CVE-2026-50441 ReFS Privilege Escalation Fixed in July Windows Updates

CVE-2026-50441, a newly patched elevation-of-privilege vulnerability in the Windows Resilient File System, can allow a locally authenticated attacker to gain higher permissions through an untrusted pointer dereference. Microsoft addressed the flaw in its July 14, 2026 security updates across supported Windows client and server releases, including Windows 11 24H2 and 25H2, Windows Server 2022, and Windows Server 2025.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the vulnerability carries a CVSS 3.1 score of 7.8 High. It requires local access and low privileges, but no user interaction, making it relevant to administrators managing shared servers, virtual desktop infrastructure, developer workstations, and other systems where an attacker may already possess a standard account.
Microsoft describes the underlying weakness as an untrusted pointer dereference in ReFS. Successful exploitation could result in a complete loss of confidentiality, integrity, and availability at the affected security boundary, according to Microsoft’s CVSS assessment.

Cybersecurity dashboard shows a ReFS storage system threatened by privilege escalation and a breached filesystem boundary.A Local Foothold Could Become a Full Compromise​

CVE-2026-50441 is not a remote-entry vulnerability. The CVSS vector lists the attack vector as local, with low attack complexity and low privileges required. An attacker must first be authorized to execute code or otherwise operate on the targeted Windows system.
That prerequisite lowers the immediate risk compared with an unauthenticated network vulnerability, but it does not make the bug harmless. Elevation-of-privilege flaws are frequently used as the second stage of an intrusion: an attacker enters through stolen credentials, a malicious document, an exposed application, or another vulnerability, then exploits a local Windows weakness to escape the restrictions of the compromised account.
No separate user needs to open a file or approve an action for the ReFS flaw to be exploited. Microsoft’s scoring also indicates that a successful attack could have high impact across confidentiality, integrity, and availability, the combination typically associated with an attacker reaching a highly privileged context.
The weakness is classified as CWE-822, Untrusted Pointer Dereference. This category covers cases where software uses a pointer whose value cannot be trusted, potentially causing memory access in an unintended location. Microsoft has not publicly provided exploit code, a proof of concept, or the precise ReFS operation required to reach the vulnerable path.
That missing technical detail matters. Defenders currently have enough information to identify vulnerable Windows versions and deploy Microsoft’s fixes, but not enough to build reliable behavior-based detections specifically for CVE-2026-50441.

ReFS Broadens the Server-Side Significance​

ReFS is Microsoft’s storage file system designed around resilience, large data sets, and protection against certain forms of corruption. It appears in Windows Server storage deployments and is also used in scenarios involving Storage Spaces, virtualization, development workloads, and supported Windows client configurations.
The vulnerability record covers a wide span of Windows generations:
  • Windows 10 versions 1607, 1809, 21H2, and 22H2 are listed as affected where those releases remain serviced through the applicable support channel.
  • Windows 11 versions 24H2, 25H2, and 26H1 are listed as affected.
  • Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 are affected.
  • Server Core installations of Windows Server 2016, 2019, and 2025 are explicitly included.
The presence of ReFS volumes should raise the operational priority, but administrators should not assume that systems without an obvious ReFS data drive can safely skip the update. Microsoft distributes the correction through cumulative Windows updates, and the affected-product list is based on vulnerable operating-system builds rather than an administrator’s current storage layout.
That distinction is particularly important for standard enterprise images. A system may not use ReFS today but could later attach, mount, create, or process an ReFS-backed volume as its role changes. Leaving the vulnerable file-system code in place creates avoidable exposure and complicates future provisioning.

July’s Cumulative Updates Establish the Fixed Baseline​

For Windows 11 24H2 and 25H2, the relevant July cumulative update is KB5101650. Installation moves Windows 11 24H2 to OS build 26100.8875 and Windows 11 25H2 to build 26200.8875.
Microsoft’s affected-version data identifies earlier builds in those branches as vulnerable. The practical verification point is therefore straightforward: managed Windows 11 24H2 devices should report build 26100.8875 or later, while 25H2 systems should report build 26200.8875 or later.
The server baselines differ by release. Windows Server 2022 receives KB5099540 and advances to build 20348.5386, while Windows Server 2025 receives KB5099536 and advances to build 26100.33158. Windows Server 2016 and 2019 are corrected by their corresponding July cumulative updates, reaching builds 14393.9339 and 17763.9020 respectively.
Windows 10 versions 21H2 and 22H2 move to builds 19044.7548 and 19045.7548 through the July servicing release. Organizations still operating these versions should verify that the devices are covered by a valid servicing channel rather than treating the appearance of a build number as proof that an edition remains generally supported.
Administrators can validate deployment using winver, PowerShell inventory, Microsoft Intune, Configuration Manager, Windows Server Update Services, or another endpoint-management platform. Scanners should be configured to evaluate the installed build and revision, not merely detect that a July update appears in update history.
Microsoft says it is not currently aware of issues with KB5101650 on Windows 11. Windows Server 2022’s KB5099540 has a documented BitLocker interaction on a limited set of systems using an unrecommended Group Policy configuration that explicitly includes PCR7 when PCR7 binding is reported as unavailable. Enterprises using custom BitLocker platform-validation profiles should review that known issue before broad deployment, while still treating the ReFS correction as a security priority.

“Confirmed” Does Not Mean Exploited​

The vulnerability’s report-confidence rating is Confirmed. In CVSS terminology, that means the vulnerability’s existence and technical basis have been confirmed by the vendor or supported by sufficiently reliable evidence.
It does not mean attacks have been observed in the wild. CISA’s initial decision record lists exploitation as none, and the available public records do not identify CVE-2026-50441 as actively exploited or publicly disclosed before Microsoft released the fix.
The confirmed rating nevertheless removes uncertainty over whether the flaw is real. Microsoft has acknowledged the vulnerable behavior, assigned it a high-severity score, and shipped an official correction. The remaining uncertainty concerns exploit construction and attacker interest, not the existence of the defect.
That makes delaying solely because no public exploit has appeared a weak risk decision. Once researchers compare patched and unpatched ReFS components, additional technical details may emerge through patch diffing. Local privilege-escalation bugs can become significantly more useful when combined with phishing, browser compromise, exposed services, or credential theft.
For enterprise IT, the immediate action is to deploy the July 14 cumulative updates through the normal accelerated security ring, verify the resulting OS builds, and give extra attention to multi-user systems and servers that process ReFS storage. CVE-2026-50441 does not provide an attacker with the first foothold, but on an unpatched Windows machine it may turn a limited account into control of the system.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: tomshardware.com
 

Back
Top