CVE-2026-50417 NTFS RCE Fixed in Windows July 2026 Updates

Microsoft has fixed CVE-2026-50417, a heap-based buffer overflow in Windows NTFS that can let an authenticated attacker execute code on a vulnerable PC or server. The flaw carries a CVSS 3.1 score of 7.8 and affects supported Windows releases from Windows Server 2012 through Windows Server 2025, as well as Windows 10 and current Windows 11 versions.
Detailed in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability is classified as a Windows NTFS Remote Code Execution vulnerability. However, Microsoft’s CVSS vector and the National Vulnerability Database description show that exploitation is local rather than network-based: an attacker needs low-level privileges on the target, but no additional user interaction once those privileges have been obtained.
The fix is included in Microsoft’s July 2026 cumulative security updates. Administrators should treat CVE-2026-50417 as a post-compromise risk and update endpoints, servers, virtual desktop infrastructure, and other Windows systems where untrusted users or applications can access NTFS-backed storage.

Cybersecurity infographic showing a heap buffer overflow, attack chain, NTFS warning, and patch deployment.The RCE Label Needs Careful Reading​

The words remote code execution normally suggest an attacker can send a malicious packet or file across the internet and immediately take control. CVE-2026-50417 does not have that attack profile, based on the technical information currently published by Microsoft and reflected by NIST.
Its CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, that means exploitation requires local access and low privileges, has low attack complexity, and does not depend on another user clicking a link, opening a document, or approving a prompt.
A successful attack can nevertheless have a severe outcome. Microsoft scores the potential effect on confidentiality, integrity, and availability as high, indicating that exploitation could allow an attacker to read protected information, alter data, run code, or disrupt the affected system.
That distinction matters for patch prioritization. CVE-2026-50417 is not presented as an unauthenticated wormable NTFS vulnerability, but it could become valuable in an exploit chain after an attacker compromises a standard account or gains an initial foothold through phishing, credential theft, a vulnerable application, or another Windows flaw.

A Heap Overflow Inside a Trusted File System​

Microsoft describes the underlying weakness as improper input validation leading to a heap-based buffer overflow in Windows NTFS. The vulnerability is associated with CWE-20, Improper Input Validation, and CWE-122, Heap-based Buffer Overflow.
A heap overflow occurs when software writes beyond the memory allocated for an object stored in the process heap. Depending on the surrounding memory layout and the attacker’s control over the data, corruption can cause anything from an application or operating-system crash to controlled code execution.
NTFS raises the stakes because it is Windows’ primary file system and operates as a deeply trusted operating-system component. Code that handles file-system structures, metadata, streams, permissions, and storage operations sits close to sensitive data and privileged system functions.
Microsoft has not publicly documented the exact malformed structure, NTFS operation, API call, or file-system object needed to trigger CVE-2026-50417. It has also not published proof-of-concept code or enough implementation detail for defenders to create a reliable vulnerability-specific detection rule from the advisory alone.
That lack of detail does not mean the vulnerability is speculative. Microsoft lists the report-confidence metric as confirmed, meaning detailed reports exist, functional reproduction is possible, or Microsoft has independently confirmed the flaw. The metric measures confidence in the technical finding; it does not indicate that attacks have been observed.
CISA’s initial SSVC data lists exploitation as none and assesses the issue as not readily automatable, while recognizing that the potential technical impact is total. As of July 15, 2026, there is no public evidence in the NVD record that CVE-2026-50417 is being exploited in the wild.

Windows 10 and Server Fleets Remain Exposed​

The affected-product list is broad. Microsoft’s CVE record identifies vulnerable builds across the following releases:
  • Windows 10 versions 1607, 1809, 21H2, and 22H2 are affected when they remain on servicing channels eligible for the July updates.
  • Windows 11 versions 24H2, 25H2, and 26H1 are affected on both x64 and Arm64 systems.
  • Windows Server 2012 and Windows Server 2012 R2 are affected, including Server Core installations.
  • Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 are affected.
  • Windows Server 2025 Server Core is affected alongside the Desktop Experience installation.
The record identifies fixed build thresholds rather than merely naming product families. Windows 11 24H2 must reach build 26100.8875, while Windows 11 25H2 must reach build 26200.8875. Microsoft delivers those builds through KB5101650, the July 14 cumulative update for both releases.
Windows 11 26H1 receives its fix in KB5101649, which advances that branch to build 28000.2525. Windows Server 2025 is fixed by KB5099536, bringing it to build 26100.33158.
Other fixed thresholds include build 14393.9339 for Windows 10 1607 and Windows Server 2016, build 17763.9020 for Windows 10 1809 and Windows Server 2019, and build 20348.5386 for Windows Server 2022. Windows 10 21H2 and 22H2 move to builds 19044.7548 and 19045.7548 respectively.
Windows Server 2012 and 2012 R2 require their corresponding Extended Security Updates. Their presence in Microsoft’s affected list should not be interpreted as a return to ordinary mainstream support; organizations still running them need the appropriate ESU entitlement and update path.

Patch the Foothold, Then Hunt for the Chain​

For enterprise IT, the immediate action is straightforward: deploy the July 14, 2026 security cumulative updates and verify that machines have reached or exceeded Microsoft’s fixed build numbers. Simply seeing an update installation marked successful is less useful than checking the resulting OS build through endpoint management, PowerShell inventory, Configuration Manager, Intune, Windows Update for Business reporting, or another asset-management platform.
Internet-facing exposure is not the main prioritization factor for this vulnerability. Systems deserve faster attention when they accept interactive logons from many users, run third-party code under restricted accounts, host shared workloads, or serve as stepping stones to more sensitive infrastructure.
That makes Remote Desktop Session Hosts, developer workstations, jump boxes, multi-user servers, virtual desktop hosts, and systems running user-supplied files or plugins particularly relevant. Domain controllers and critical application servers remain important because the consequences of code execution are greater, even though the published attack vector requires an existing low-privilege foothold.
Organizations unable to update immediately should reduce opportunities for untrusted users and processes to operate locally, review unexpected account creation and logon activity, and monitor crashes or unusual behavior involving file-system operations. Those controls are compensating measures, not substitutes for the security update; Microsoft has not documented a configuration workaround that fully removes the vulnerable NTFS code path.
The most important operational point is that confirmed does not mean actively exploited, while local does not mean harmless. CVE-2026-50417 currently looks like a high-impact building block for privilege-bearing attack chains, and the July cumulative updates are the only dependable boundary between an initial Windows foothold and whatever NTFS code execution could provide next.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top