Microsoft has patched CVE-2026-54109, an integer-overflow vulnerability in the Windows Resilient File System that can lead to code execution on affected Windows clients and servers. Despite Microsoft’s “Remote Code Execution” title, the company’s technical description says an authorized attacker executes code locally, making this a storage-input threat rather than a remotely reachable network service flaw.
The vulnerability was disclosed in Microsoft’s July 14, 2026 security updates and carries an Important rating with a CVSS 3.1 score of 7.8. Microsoft had not identified public disclosure or active exploitation at release time, according to the Microsoft Security Response Center entry and the July update review published by Trend Micro’s Zero Day Initiative.
Administrators should install the July 2026 cumulative updates, particularly on systems that mount or process ReFS volumes supplied by users, customers, backup workflows, virtual machines, or removable storage.
CVE-2026-54109 is classified as an integer overflow or wraparound in ReFS. The published weakness mappings include CWE-190 for integer overflow and CWE-122 for a heap-based buffer overflow, indicating that an unsafe arithmetic result can lead to memory corruption while Windows processes ReFS data structures.
That distinction matters because the filesystem driver operates in a highly privileged part of Windows. A malformed filesystem does not need to arrive as a conventional executable to become dangerous; the vulnerable code can be reached when Windows interprets attacker-controlled storage metadata.
Microsoft’s concise description says the flaw allows an authorized attacker to execute code locally. The 7.8 CVSS score is also consistent with an attack that has serious confidentiality, integrity, and availability consequences once triggered, but is not directly exploitable across the network without an intermediate delivery and processing step.
In practical terms, administrators should treat untrusted ReFS media and disk images as executable-risk content until the receiving system is patched. Potential delivery paths include physical disks, virtual hard disks, storage passed through to virtual machines, forensic images, backup media, and other workflows capable of presenting a ReFS filesystem to Windows.
Microsoft has not publicly documented a complete exploit sequence or identified the precise ReFS structure that triggers the overflow. There was also no public proof of concept associated with CVE-2026-54109 at disclosure, so claims that a particular file, VHDX operation, or automatic-mount behavior is sufficient would currently go beyond the available evidence.
The published description places the attacker locally and calls the attacker authorized. There is no indication that an unauthenticated adversary can simply send packets to a ReFS-enabled server and execute code, nor has Microsoft described the vulnerability as wormable.
The remote element is more plausibly the delivery of malicious storage content from somewhere outside the target machine. An attacker might persuade a user or administrator to attach, import, restore, or otherwise expose Windows to a crafted ReFS volume. That still produces remote code execution as the final security impact, but it carries different defensive implications from an open network port.
This makes patch priority contextual rather than negligible. A locked-down workstation that never handles external disk images has less exposure than a Hyper-V host, backup server, storage lab, malware-analysis environment, or support system that routinely receives disks and virtual drives from outside its trust boundary.
ReFS is also more common in server and storage-heavy deployments than on ordinary consumer PCs. Microsoft designed it for data integrity, large volumes, virtualization scenarios, and resilient storage, meaning the machines most likely to encounter it may also hold valuable data or run infrastructure workloads.
The fixed build thresholds published with the CVE include:
The broad product list also means administrators should not assume a machine is unaffected merely because its primary volumes use NTFS. The vulnerable ReFS implementation is part of Windows, and exposure can arise when the system encounters ReFS-formatted storage rather than only when the boot or data drive is formatted with it.
That concentration suggests Microsoft corrected a wider set of unsafe conditions in ReFS parsing and memory handling, although the individual CVEs should not automatically be assumed to share one root cause. CVE-2026-54109 is specifically associated with integer overflow and heap-buffer-overflow behavior.
The July release itself was unusually large. BleepingComputer counted 570 Microsoft vulnerabilities addressed that month, including 145 remote-code-execution issues and three zero-days across the wider product portfolio. That volume creates a prioritization problem, but the ReFS group deserves attention on storage infrastructure precisely because several related attack surfaces were corrected at once.
Security teams should avoid treating “exploitation less likely” or the absence of known attacks as a reason to defer indefinitely. Filesystem vulnerabilities can become valuable after researchers compare pre- and post-patch binaries, identify the corrected arithmetic, and construct malicious volume metadata.
Until deployment is complete, sensible temporary controls include restricting who can attach virtual disks, limiting removable-storage access, scanning the origin of backup and forensic media, and avoiding the mounting of untrusted ReFS volumes on production systems. Those measures reduce exposure but do not replace the update.
The immediate milestone is therefore concrete: bring affected machines to the July 2026 build levels and verify them. The unresolved question is how quickly enough technical detail will emerge to turn this confirmed ReFS memory-corruption bug into a practical exploit—an interval defenders should use for patching, not observation.
The vulnerability was disclosed in Microsoft’s July 14, 2026 security updates and carries an Important rating with a CVSS 3.1 score of 7.8. Microsoft had not identified public disclosure or active exploitation at release time, according to the Microsoft Security Response Center entry and the July update review published by Trend Micro’s Zero Day Initiative.
Administrators should install the July 2026 cumulative updates, particularly on systems that mount or process ReFS volumes supplied by users, customers, backup workflows, virtual machines, or removable storage.
An Integer Overflow Reaches the ReFS Parser
CVE-2026-54109 is classified as an integer overflow or wraparound in ReFS. The published weakness mappings include CWE-190 for integer overflow and CWE-122 for a heap-based buffer overflow, indicating that an unsafe arithmetic result can lead to memory corruption while Windows processes ReFS data structures.That distinction matters because the filesystem driver operates in a highly privileged part of Windows. A malformed filesystem does not need to arrive as a conventional executable to become dangerous; the vulnerable code can be reached when Windows interprets attacker-controlled storage metadata.
Microsoft’s concise description says the flaw allows an authorized attacker to execute code locally. The 7.8 CVSS score is also consistent with an attack that has serious confidentiality, integrity, and availability consequences once triggered, but is not directly exploitable across the network without an intermediate delivery and processing step.
In practical terms, administrators should treat untrusted ReFS media and disk images as executable-risk content until the receiving system is patched. Potential delivery paths include physical disks, virtual hard disks, storage passed through to virtual machines, forensic images, backup media, and other workflows capable of presenting a ReFS filesystem to Windows.
Microsoft has not publicly documented a complete exploit sequence or identified the precise ReFS structure that triggers the overflow. There was also no public proof of concept associated with CVE-2026-54109 at disclosure, so claims that a particular file, VHDX operation, or automatic-mount behavior is sufficient would currently go beyond the available evidence.
The Name Overstates the Network Angle
Microsoft’s vulnerability titles use “Remote Code Execution” as an impact category, and that wording can imply a wormable flaw in components such as SMB, RDP, DHCP, or TCP/IP. CVE-2026-54109 should not be read that way based on the information available on July 14.The published description places the attacker locally and calls the attacker authorized. There is no indication that an unauthenticated adversary can simply send packets to a ReFS-enabled server and execute code, nor has Microsoft described the vulnerability as wormable.
The remote element is more plausibly the delivery of malicious storage content from somewhere outside the target machine. An attacker might persuade a user or administrator to attach, import, restore, or otherwise expose Windows to a crafted ReFS volume. That still produces remote code execution as the final security impact, but it carries different defensive implications from an open network port.
This makes patch priority contextual rather than negligible. A locked-down workstation that never handles external disk images has less exposure than a Hyper-V host, backup server, storage lab, malware-analysis environment, or support system that routinely receives disks and virtual drives from outside its trust boundary.
ReFS is also more common in server and storage-heavy deployments than on ordinary consumer PCs. Microsoft designed it for data integrity, large volumes, virtualization scenarios, and resilient storage, meaning the machines most likely to encounter it may also hold valuable data or run infrastructure workloads.
Supported Windows Generations Need the Fix
Microsoft’s affected-product data spans current Windows 11 releases, supported Windows 10 servicing branches, and multiple Windows Server generations. Both full installations and Server Core are affected where listed.The fixed build thresholds published with the CVE include:
- Windows 10 Version 1607 and Windows Server 2016 must reach build 14393.9339 or later.
- Windows 10 Version 1809 and Windows Server 2019 must reach build 17763.9020 or later.
- Windows 10 Version 21H2 must reach build 19044.7548 or later.
- Windows 10 Version 22H2 must reach build 19045.7548 or later.
- Windows 11 Version 24H2 must reach build 26100.8875 or later.
- Windows 11 Version 25H2 must reach build 26200.8875 or later.
- Windows 11 version 26H1 must reach build 28000.2269 or later.
- Windows Server 2022 must reach build 20348.5386 or later.
- Windows Server 2025 must reach build 26100.33158 or later.
The broad product list also means administrators should not assume a machine is unaffected merely because its primary volumes use NTFS. The vulnerable ReFS implementation is part of Windows, and exposure can arise when the system encounters ReFS-formatted storage rather than only when the boot or data drive is formatted with it.
July’s ReFS Cluster Raises the Priority
CVE-2026-54109 did not arrive alone. Zero Day Initiative’s July 2026 review lists seven ReFS remote-code-execution fixes and five ReFS elevation-of-privilege fixes in the same update release, most carrying CVSS scores of 7.8.That concentration suggests Microsoft corrected a wider set of unsafe conditions in ReFS parsing and memory handling, although the individual CVEs should not automatically be assumed to share one root cause. CVE-2026-54109 is specifically associated with integer overflow and heap-buffer-overflow behavior.
The July release itself was unusually large. BleepingComputer counted 570 Microsoft vulnerabilities addressed that month, including 145 remote-code-execution issues and three zero-days across the wider product portfolio. That volume creates a prioritization problem, but the ReFS group deserves attention on storage infrastructure precisely because several related attack surfaces were corrected at once.
Security teams should avoid treating “exploitation less likely” or the absence of known attacks as a reason to defer indefinitely. Filesystem vulnerabilities can become valuable after researchers compare pre- and post-patch binaries, identify the corrected arithmetic, and construct malicious volume metadata.
Until deployment is complete, sensible temporary controls include restricting who can attach virtual disks, limiting removable-storage access, scanning the origin of backup and forensic media, and avoiding the mounting of untrusted ReFS volumes on production systems. Those measures reduce exposure but do not replace the update.
The immediate milestone is therefore concrete: bring affected machines to the July 2026 build levels and verify them. The unresolved question is how quickly enough technical detail will emerge to turn this confirmed ReFS memory-corruption bug into a practical exploit—an interval defenders should use for patching, not observation.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com