CVE-2026-50501 ReFS RCE: Install July Updates for Windows 11 and Server 2025

Microsoft has patched CVE-2026-50501, a high-severity Windows Resilient File System vulnerability that can allow an unauthenticated attacker to execute code after a user interacts with attacker-controlled content. The flaw affects Windows 11 versions 24H2, 25H2, and 26H1, as well as Windows Server 2025 and its Server Core installation option.
Detailed in Microsoft’s July 14, 2026 security release, CVE-2026-50501 carries a CVSS 3.1 score of 7.8 and an “Important” severity rating. Microsoft describes the underlying weakness as a stack-based buffer overflow in ReFS, tracked under CWE-121.
The immediate action is straightforward: deploy the July cumulative updates and confirm that affected systems have reached the fixed build numbers. Microsoft has not identified active exploitation or public disclosure, but successful exploitation could compromise confidentiality, integrity, and availability on the targeted machine.

Cybersecurity server room showing Windows virtualization, ReFS storage, a vulnerable stack buffer, and backup protection.The RCE Label Needs Some Translation​

Microsoft’s advisory title calls CVE-2026-50501 a “Remote Code Execution Vulnerability,” while the CVE description says it allows an attacker to execute code locally. Those statements are not necessarily contradictory, but administrators should not read the title as evidence of a wormable, network-facing ReFS service.
The Microsoft-supplied CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In practical terms, the attack vector is local, exploitation complexity is low, no existing privileges are required, and user interaction is necessary. The vulnerability is therefore not described as something an anonymous internet attacker can trigger simply by sending packets to an exposed Windows Server.
“Remote code execution” is the impact category: an attacker could deliver malicious content from elsewhere and ultimately execute code on the victim’s computer. The available public record does not yet specify the exact delivery mechanism or the interaction needed to reach the vulnerable ReFS code path, so assumptions about crafted disk images, virtual disks, removable media, or particular file operations remain unconfirmed.
That distinction matters for incident prioritization. CVE-2026-50501 does not carry the same immediate exposure profile as an unauthenticated RCE in Remote Desktop Services, SMB, or a public-facing web server. It nevertheless combines low attack complexity with no privilege requirement and potentially complete system impact once its prerequisites are met.
CISA’s initial Stakeholder-Specific Vulnerability Categorization records no known exploitation and assesses the vulnerability as not readily automatable. It rates the potential technical impact as total, reflecting the possibility of code execution rather than establishing that exploitation is currently occurring.

July’s Builds Close the ReFS Overflow​

The affected-version information published through the CVE record establishes clear minimum fixed builds:
  • Windows 11 version 24H2 must be updated to build 26100.8875 or later.
  • Windows 11 version 25H2 must be updated to build 26200.8875 or later.
  • Windows 11 version 26H1 must be updated to build 28000.2525 or later.
  • Windows Server 2025 must be updated to build 26100.33158 or later.
  • Windows Server 2025 Server Core must be updated to build 26100.33158 or later.
For Windows 11 versions 24H2 and 25H2, the relevant July cumulative package is KB5101650, which raises the systems to builds 26100.8875 and 26200.8875 respectively. Microsoft distributes it through Windows Update, Windows Update for Business, Windows Server Update Services, and the Microsoft Update Catalog.
Windows 11 version 26H1 receives KB5101649, bringing supported machines to build 28000.2525. Version 26H1 is the hardware-specific Windows release Microsoft introduced for select new devices rather than an in-place feature update for existing 24H2 or 25H2 PCs.
Windows Server 2025 receives KB5099536, which advances both Desktop Experience and Server Core installations to build 26100.33158. The cumulative nature of these packages means organizations do not need a separate CVE-specific installer once the corresponding July update is applied successfully.
Administrators can run winver for a quick interactive check or use their normal PowerShell, Configuration Manager, Intune, Azure Update Manager, WSUS, or vulnerability-management inventory to verify builds at scale. Checking that an update was merely offered or downloaded is insufficient; the installed OS build must meet or exceed Microsoft’s fixed version.

ReFS Makes Server Exposure the Operational Priority​

ReFS is Microsoft’s modern file system for workloads that emphasize data integrity, scalability, virtualization, and resilience against corruption. It is especially relevant to Windows Server deployments, Storage Spaces, large data volumes, and virtualization infrastructure, even though ReFS support also exists in current Windows 11 releases and specialized workstation configurations.
That makes Windows Server 2025 the most obvious operational priority. Storage and virtualization hosts tend to hold valuable data, operate with broad access to infrastructure, and have stricter maintenance constraints than ordinary endpoints. A code-execution flaw in their file-system handling deserves prompt testing rather than being deferred solely because Microsoft has not observed exploitation.
Server Core is explicitly listed as affected. Organizations cannot assume that removing the graphical shell eliminates exposure, because the vulnerable component belongs to the operating system’s file-system implementation rather than a desktop application.
CVE-2026-50501 is also not the only ReFS issue in the July 2026 release. The Zero Day Initiative’s Patch Tuesday review lists a cluster of ReFS remote-code-execution and elevation-of-privilege vulnerabilities, many with scores around 7.8. That concentration increases the value of deploying the complete cumulative update instead of trying to reason about one CVE in isolation.
For endpoint teams, Windows 11 24H2 and 25H2 remain in scope regardless of whether users knowingly format drives as ReFS. Security servicing decisions should follow Microsoft’s affected-product list, not an assumption that the vulnerable code is harmless unless the system’s primary volume uses ReFS.

Patch First, Investigate the Delivery Path Second​

Microsoft has not published a workaround in the available vulnerability record, nor has it documented a configuration switch that fully neutralizes CVE-2026-50501. Disabling normal storage workflows or attempting to remove ReFS functionality without vendor guidance could create more availability risk than it removes.
A proportionate deployment plan should prioritize Windows Server 2025 storage and Hyper-V systems, followed by administrative workstations and Windows 11 devices that routinely handle untrusted files, removable media, downloaded virtual disks, or customer-supplied data. Standard attachment controls, application isolation, least privilege, and restrictions on mounting untrusted storage content remain useful defenses, but they do not replace the security update.
Organizations with tightly controlled server change windows should test KB5099536 against storage, backup, clustering, deduplication, virtualization, and disaster-recovery workflows. Microsoft’s update notes currently list an existing WSUS reporting limitation but do not identify a CVE-2026-50501-specific compatibility problem.
The vulnerability’s public evidence remains relatively limited one day after disclosure: Microsoft has confirmed the stack-based overflow, assigned the CVSS vector, identified the affected builds, and issued patches, but has not released exploit mechanics. That uncertainty is a reason to avoid speculative detection rules—not a reason to postpone remediation.
The defensible end state is concrete: Windows 11 24H2 on build 26100.8875, Windows 11 25H2 on 26200.8875, Windows 11 26H1 on 28000.2525, and Windows Server 2025 on 26100.33158 or newer. Until those builds are installed, affected systems retain a low-complexity ReFS memory-corruption flaw with potential for full code execution.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: thewincentral.com
 

Back
Top