CVE-2026-50461: Patch Windows NTFS RCE With July 14 Updates

Microsoft has patched CVE-2026-50461, a heap-based buffer overflow in Windows NTFS that can lead to remote code execution when a user interacts with malicious content. The flaw carries a CVSS 3.1 score of 7.8 and affects supported Windows 10, Windows 11, and Windows Server releases, including Server Core installations.
Detailed in Microsoft’s July 14, 2026 Security Update Guide, CVE-2026-50461 is rated Important rather than Critical because exploitation is not a direct, unauthenticated network attack. The CVSS characteristics indicate that an attacker needs no existing privileges, but must persuade a user to open or otherwise process attacker-controlled content on the vulnerable computer.
Microsoft has not reported active exploitation or public disclosure. The Zero Day Initiative’s July security review also lists the vulnerability as neither publicly known nor exploited in the wild, placing it below the two actively exploited flaws in this month’s unusually large Microsoft security release.

Cybersecurity illustration of an NTFS vulnerability, malicious files, servers, and a security update in progress.Remote Code Execution Does Not Mean Wormable​

The vulnerability’s title can give the impression that any exposed Windows PC or server is remotely attackable through NTFS. Microsoft’s scoring tells a more constrained story: the attack vector is local and user interaction is required.
In practice, remote code execution describes the attacker’s outcome, not necessarily the delivery path. A malicious file might arrive through email, a browser download, cloud storage, a network share, removable media, or another application before NTFS processes the crafted data locally. Microsoft has not publicly documented the exact file, volume, or operation required to reach the vulnerable code path.
The weakness is classified as CWE-122, a heap-based buffer overflow. This class of memory-safety error occurs when software writes beyond the allocated boundary of a buffer on the heap, potentially corrupting adjacent memory and allowing carefully controlled data to redirect execution.
A successful exploit could consequently run code with the privileges of the process or user that triggers the vulnerable operation. If the targeted user routinely works with administrative rights, the resulting compromise could give an attacker substantially more control than it would under a standard account.
That makes familiar Windows hardening measures relevant even though they do not repair the underlying NTFS defect. Standard-user accounts, application controls, attachment filtering, browser isolation, and blocking unexpected disk-image or archive formats can all reduce exposure while updates move through testing.

NTFS Exposure Spans Client and Server Windows​

CVE-2026-50461 reaches across a broad Windows estate because NTFS remains the default file system for typical Windows installations. Microsoft’s affected-product data includes Windows 10 Version 1607, Version 1809, Version 21H2, and Version 22H2, along with Windows 11 Version 24H2, Version 25H2, and Version 26H1.
The server list extends from Windows Server 2012 and Server 2012 R2 through Windows Server 2016, Server 2019, Server 2022, and Server 2025. Server Core variants are also affected where Microsoft offers them, so removing the desktop experience does not remove this exposure.
Administrators can use Microsoft’s fixed build levels as a direct compliance check. Systems below the following versions remain in an affected range:
  • Windows 10 Version 1607 must reach build 14393.9339 or later.
  • Windows 10 Version 1809 and Windows Server 2019 must reach build 17763.9020 or later.
  • Windows 10 Version 21H2 must reach build 19044.7548 or later.
  • Windows 10 Version 22H2 must reach build 19045.7548 or later.
  • Windows 11 Version 24H2 must reach build 26100.8875 or later.
  • Windows 11 Version 25H2 must reach build 26200.8875 or later.
  • Windows 11 Version 26H1 must reach build 28000.2269 or later.
  • Windows Server 2022 must reach build 20348.5386 or later.
  • Windows Server 2025 must reach build 26100.33158 or later.
For older server platforms, Windows Server 2012 must reach build 9200.26226, while Windows Server 2012 R2 must reach build 9600.23291. Those systems require particular attention because updates may depend on Extended Security Updates or other servicing arrangements rather than ordinary mainstream support.
Among the associated July packages, Microsoft lists KB5099535 for build 14393.9339, KB5099539 for Windows 10 builds 19044.7548 and 19045.7548, KB5099540 for Windows Server 2022 build 20348.5386, and KB5099536 for Windows Server 2025 build 26100.33158. Windows Server 2012 and 2012 R2 receive their fixes through the applicable July Monthly Rollup or security-only servicing channel.
Inventory tools should verify the resulting OS build rather than merely checking whether a July update appears in installation history. Servicing failures, supersedence rules, pending restarts, and machines that have stopped reporting to Windows Server Update Services or Microsoft Intune can all produce false confidence.

A Large NTFS Cluster Raises the Testing Burden​

CVE-2026-50461 is not the only NTFS remote-code-execution flaw in the July release. The Zero Day Initiative counted a cluster of similarly rated NTFS vulnerabilities, including CVE-2026-49797, CVE-2026-50308, CVE-2026-50386, CVE-2026-50313, CVE-2026-50388, CVE-2026-50448, CVE-2026-50471, CVE-2026-50417, CVE-2026-50482, and CVE-2026-50494.
Most score 7.8 and are rated Important. Their presence suggests that July’s cumulative updates contain substantial changes around Windows file-system handling, although the public advisories do not establish that all of the bugs share one root cause or attack technique.
That concentration is a reason to test storage-heavy workloads carefully, not a reason to defer deployment indefinitely. File servers, backup agents, endpoint security products, disk-encryption software, virtual disk tooling, deduplication products, and applications using file-system filter drivers deserve focused validation because they operate close to NTFS.
Administrators should monitor Event Viewer, storage latency, backup completion, filter-driver failures, unexpected disk checks, and application crashes during pilot deployment. A representative test ring should include systems that mount VHD or VHDX files, process large archives, use redirected profiles, host SMB shares, or run third-party data-loss-prevention and antivirus drivers.
Microsoft has not published a standalone workaround for CVE-2026-50461. Disabling NTFS is not a realistic enterprise mitigation, and restricting SMB alone would not cover files delivered through email, browsers, USB devices, collaboration platforms, or locally mounted images.

Patch Priority Depends on How Files Reach the Machine​

CVE-2026-50461 was not one of July’s known zero-days, but its broad platform coverage and no-privileges-required attack path make it a meaningful workstation threat. Systems used to inspect untrusted submissions, download customer files, process email attachments, or handle removable storage should move toward the front of the deployment queue.
File servers require a more nuanced assessment. The vulnerability is not documented as a simple attack against an open SMB port, but servers can still process attacker-influenced content through backup jobs, indexing services, antivirus scanning, file previews, administrative tools, or users opening files from shared storage.
Security teams should also avoid treating Microsoft’s sparse technical disclosure as evidence of low risk. The existence of the heap overflow and affected build ranges is vendor-confirmed, but the absence of a detailed trigger limits defenders’ ability to construct reliable detection rules or validate whether a particular workflow reaches the flawed code.
The durable fix is the July 14 cumulative update or a later superseding Windows update. Until deployment is complete, organizations should reduce administrative desktop use, scrutinize unexpected archives and disk images, and prioritize machines that routinely ingest files from outside the trust boundary.
With no public exploit or observed attacks reported as of July 15, 2026, administrators have a window to test rather than an excuse to wait. The immediate milestone is straightforward: confirm that every supported endpoint and server has reached Microsoft’s fixed build level, then watch for any revised advisory, proof of concept, or post-update NTFS regression that changes the risk calculation.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: tomshardware.com
 

Back
Top