CVE-2026-50428: Install KB5101649 to Fix Windows 11 26H1 Leak

CVE-2026-50428 exposes information through an out-of-bounds read in the Windows Container Isolation FS Filter Driver, unionfs.sys, on Windows 11 version 26H1. Microsoft rates the flaw Important with a CVSS 3.1 base score of 7.1, but exploitation requires an authenticated attacker with local access and low-level privileges.
Microsoft disclosed the vulnerability through the Microsoft Security Response Center on July 14, 2026. The National Vulnerability Database describes the issue as CWE-125, an out-of-bounds read that can allow an authorized local attacker to obtain information the driver should not disclose.
The practical response is straightforward: Windows 11 26H1 devices should be running OS build 28000.2269 or later. Microsoft’s affected-version data identifies builds earlier than 28000.2269 as vulnerable, while the July cumulative update, KB5101649, moves systems to build 28000.2525.

Windows 11 security infographic highlights a unionfs.sys memory flaw and secure patch build 28000.2525.The Vulnerable Surface Is Narrow but Sensitive​

unionfs.sys is part of the Windows Container Isolation file-system infrastructure. A union file system presents content from multiple storage layers as one logical file-system view, an approach commonly associated with container images and their writable layers.
Because this processing occurs in a Windows file-system filter driver, a bounds-checking mistake can cross an important isolation boundary. In this case, Microsoft says the defect is an out-of-bounds read: the driver may read data beyond the memory region that the operation was supposed to access.
That does not automatically give an attacker permission to modify files or execute arbitrary kernel code. It can, however, reveal memory contents that should remain inaccessible, potentially exposing data useful for reconnaissance or for weakening another security control.
Microsoft’s CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. In practical terms, the published assessment says the attack:
  • Must be initiated locally rather than across the network.
  • Requires low privileges on the affected system.
  • Has low attack complexity.
  • Does not require another user to click or open anything.
  • Does not directly produce an integrity impact under Microsoft’s scoring.
The reported high confidentiality impact is the central concern. The CVSS vector also assigns a high availability impact, although the public description and vulnerability title focus on information disclosure rather than a separately documented denial-of-service condition.

Windows 11 26H1 Is the Only Listed Target​

The CVE record currently identifies Windows 11 version 26H1 on x64 and Arm64 systems as affected. It does not list Windows 11 24H2, Windows 11 25H2, or supported Windows Server releases.
That distinction matters because 26H1 is not the normal annual feature update for the existing Windows PC population. Microsoft describes Windows 11 26H1 as a release intended for new hardware platforms introduced during 2026, rather than an in-place upgrade offered to PCs running 24H2 or 25H2.
As a result, many administrators will not find any 26H1 devices in their estates. Organizations evaluating or deploying newly released hardware should not assume that their standard Windows 11 24H2 and 25H2 compliance reports cover these machines, however. Build 28000 systems need to be identified and checked separately.
Administrators can confirm the installed version by running winver, checking Settings > System > About, or querying device inventory through Microsoft Intune, Configuration Manager, Windows Update for Business reporting, or another endpoint-management platform. The relevant minimum is OS build 28000.2269.
Microsoft released build 28000.2269 as KB5095051 on June 9, 2026. That version boundary indicates that systems which successfully installed the June cumulative update already contain the correction, despite CVE-2026-50428 being publicly documented during the July security release.
The July 14 update, KB5101649, supersedes that package and advances Windows 11 26H1 to build 28000.2525. Because Windows cumulative updates include previous fixes, installing KB5101649 also remediates systems that missed the June release.

The Risk Depends on What an Attacker Already Controls​

CVE-2026-50428 is not a drive-by compromise and cannot be triggered directly from an unauthenticated network connection according to Microsoft’s published vector. An attacker first needs the ability to run code or otherwise perform an authorized local action on the affected Windows device.
That prerequisite lowers the urgency compared with a remotely exploitable vulnerability in a network-facing service. It does not make the issue irrelevant, particularly on shared workstations, development systems, container hosts, build machines, or endpoints where lower-trust users and workloads coexist.
Information-disclosure flaws are often valuable as parts of exploit chains. Memory exposure can potentially reveal addresses, fragments of sensitive data, or implementation details that make another vulnerability easier to exploit. Microsoft has not published technical evidence that CVE-2026-50428 can expose any particular credential, key, container secret, or kernel address, so those possibilities should not be presented as confirmed outcomes.
The known evidence currently supports a more restrained conclusion: a locally authenticated attacker can cause unionfs.sys to read outside an intended boundary, and Microsoft considers the resulting confidentiality and availability effects significant enough for a 7.1 score.
The Zero Day Initiative’s July 2026 security update review lists the vulnerability as Important and records no known exploitation or public disclosure at release. CISA’s initial SSVC data likewise reports no active exploitation and classifies automated exploitation as unlikely.
There is consequently no public indication that defenders are racing against an established attack campaign. The priority should still increase in environments where untrusted users can sign in locally, developers execute unreviewed container workloads, or exposed systems form part of a privileged build and deployment pipeline.

Patch Compliance Is the Primary Control​

Microsoft has not documented a workaround or configuration-based mitigation specific to CVE-2026-50428. The durable remediation is to install the applicable cumulative update and verify that the operating-system build has advanced beyond the affected range.
For most organizations, the useful checks are limited and concrete:
  • Inventory Windows 11 version 26H1 devices, including new Arm64 and x64 hardware that may sit outside established deployment rings.
  • Confirm that each device is running build 28000.2269 or later.
  • Prefer KB5101649 and build 28000.2525 where July updates have been approved for production.
  • Investigate devices that report successful update installation but continue to expose an older build number.
  • Apply normal least-privilege controls because exploitation requires an authenticated local foothold.
There is little justification for disabling Windows container features preemptively without evidence that patch deployment is impossible. The vulnerability record does not provide a tested workaround, and disabling container-related components can disrupt development, testing, security tooling, or application delivery while offering uncertain protection.
Security teams should also avoid treating the CVSS score as evidence of remote compromise. A score of 7.1 communicates the vendor’s assessment of overall technical impact, but the local attack vector and low-privilege prerequisite remain essential when setting deployment priority.

Sparse Technical Detail Leaves Exploitability Unsettled​

The public record confirms the vulnerable component, weakness class, attack locality, privilege requirement, affected builds, and corrected build threshold. Microsoft has not released a proof of concept, a detailed description of the malformed operation, or an explanation of exactly what memory can be exposed.
The National Vulnerability Database was still awaiting its own enrichment shortly after publication, relying primarily on Microsoft’s CVE data. That gives defenders high confidence that the vulnerability exists and has been corrected, but much less visibility into how reliably it can be triggered or combined with other bugs.
For administrators, that uncertainty does not change the remediation. Windows 11 26H1 systems below build 28000.2269 remain the actionable population, and KB5101649 provides the current cumulative route to build 28000.2525. The next meaningful development will be either deeper technical research into unionfs.sys or evidence of exploitation; until then, verified build compliance is the clearest measure of exposure.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
 

Back
Top