CVE-2026-50672: Install July Updates to Fix Windows NTFS Privilege Escalation

Microsoft has fixed CVE-2026-50672, an Important-rated Windows NTFS vulnerability that could let a locally authenticated attacker elevate privileges and gain broad control of an affected PC or server. The flaw was disclosed on July 14, 2026, as part of Microsoft’s July Patch Tuesday updates and affects supported Windows 10, Windows 11, and Windows Server releases.
Detailed in Microsoft’s Security Update Guide, CVE-2026-50672 carries a CVSS 3.1 base score of 7.0. Microsoft identifies the underlying problems as a use-after-free memory-safety error and a race condition within Windows NTFS.
Administrators should deploy the applicable July cumulative update rather than treating the score as permission to defer. NTFS operates deep inside Windows, and a successful elevation-of-privilege exploit could turn an initial low-privilege foothold into complete compromise of the local system.

Cybersecurity illustration showing a kernel vulnerability, Patch Tuesday update, and protection against hackers.The Attack Starts Locally but Can End at Full Control​

CVE-2026-50672 is not a drive-by vulnerability that an unauthenticated attacker can trigger directly across the internet. Microsoft’s CVSS vector says the attacker needs local access and low-level privileges before attempting exploitation; no user interaction is required once those conditions are met.
The distinction matters, but it does not make the flaw harmless. Attackers commonly arrive on Windows endpoints through phishing, stolen credentials, a malicious document, a vulnerable application, or another remote-code-execution flaw. Local privilege escalation is often the next step, allowing malware running as an ordinary user to break through Windows permission boundaries.
Microsoft assigns high potential impact across confidentiality, integrity, and availability. In practical terms, successful exploitation could let an attacker access protected information, alter system resources, disable security controls, install persistent malware, or disrupt the machine.
The vulnerability’s attack complexity is rated high. That indicates exploitation depends on conditions beyond simply calling a vulnerable NTFS function, which is consistent with Microsoft’s classification of the weakness as both a race condition and use-after-free issue. An attacker may have to manipulate timing and memory state reliably enough to reach the vulnerable path before Windows changes or releases the underlying object.
High attack complexity can reduce exploit reliability, especially across different builds, processors, and security configurations. It should not be confused with limited post-exploitation impact: Microsoft’s vector still assigns high impact in all three core security categories if the attack succeeds.

A Use-After-Free Bug Reaches Into the File System​

NTFS is the default file system for most Windows installations and handles far more than ordinary file reads and writes. Its responsibilities include permissions, metadata, reparse points, alternate data streams, journaling, compression, encryption integration, quotas, and interactions with kernel-mode file-system filters.
A use-after-free condition occurs when software continues using an object after its associated memory has been released. If an attacker can influence what occupies that memory afterward, the stale reference may expose data, corrupt memory, crash the system, or redirect execution.
Microsoft also maps CVE-2026-50672 to improper synchronization around a shared resource. That race-condition classification suggests two or more operations can interact in an unsafe sequence, creating a window in which NTFS handles an object whose state or lifetime has changed unexpectedly.
Microsoft has not published the detailed function, NTFS operation, proof of concept, or exploitation procedure involved. That restraint limits immediate guidance for threat hunters, but it also avoids giving attackers a ready-made roadmap while organizations are still applying the update.
The advisory’s “confirmed” report-confidence value should be read narrowly. It means Microsoft has confirmed the vulnerability and considers the available technical evidence credible; it does not mean exploitation has been observed in the wild.
SANS Internet Storm Center’s July Patch Tuesday listing marks CVE-2026-50672 as neither publicly disclosed nor exploited at release. CISA’s vulnerability decision data likewise recorded no known exploitation and characterized exploitation as non-automatable, while assigning the flaw total technical impact. Those conditions could change as researchers compare patched and unpatched NTFS binaries.

The Affected Build List Spans Clients and Servers​

The CVE record supplied by Microsoft identifies affected installations across several Windows generations. The fixed build thresholds provide administrators with a direct way to validate whether cumulative updates have landed successfully.
  • Windows 10 Version 1809 and Windows Server 2019 require build 17763.9020 or later.
  • Windows 10 Version 21H2 requires build 19044.7548 or later.
  • Windows 10 Version 22H2 requires build 19045.7548 or later.
  • Windows Server 2022 requires build 20348.5386 or later.
  • Windows 11 Version 24H2 requires build 26100.8875 or later.
  • Windows 11 Version 25H2 requires build 26200.8875 or later.
  • Windows 11 Version 26H1 requires build 28000.2525 or later.
  • Windows Server 2025 requires build 26100.33158 or later, including Server Core installations.
The presence of Windows 10 Version 21H2, Version 22H2, and Version 1809 in the affected-product data does not mean every consumer installation of those releases remains eligible for ordinary servicing. Coverage depends on edition, servicing channel, LTSC status, and participation in Microsoft’s Extended Security Updates program.
Windows 11 Version 24H2 and Version 25H2 receive the July fixes through KB5101650. Windows 11 Version 26H1 reaches OS Build 28000.2525 through KB5101649. Because these are cumulative updates, they address CVE-2026-50672 alongside a much larger collection of Windows security and reliability fixes.
The July release is unusually large. As reported by BleepingComputer, Microsoft addressed approximately 570 vulnerabilities across its products during the July 2026 Patch Tuesday cycle, including hundreds of elevation-of-privilege issues. That volume increases the importance of validating the cumulative update itself rather than attempting to track CVE-2026-50672 as an isolated package.

Build Verification Matters More Than a Successful Scan​

Endpoint-management consoles can report an update as installed even when a device is awaiting a restart, has rolled back during servicing, or has not checked in with current inventory. For this vulnerability, administrators should verify the resulting OS build against Microsoft’s fixed-build thresholds.
On an individual machine, winver provides a quick build check. PowerShell, Windows Admin Center, Microsoft Intune, Configuration Manager, Azure Arc, and vulnerability-management platforms can perform the same validation across larger fleets.
Security teams should give particular attention to multi-user systems, Remote Desktop Session Hosts, developer workstations, administrative jump boxes, and servers where untrusted or partially trusted code can execute. The need for an authenticated local position makes those systems more attractive than a tightly controlled single-user endpoint.
Server Core is not an escape hatch. Microsoft explicitly lists Server Core installations of Windows Server 2019 and Windows Server 2025 among the affected products, reinforcing that the vulnerability resides below the graphical Windows shell.
There is no published configuration workaround that provides the same protection as installing the security update. Disabling NTFS is not a practical mitigation for a normal Windows system, and restricting removable storage would address only one possible route to file-system interaction—not the vulnerable component itself.
Defensive controls still matter while updates move through testing. Application control, least-privilege account policies, reduced interactive logon rights, credential protection, and endpoint detection can make it harder for an attacker to obtain the local foothold needed to reach CVE-2026-50672. None removes the underlying NTFS flaw.
The immediate task is therefore straightforward: deploy the July 14 cumulative update, restart where required, and confirm that every managed device has crossed its fixed-build threshold. The next risk milestone will be the appearance of public technical analysis or exploit code, at which point an Important-rated local NTFS bug could become considerably easier to incorporate into real-world attack chains.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top