CVE-2026-50422, a newly patched Windows NTFS elevation-of-privilege vulnerability, allows a locally authenticated attacker to gain higher privileges through an out-of-bounds read in the file-system component. Microsoft released the fix on July 14, 2026, as part of its monthly security updates, assigning the flaw a CVSS 3.1 base score of 7.8 and an Important severity rating.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the vulnerability affects supported Windows client and server releases across multiple generations. Administrators should deploy the July cumulative updates rather than treating this as a narrowly scoped NTFS issue: the affected code is part of the operating system, and Microsoft has not published a separate workaround.
Microsoft’s initial assessment says exploitation has not been detected. CISA’s accompanying SSVC record likewise lists exploitation as “none” and says automated exploitation is not expected, but it classifies the potential technical impact as total.
CVE-2026-50422 is not remotely exploitable over the network by itself. Microsoft’s CVSS vector —
That requirement materially changes the immediate risk. An unauthenticated attacker cannot simply direct network traffic at an exposed Windows system and trigger the NTFS defect, and the vulnerability does not require another user to open a file, approve a prompt, or perform any other action.
The absence of user interaction still makes the flaw useful after an initial compromise. Malware operating under a standard account could potentially exploit CVE-2026-50422 to escape the restrictions placed on that account, reaching privileges that enable credential theft, security-control tampering, persistence, or access to protected system data.
This is the familiar role of a local elevation-of-privilege vulnerability in a multi-stage intrusion. A phishing attachment, stolen Remote Desktop credential, vulnerable application, or malicious insider provides the foothold; the NTFS flaw could then provide the step upward.
Microsoft has not released sufficient technical detail to show exactly which NTFS operation triggers the vulnerable read or how reliable exploitation would be. There is also no public proof-of-concept identified in the initial advisories, so claims about a specific exploit sequence should be treated cautiously.
An out-of-bounds read is sometimes associated primarily with information disclosure or process crashes. In this case, however, Microsoft has explicitly classified the result as elevation of privilege and scored all three impact categories — confidentiality, integrity, and availability — as high.
That distinction matters. The CVSS score is not describing a harmless disclosure of a few bytes from a user-mode application. Microsoft’s assessment indicates that successful exploitation can cross a meaningful security boundary and produce extensive consequences on the compromised system.
The attack complexity is rated low, meaning Microsoft does not believe exploitation depends on specialized conditions outside the attacker’s control. That does not necessarily mean a working exploit is simple to create: turning a kernel-adjacent memory error into dependable privilege escalation can require substantial reverse engineering. It does mean that, once the necessary technique is developed, unusual deployment conditions are not expected to be a major obstacle.
CISA’s “not automatable” assessment offers some reassurance at internet scale, but it should not be read as a reason to postpone patching. That designation reflects the current characteristics of the vulnerability and available knowledge, not a guarantee that attackers cannot package exploitation into malware or post-compromise tooling.
Confirmed affected client releases include:
Some of these Windows 10 and Windows Server versions are no longer supported for ordinary consumer or mainstream deployments. Their appearance in the CVE record does not mean every installation automatically receives the update through standard Windows Update. Organizations using Extended Security Updates, Long-Term Servicing Channel releases, or other specialized servicing programs must confirm that the correct July package is available and assigned to each device group.
For Windows 11 version 26H1, the applicable July update is KB5101649, which advances the operating system to build 28000.2525. Windows 10 version 1607 moves to build 14393.9339 through KB5099535, while Windows 10 version 1809 moves to build 17763.9020 through KB5099538.
Administrators should use the OS build as the final verification point rather than relying solely on a management console reporting that a July update was offered. A device can remain below the fixed build because an update failed, was rolled back, is awaiting a restart, or was withheld by a deployment ring.
The vulnerability is also relevant to servers that appear protected because ordinary users cannot administer them. Least privilege limits an attacker’s starting position, but local escalation flaws are designed specifically to defeat that separation after an account or application has been compromised.
Deployment teams should prioritize the normal July 2026 cumulative security update, verify that the machine reaches the fixed build, and monitor for installation failures or unexpected rollbacks. Endpoint detection policies should continue to flag suspicious behavior by low-privileged processes, particularly attempts to spawn privileged children, alter protected services, access credential material, or disable security tools.
There is currently no evidence that CVE-2026-50422 is under active attack, and its local-access requirement makes it less urgent than a remotely exploitable Windows service flaw or a confirmed zero-day. Its low attack complexity, lack of user interaction, and potentially complete system impact nevertheless make the July cumulative update the practical fix, not an optional hardening measure.
The next meaningful change in risk will come if researchers publish technical analysis or proof-of-concept code. Until then, defenders have a favorable window: Microsoft shipped the correction before known exploitation, and affected systems can close the NTFS privilege-escalation path simply by reaching their applicable July 14, 2026 build.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the vulnerability affects supported Windows client and server releases across multiple generations. Administrators should deploy the July cumulative updates rather than treating this as a narrowly scoped NTFS issue: the affected code is part of the operating system, and Microsoft has not published a separate workaround.
Microsoft’s initial assessment says exploitation has not been detected. CISA’s accompanying SSVC record likewise lists exploitation as “none” and says automated exploitation is not expected, but it classifies the potential technical impact as total.
Local Access Keeps It Out of the Wormable Category
CVE-2026-50422 is not remotely exploitable over the network by itself. Microsoft’s CVSS vector — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — indicates that an attacker must already have local access and low-level privileges on the target machine.That requirement materially changes the immediate risk. An unauthenticated attacker cannot simply direct network traffic at an exposed Windows system and trigger the NTFS defect, and the vulnerability does not require another user to open a file, approve a prompt, or perform any other action.
The absence of user interaction still makes the flaw useful after an initial compromise. Malware operating under a standard account could potentially exploit CVE-2026-50422 to escape the restrictions placed on that account, reaching privileges that enable credential theft, security-control tampering, persistence, or access to protected system data.
This is the familiar role of a local elevation-of-privilege vulnerability in a multi-stage intrusion. A phishing attachment, stolen Remote Desktop credential, vulnerable application, or malicious insider provides the foothold; the NTFS flaw could then provide the step upward.
Microsoft has not released sufficient technical detail to show exactly which NTFS operation triggers the vulnerable read or how reliable exploitation would be. There is also no public proof-of-concept identified in the initial advisories, so claims about a specific exploit sequence should be treated cautiously.
An Out-of-Bounds Read With High Security Impact
Microsoft categorizes the underlying weakness as CWE-125, an out-of-bounds read. This class of memory-safety error occurs when software reads beyond the valid boundary of a buffer, potentially exposing adjacent memory or causing behavior that was not intended by the developer.An out-of-bounds read is sometimes associated primarily with information disclosure or process crashes. In this case, however, Microsoft has explicitly classified the result as elevation of privilege and scored all three impact categories — confidentiality, integrity, and availability — as high.
That distinction matters. The CVSS score is not describing a harmless disclosure of a few bytes from a user-mode application. Microsoft’s assessment indicates that successful exploitation can cross a meaningful security boundary and produce extensive consequences on the compromised system.
The attack complexity is rated low, meaning Microsoft does not believe exploitation depends on specialized conditions outside the attacker’s control. That does not necessarily mean a working exploit is simple to create: turning a kernel-adjacent memory error into dependable privilege escalation can require substantial reverse engineering. It does mean that, once the necessary technique is developed, unusual deployment conditions are not expected to be a major obstacle.
CISA’s “not automatable” assessment offers some reassurance at internet scale, but it should not be read as a reason to postpone patching. That designation reflects the current characteristics of the vulnerability and available knowledge, not a guarantee that attackers cannot package exploitation into malware or post-compromise tooling.
The Affected Windows List Spans Several Generations
Microsoft’s CVE record covers Windows 11, Windows 10, and Windows Server editions. The breadth is unsurprising for an NTFS defect because the file system remains a foundational component shared across Windows product lines.Confirmed affected client releases include:
- Windows 11 version 24H2 is affected before OS build 26100.8875.
- Windows 11 version 25H2 is affected before OS build 26200.8875.
- Windows 11 version 26H1 is affected before OS build 28000.2525.
- Windows 10 version 22H2 is affected before OS build 19045.7548.
- Windows 10 version 21H2 is affected before OS build 19044.7548.
- Windows 10 version 1809 is affected before OS build 17763.9020.
- Windows 10 version 1607 is affected before OS build 14393.9339.
Some of these Windows 10 and Windows Server versions are no longer supported for ordinary consumer or mainstream deployments. Their appearance in the CVE record does not mean every installation automatically receives the update through standard Windows Update. Organizations using Extended Security Updates, Long-Term Servicing Channel releases, or other specialized servicing programs must confirm that the correct July package is available and assigned to each device group.
For Windows 11 version 26H1, the applicable July update is KB5101649, which advances the operating system to build 28000.2525. Windows 10 version 1607 moves to build 14393.9339 through KB5099535, while Windows 10 version 1809 moves to build 17763.9020 through KB5099538.
Administrators should use the OS build as the final verification point rather than relying solely on a management console reporting that a July update was offered. A device can remain below the fixed build because an update failed, was rolled back, is awaiting a restart, or was withheld by a deployment ring.
Patch the Foothold and the Escalation Path Together
CVE-2026-50422 deserves prompt treatment on shared workstations, Remote Desktop Session Hosts, jump servers, developer systems, virtual desktop infrastructure, and machines where users routinely run downloaded or externally supplied code. Those environments give a low-privileged attacker more opportunities to obtain the local execution required by the CVSS vector.The vulnerability is also relevant to servers that appear protected because ordinary users cannot administer them. Least privilege limits an attacker’s starting position, but local escalation flaws are designed specifically to defeat that separation after an account or application has been compromised.
Deployment teams should prioritize the normal July 2026 cumulative security update, verify that the machine reaches the fixed build, and monitor for installation failures or unexpected rollbacks. Endpoint detection policies should continue to flag suspicious behavior by low-privileged processes, particularly attempts to spawn privileged children, alter protected services, access credential material, or disable security tools.
There is currently no evidence that CVE-2026-50422 is under active attack, and its local-access requirement makes it less urgent than a remotely exploitable Windows service flaw or a confirmed zero-day. Its low attack complexity, lack of user interaction, and potentially complete system impact nevertheless make the July cumulative update the practical fix, not an optional hardening measure.
The next meaningful change in risk will come if researchers publish technical analysis or proof-of-concept code. Until then, defenders have a favorable window: Microsoft shipped the correction before known exploitation, and affected systems can close the NTFS privilege-escalation path simply by reaching their applicable July 14, 2026 build.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com