CVE-2026-50492 ReFS RCE: Install July 2026 Windows Updates

Microsoft’s July 14, 2026 security updates fix CVE-2026-50492, a heap-based buffer overflow in the Windows Resilient File System that can let an unauthenticated attacker execute code after gaining physical access to a vulnerable machine. Despite Microsoft naming it a “Remote Code Execution Vulnerability,” the published CVSS vector identifies a physical attack path rather than exploitation over a network.
The Microsoft Security Response Center rates the ReFS flaw Important, with a CVSS 3.1 base score of 6.8. Microsoft’s advisory and the corresponding National Vulnerability Database record describe the vulnerability as confirmed, while current assessments show no public disclosure or known exploitation in the wild.
For administrators, the action is straightforward: install the July 2026 cumulative security update and verify that each system has reached the corrected build for its Windows release. The vulnerability spans supported Windows 11 and Windows Server versions as well as several Windows 10 releases still receiving security servicing.

IT security team monitors corrupted storage and system vulnerabilities in a server room.“Remote” Does Not Mean Network-Exploitable Here​

The most important detail is buried in the scoring data. CVE-2026-50492 carries the vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, where AV:P means the attack vector is physical.
This is not the classic remote-code-execution scenario in which an attacker sends a malicious packet to an exposed Windows service. Microsoft says an attacker needs physical access, requires no existing privileges and does not need a logged-in user to take a separate action.
The likely risk model is therefore a crafted storage device or other attacker-controlled media presented to a vulnerable Windows system, although Microsoft has not published enough technical detail to establish the exact delivery mechanism. Because the flaw resides in ReFS processing, Windows may encounter the malicious data when it accesses or attempts to mount an affected ReFS volume.
That distinction materially changes prioritization. CVE-2026-50492 is not an Internet worm candidate based on the currently published vector, but it remains relevant to workstations and servers where removable drives, externally supplied disks, recovered storage, virtual disks or transferred disk images enter the environment.
The impact metrics are all rated High. Successful exploitation could compromise confidentiality, integrity and availability within the affected security authority, meaning code execution could expose data, alter system state or make resources unavailable.

A Buffer Overflow at the Filesystem Boundary​

Microsoft classifies CVE-2026-50492 as CWE-122, a heap-based buffer overflow. This class of vulnerability occurs when software writes more data into a heap allocation than the allocation can safely hold, potentially corrupting adjacent memory.
In a filesystem driver, that is a particularly sensitive boundary. Filesystem code must parse structures that can originate on storage media, and it operates close to the Windows kernel and the data that applications depend on. A malformed structure that merely crashes a parser is disruptive; one that gives an attacker enough control over memory corruption can become a route to arbitrary code execution.
Microsoft has not disclosed the specific ReFS structure, parsing operation or Windows component involved. There is also no public proof of concept identified in the initial advisory, limiting defenders’ ability to create reliable content-based detections for malicious media.
The report-confidence metric is nevertheless marked Confirmed. In CVSS terms, that means the vulnerability’s existence has been validated through detailed reporting, functional reproduction, available source evidence or vendor acknowledgement. It does not mean Microsoft has published exploitation instructions, and it should not be interpreted as evidence that attackers are already using the flaw.
Microsoft’s temporal assessment places exploit-code maturity at Unproven and remediation at Official Fix. The resulting temporal score is 5.9, below the 6.8 base score but not low enough to justify ignoring affected systems.

The Patch Reaches Deep Into the Supported Windows Estate​

The affected-product record covers Windows 11 24H2, Windows 11 25H2 and Windows 11 26H1 on x64 and Arm64 hardware. Windows Server 2016, Server 2019, Server 2022 and Server 2025 are also included, with Server Core installations explicitly listed where applicable.
Microsoft additionally identifies Windows 10 versions 1607, 1809, 21H2 and 22H2. Those entries include editions or deployments still eligible for servicing through Long-Term Servicing Channel arrangements, Extended Security Updates or other applicable support programs; the presence of a version in the CVE record does not restore support to ordinary consumer installations that have already reached end of service.
The corrected build thresholds published with the CVE provide a useful compliance check:
  • Windows 11 24H2 is corrected at build 26100.8875, delivered through KB5101650.
  • Windows 11 25H2 is corrected at build 26200.8875, also delivered through KB5101650.
  • Windows 11 26H1 is corrected at build 28000.2525 through KB5101649.
  • Windows Server 2022 is corrected at build 20348.5386 through KB5099540.
  • Windows Server 2025 is corrected at build 26100.33158 through KB5099536.
  • Windows Server 2019 and Windows 10 version 1809 must reach build 17763.9020.
  • Windows Server 2016 and Windows 10 version 1607 must reach build 14393.9339.
  • Windows 10 21H2 and 22H2 must reach builds 19044.7548 and 19045.7548 respectively.
These are cumulative updates, so organizations do not need to deploy a separate ReFS package. Windows Update, Windows Server Update Services, Microsoft Configuration Manager, Intune and other normal patch-management channels can deliver the relevant July update.
Administrators should verify the resulting OS build instead of assuming that an update deployment assignment completed successfully. That matters especially for servers held behind maintenance windows, disconnected recovery systems and devices subject to safeguard holds or failed restarts.

Physical Controls Still Matter After Patch Tuesday​

Because the documented attack vector requires physical access, environments with tightly controlled server rooms and removable-media policies have a meaningful defensive advantage. Those controls reduce exposure, but they are not substitutes for patching.
Physical access is broader than an intruder standing in front of a running server. It can include a contractor connecting supplied storage, an administrator attaching a recovered disk, a technician using diagnostic media or a virtual machine operator mounting an untrusted disk image. Laboratories, repair facilities, digital-forensics teams and organizations that routinely ingest third-party drives should give the update particular attention.
Where immediate deployment is impossible, administrators can reduce risk by preventing untrusted storage from reaching affected hosts and by performing initial inspection on isolated, fully patched systems. Disabling ReFS without understanding workload dependencies is not a sensible blanket response, particularly on Windows Server deployments using ReFS for Storage Spaces, virtualization or backup repositories.
There are no published indicators of compromise for CVE-2026-50492, and the initial assessments cited by SANS Internet Storm Center show neither public disclosure nor active exploitation. Detection efforts should therefore concentrate on operational signals such as unexpected crashes during storage attachment, unusual device-mount events and unexplained kernel failures, while recognizing that these symptoms are not specific enough to prove exploitation.
The practical priority is balanced rather than alarmist: this is a confirmed code-execution vulnerability with severe potential impact, but its physical attack requirement sharply limits mass exploitation. Windows fleets that installed the July 14 cumulative updates and reached the documented fixed builds are protected; systems that handle untrusted disks or remain outside normal patch orchestration are the ones that now deserve a direct inventory check.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: thewincentral.com
 

Back
Top