CVE-2026-50401 exposes information through an out-of-bounds read in the Windows Cloud Files Mini Filter Driver, affecting supported editions of Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Microsoft addressed the flaw in its July 14, 2026 security updates, making deployment of the corresponding cumulative update the primary remediation.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the vulnerability requires an attacker to already have local access and low-level privileges. It does not require user interaction, and successful exploitation could produce a high confidentiality impact without directly changing data or disrupting system availability.
Microsoft assigned CVE-2026-50401 a CVSS 3.1 base score of 5.5, placing it in the Medium severity range. That score should not obscure the practical risk on shared systems, administrative workstations, remote desktop hosts, and servers where sensitive information exposed from kernel memory could assist a larger attack chain.
The Windows Cloud Files Mini Filter Driver supports the operating system’s cloud-file infrastructure. Commonly associated with the
CVE-2026-50401 is classified as CWE-125, an out-of-bounds read. This class of bug occurs when software reads beyond the intended boundary of a memory object, potentially returning adjacent data that should not have been available to the requesting process.
Microsoft’s CVSS vector is
That distinction matters. CVE-2026-50401 is not described as a remote code-execution or privilege-escalation vulnerability, and the available vendor description does not establish that it grants SYSTEM access. Instead, an attacker who has already obtained a foothold could potentially use the driver flaw to retrieve information that would normally remain inaccessible.
The exposed material has not been publicly characterized in Microsoft’s brief advisory. Administrators should therefore avoid assuming that the issue can reveal a particular password, token, encryption key, file, or kernel address. The defensible conclusion is narrower: vulnerable builds may disclose sensitive local information because the driver can read memory outside an intended boundary.
The relevant July 2026 update levels include:
For administrators, inventory should be based on the installed OS build rather than simply whether Windows Update reports that a device was checked recently. Running
Windows 10 adds a servicing wrinkle. Version 22H2 reached the end of standard support on October 14, 2025, so ordinary consumer and commercial installations require enrollment in the Windows 10 Extended Security Updates program to continue receiving fixes such as KB5099539. Windows 10 Enterprise LTSC and IoT Enterprise LTSC editions follow their separate support lifecycles.
For CVE-2026-50401, Microsoft is the assigning authority and has issued an official fix. The vendor description, weakness classification, affected-version ranges, and patched builds provide direct confirmation that the defect exists. That supports a confirmed confidence assessment rather than a speculative or uncorroborated report.
The other CVSS fields carry the operational meaning. Local attack vector and low privileges reduce exposure compared with an unauthenticated network vulnerability, while low attack complexity and no required user interaction make exploitation more straightforward after an attacker reaches the machine. The high confidentiality impact explains why the score remains 5.5 even though integrity and availability impacts are listed as none.
At publication, the NVD entry remains marked as awaiting enrichment and does not provide its own independent CVSS assessment. Its displayed 5.5 score and vector originate from Microsoft. Public information also remains sparse on the exact malformed request, the data structures involved, and the type of information that can be recovered.
That lack of technical detail should temper speculation, not patching. Kernel information disclosures are frequently useful as supporting primitives because protected memory contents or address information can help an attacker bypass defensive assumptions or improve the reliability of another exploit. There is not enough public evidence to say that CVE-2026-50401 provides such a capability in a specific attack chain, but defenders should not treat confidentiality-only driver bugs as harmless.
Disabling
Organizations should prioritize systems where untrusted or semi-trusted users can obtain interactive sessions. That includes Remote Desktop Session Hosts, jump boxes, shared engineering workstations, virtual desktop infrastructure, and servers running workloads under multiple service identities. A local disclosure flaw becomes more valuable when many security contexts coexist on the same Windows installation.
Deployment teams should also test the wider July cumulative update rather than evaluating CVE-2026-50401 in isolation. The same packages contain other security fixes and servicing changes, and Microsoft’s July release notes should be checked for known issues relevant to storage filters, third-party transports, endpoint security agents, and business applications.
The immediate verification target is simple: Windows 11 24H2 should report build 26100.8875 or later, Windows 11 25H2 should report 26200.8875 or later, Windows Server 2022 should report 20348.5386 or later, and Windows Server 2025 should report 26100.33158 or later. Any managed device still below its applicable threshold remains exposed to CVE-2026-50401 until the July 14, 2026 update—or a later cumulative update containing the same fix—is successfully installed.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the vulnerability requires an attacker to already have local access and low-level privileges. It does not require user interaction, and successful exploitation could produce a high confidentiality impact without directly changing data or disrupting system availability.
Microsoft assigned CVE-2026-50401 a CVSS 3.1 base score of 5.5, placing it in the Medium severity range. That score should not obscure the practical risk on shared systems, administrative workstations, remote desktop hosts, and servers where sensitive information exposed from kernel memory could assist a larger attack chain.
A Local Flaw With Kernel-Level Consequences
The Windows Cloud Files Mini Filter Driver supports the operating system’s cloud-file infrastructure. Commonly associated with the cldflt.sys driver, this component participates in the handling of cloud-backed placeholders and file hydration operations used by services such as OneDrive and other applications built on the Windows Cloud Files API.CVE-2026-50401 is classified as CWE-125, an out-of-bounds read. This class of bug occurs when software reads beyond the intended boundary of a memory object, potentially returning adjacent data that should not have been available to the requesting process.
Microsoft’s CVSS vector is
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation is local, has low attack complexity, requires low privileges, and does not need another user to click a link or open a malicious document. The stated impact is limited to confidentiality, but Microsoft rates that confidentiality loss as high.That distinction matters. CVE-2026-50401 is not described as a remote code-execution or privilege-escalation vulnerability, and the available vendor description does not establish that it grants SYSTEM access. Instead, an attacker who has already obtained a foothold could potentially use the driver flaw to retrieve information that would normally remain inaccessible.
The exposed material has not been publicly characterized in Microsoft’s brief advisory. Administrators should therefore avoid assuming that the issue can reveal a particular password, token, encryption key, file, or kernel address. The defensible conclusion is narrower: vulnerable builds may disclose sensitive local information because the driver can read memory outside an intended boundary.
July Updates Establish the Safe Build Line
Microsoft’s affected-version data provides concrete build thresholds for CVE-2026-50401. Systems below the listed builds remain within the vulnerable ranges, while the July security releases move supported devices to the corrected versions.The relevant July 2026 update levels include:
- Windows 10 version 1809 and Windows Server 2019 are corrected by KB5099538, which advances the operating system to build 17763.9020.
- Windows 10 versions 21H2 and 22H2 are corrected by KB5099539, producing builds 19044.7548 and 19045.7548.
- Windows 11 versions 24H2 and 25H2 are corrected by KB5101650, producing builds 26100.8875 and 26200.8875.
- Windows Server 2022 is corrected by KB5099540, which advances the operating system to build 20348.5386.
- Windows Server 2025 is corrected by KB5099536, which advances the operating system to build 26100.33158.
- Windows 11 version 26H1 is outside the affected range once it reaches the applicable serviced build at or above 28000.2269.
For administrators, inventory should be based on the installed OS build rather than simply whether Windows Update reports that a device was checked recently. Running
winver provides a quick manual check, while PowerShell, Configuration Manager, Windows Update for Business reports, or an endpoint-management platform can identify systems below the required build across a fleet.Windows 10 adds a servicing wrinkle. Version 22H2 reached the end of standard support on October 14, 2025, so ordinary consumer and commercial installations require enrollment in the Windows 10 Extended Security Updates program to continue receiving fixes such as KB5099539. Windows 10 Enterprise LTSC and IoT Enterprise LTSC editions follow their separate support lifecycles.
Report Confidence Is Not an Exploitability Rating
The supplied metric text describes the CVSS Report Confidence field, which addresses how firmly the vulnerability’s existence and technical claims have been established. It does not measure how easy the bug is to exploit, how damaging an intrusion would be, or whether attacks have been observed.For CVE-2026-50401, Microsoft is the assigning authority and has issued an official fix. The vendor description, weakness classification, affected-version ranges, and patched builds provide direct confirmation that the defect exists. That supports a confirmed confidence assessment rather than a speculative or uncorroborated report.
The other CVSS fields carry the operational meaning. Local attack vector and low privileges reduce exposure compared with an unauthenticated network vulnerability, while low attack complexity and no required user interaction make exploitation more straightforward after an attacker reaches the machine. The high confidentiality impact explains why the score remains 5.5 even though integrity and availability impacts are listed as none.
At publication, the NVD entry remains marked as awaiting enrichment and does not provide its own independent CVSS assessment. Its displayed 5.5 score and vector originate from Microsoft. Public information also remains sparse on the exact malformed request, the data structures involved, and the type of information that can be recovered.
That lack of technical detail should temper speculation, not patching. Kernel information disclosures are frequently useful as supporting primitives because protected memory contents or address information can help an attacker bypass defensive assumptions or improve the reliability of another exploit. There is not enough public evidence to say that CVE-2026-50401 provides such a capability in a specific attack chain, but defenders should not treat confidentiality-only driver bugs as harmless.
Patch the Driver Instead of Disabling Cloud Files
The appropriate remediation is to install the July cumulative security update for the affected Windows release. Microsoft distributes these packages through Windows Update, Windows Update for Business, Microsoft Update Catalog, and Windows Server Update Services according to the servicing channel available for each product.Disabling
cldflt.sys is not a generally suitable substitute. The driver is part of Windows cloud-file functionality, and removing it from service can interfere with OneDrive Files On-Demand and applications that rely on Cloud Files placeholders. Microsoft’s published resolution is an operating-system update, not a registry workaround or a recommendation to remove cloud synchronization software.Organizations should prioritize systems where untrusted or semi-trusted users can obtain interactive sessions. That includes Remote Desktop Session Hosts, jump boxes, shared engineering workstations, virtual desktop infrastructure, and servers running workloads under multiple service identities. A local disclosure flaw becomes more valuable when many security contexts coexist on the same Windows installation.
Deployment teams should also test the wider July cumulative update rather than evaluating CVE-2026-50401 in isolation. The same packages contain other security fixes and servicing changes, and Microsoft’s July release notes should be checked for known issues relevant to storage filters, third-party transports, endpoint security agents, and business applications.
The immediate verification target is simple: Windows 11 24H2 should report build 26100.8875 or later, Windows 11 25H2 should report 26200.8875 or later, Windows Server 2022 should report 20348.5386 or later, and Windows Server 2025 should report 26100.33158 or later. Any managed device still below its applicable threshold remains exposed to CVE-2026-50401 until the July 14, 2026 update—or a later cumulative update containing the same fix—is successfully installed.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org