than assuming any post-update failure is caused by CVE-2026-50386 remediation.
Microsoft currently considers exploitation less likely, but the vulnerability is confirmed, carries a 7.8 score, and sits in a filesystem component present across most Windows estates. The useful dividing line is the installed build: Windows 11 systems below 26100.8875 or 26200.8875, Windows 10 systems below 19044.7548 or 19045.7548, and affected servers below their July 14 servicing levels remain exposed.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top