CVE-2026-50402: Patch Windows NTFS Privilege Escalation

Microsoft has patched CVE-2026-50402, a high-severity elevation-of-privilege vulnerability in Windows NTFS that could let an attacker with existing local access gain greater control of a system. The flaw carries a CVSS 3.1 score of 7.8 and affects supported Windows client and server releases, including Windows 11 24H2, 25H2, and 26H1, as well as Windows Server 2012 through Windows Server 2025.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability stems from an incorrect conversion between numeric types inside NTFS. Microsoft’s CVE record confirms the vulnerability and identifies security updates that raise affected systems to fixed build levels, making this a confirmed product defect rather than a tentative report based solely on third-party research.
The immediate response is straightforward: install the July 2026 Windows security updates and verify that endpoints have reached the remediated build for their release. Microsoft has not reported active exploitation or public disclosure, and its exploitability assessment describes exploitation as less likely, but the bug’s low attack complexity and potential impact make deferred patching difficult to justify on multi-user systems.

Cybersecurity infographic showing CVE-2026-50402 protection, NTFS privilege escalation, and patched Windows systems.Local Access Is the Gate, Not the Safety Net​

CVE-2026-50402 is not a drive-by vulnerability and cannot, on its own, be exploited anonymously over a network. Microsoft’s CVSS vector specifies local access, low attack complexity, low privileges, and no user interaction: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
That combination describes a post-compromise vulnerability. An attacker must first obtain permission to execute code locally, whether through a compromised standard account, malicious software, an exposed service, or another vulnerability. CVE-2026-50402 could then provide the privilege jump needed to move beyond the original account’s restrictions.
This distinction matters, but it should not be mistaken for a strong mitigation. Workstations routinely execute code in non-administrative user contexts, while shared servers may host applications, service accounts, remote sessions, development tools, or virtual desktop users. A flaw that converts limited execution into elevated execution can turn an otherwise contained breach into a system-level incident.
The CVSS impact values are high across confidentiality, integrity, and availability. Microsoft’s assessment indicates that successful exploitation could allow extensive access to protected data, modification of system resources, and disruption of the affected machine, while the unchanged scope means the security impact remains within the vulnerable Windows system.
No victim interaction is required after the attacker has local execution. There is no malicious-document prompt or consent dialog built into the CVSS scenario, reducing the number of moving parts an exploit would need once an attacker is present on the endpoint.

The Defect Sits in a Widely Used Windows Component​

Microsoft describes the root cause as an incorrect conversion between numeric types in NTFS. The CVE record maps the flaw to CWE-681, Incorrect Conversion between Numeric Types, and CWE-126, Buffer Over-read.
Numeric conversion defects can occur when code interprets a value using a type that cannot safely represent its original size, range, or signedness. In low-level filesystem code, the resulting calculation can cause subsequent memory operations to use an invalid length, offset, or boundary. Microsoft has not published enough technical detail to identify the exact NTFS operation or data structure involved in CVE-2026-50402.
The accompanying buffer-over-read classification suggests that the faulty conversion can lead code to read beyond an intended memory boundary. That description helps categorize the weakness, but it is not a public exploitation recipe. There is currently no vendor-supplied proof of concept, trigger-file description, or detailed account of which NTFS interface reaches the vulnerable path.
NTFS makes the breadth of the affected-product list unsurprising. It remains the standard filesystem for Windows system volumes and is involved in ordinary file, directory, metadata, permission, and storage operations. A vulnerability in this layer can consequently cross workstation and server boundaries even when the attack itself requires local access.
CVE-2026-50402 was also one of many NTFS vulnerabilities addressed in Microsoft’s unusually large July 2026 Patch Tuesday release. BleepingComputer’s Patch Tuesday catalog lists multiple NTFS elevation-of-privilege, remote-code-execution, and information-disclosure fixes, indicating that administrators should treat the cumulative Windows update as the remediation unit rather than attempting to isolate this single correction.

Fixed Builds Span Current and Legacy Windows Fleets​

Microsoft’s affected-version data establishes the first remediated builds for each Windows branch. Systems below these thresholds remain vulnerable unless an equivalent or superseding update has been installed.
  • Windows 11 24H2 is affected before build 26100.8875.
  • Windows 11 25H2 is affected before build 26200.8875.
  • Windows 11 26H1 is affected before build 28000.2269.
  • Windows 10 22H2 is affected before build 19045.7548.
  • Windows 10 21H2 is affected before build 19044.7548.
  • Windows 10 version 1809 and Windows Server 2019 are affected before build 17763.9020.
  • Windows 10 version 1607 and Windows Server 2016 are affected before build 14393.9339.
  • Windows Server 2022 is affected before build 20348.5386.
  • Windows Server 2025 is affected before build 26100.33158.
  • Windows Server 2012 is affected before build 9200.26226, while Windows Server 2012 R2 is affected before build 9600.23291.
Server Core installations are included for Windows Server 2012, 2012 R2, 2016, 2019, and 2025 where listed by Microsoft. The absence of a desktop shell therefore does not remove exposure; the vulnerable component is part of the operating system rather than an optional graphical application.
The inclusion of Windows 10 21H2, Windows 10 22H2, and Windows Server 2012-era systems also requires attention to servicing eligibility. Devices running editions outside normal support will not necessarily receive fixes merely because a remediated build exists. Administrators should confirm that Extended Security Updates or the appropriate servicing channel is active instead of relying only on a successful Windows Update scan.
Build verification can be performed through winver, PowerShell, endpoint-management inventory, or the operating-system build fields collected by Microsoft Intune, Configuration Manager, Windows Server Update Services, and third-party management platforms. For enterprise reporting, checking the build number is more reliable than recording that a July update was “approved,” since approval does not prove installation and restart completion.

Confidence Does Not Equal Exploitation​

The vulnerability information has a high degree of confidence because Microsoft, the product vendor, acknowledged the defect, assigned the CVE, supplied a technical classification, listed affected versions, and shipped corrected builds. The National Vulnerability Database received the record from Microsoft and, as of July 15, was still awaiting its own enrichment assessment.
That confidence says the vulnerability is real and the remediation is defined. It does not mean attackers are currently exploiting it.
Microsoft’s Patch Tuesday data marks CVE-2026-50402 as not publicly disclosed and not exploited, with exploitation assessed as less likely. CISA’s initial Stakeholder-Specific Vulnerability Categorization record likewise listed no observed exploitation, although it judged exploitation automatable and the potential technical impact total. Those fields can change if proof-of-concept code, technical research, or incident evidence appears after publication.
The lack of known exploitation lowers the case for emergency disruption outside normal change controls, especially compared with the actively exploited vulnerabilities in the same July release. It does not support leaving the update pending indefinitely. Local privilege-escalation vulnerabilities are often chained with phishing, browser, document, application, or remote-service flaws that supply the initial foothold they cannot obtain themselves.
Organizations should prioritize shared hosts, remote desktop infrastructure, developer workstations, jump servers, and endpoints where users can execute downloaded applications. Security teams should also watch for unexpected privileged process creation, service installation, security-control tampering, and unusual activity originating from standard user sessions, rather than expecting an NTFS-specific alert to identify exploitation.
For most managed environments, CVE-2026-50402 belongs in the normal accelerated Patch Tuesday cycle: test the July cumulative updates, deploy them to exposed and multi-user systems first, complete required restarts, and confirm the resulting OS builds. The decisive milestone is not update approval but evidence that vulnerable Windows installations have crossed Microsoft’s fixed-build thresholds.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top