CVE-2026-56175: Install July Updates to Fix Windows NTFS Privilege Escalation

Microsoft’s July 14, 2026 security updates fix CVE-2026-56175, a High-severity Windows NTFS elevation-of-privilege flaw that can allow a low-privileged local attacker to gain broader control of an affected PC or server. The immediate action is straightforward: deploy the July cumulative update across supported Windows clients and servers, then verify the resulting OS build rather than relying on update approval alone.
Microsoft’s Security Response Center lists the issue as a Windows NTFS vulnerability, while the National Vulnerability Database identifies the root class as a heap-based buffer overflow, tracked as CWE-122. The vulnerability carries a CVSS 3.1 score of 7.8, with low attack complexity, low privileges required, no user interaction required, and high potential impact to confidentiality, integrity, and availability.
This is not a remote code execution bug and it is not currently known to be exploited in the wild. But that distinction should not invite complacency. Local privilege-escalation flaws are routinely useful after an attacker has obtained a foothold through phishing, an unpatched application, a stolen standard-user credential, malware running without administrative rights, or access to a shared workstation.

Cybersecurity dashboard showing July 2026 Windows patches, deployment progress, and a heap overflow threat.A low-privilege foothold can become a full compromise​

NTFS is Windows’ default file system and sits squarely in the operating system’s trusted storage stack. Microsoft’s description says an authorized attacker can exploit the heap-based buffer overflow locally to elevate privileges. In practical terms, “authorized” means the attacker must already be able to run code or sign in with a legitimate account; it does not mean the account must already be an administrator.
The CVSS vector matters here. The flaw is rated local attack vector, low complexity, low privileges required, and no user interaction. That means an exploit would not depend on persuading a victim to open a specially crafted file at the moment of attack, nor would it require a complicated race or unusual system configuration according to the scoring model.
Microsoft’s assessment currently marks exploitation as less likely for the latest software release, with no public disclosure and no detected exploitation. The NVD’s SSVC enrichment likewise records exploitation as none and automation as no. Those are useful prioritization signals, but not a reason to defer the update through a long monthly change window: public patch analysis and reverse engineering tend to make previously obscure flaws easier to study after Patch Tuesday.
The potential impact is especially important on multi-user systems, virtual desktop infrastructure, terminal servers, developer workstations, and servers where a service account or application pool may have limited local rights. Privilege escalation can turn an otherwise contained intrusion into an incident involving credential theft, security-tool tampering, persistence, lateral movement, or ransomware staging.

July’s patch reaches more than current Windows 11 PCs​

CVE-2026-56175 has an unusually broad affected-product list. According to Microsoft’s advisory data as reflected by NVD, it spans Windows 10, Windows 11, and Windows Server releases going back to Windows Server 2012 and Windows 10 version 1607.
For administrators, the most useful compliance check is the installed build number after deploying the July 2026 security update:
  • Windows 11 version 24H2 should be at build 26100.8875 or later, and Windows 11 version 25H2 should be at build 26200.8875 or later.
  • Windows 11 version 26H1 should be at build 28000.2525 or later.
  • Windows 10 version 21H2 and 22H2 should be at builds 19044.7548 and 19045.7548 or later.
  • Windows Server 2022 should be at build 20348.5386 or later, while Windows Server 2025 should be at build 26100.33158 or later.
  • Windows Server 2019 and Windows 10 version 1809 require build 17763.9020 or later; Windows Server 2016 and Windows 10 version 1607 require build 14393.9339 or later.
  • Windows Server 2012 and Windows Server 2012 R2 require builds 9200.26226 and 9600.23291, respectively.
For mainstream Windows 11 24H2 and 25H2 deployments, the relevant July package is KB5101650. Microsoft’s release notes identify it as the cumulative update that moves supported systems to the protected builds. Windows Server 2022 receives the fix through KB5099540. Windows 10 Enterprise LTSC 2021, Windows 10 IoT Enterprise LTSC 2021, and Windows 10 systems covered by Extended Security Updates receive the July fixes through KB5099539.
That Windows 10 qualifier deserves attention. Microsoft ended free Windows 10 version 22H2 support on October 14, 2025. Organizations that still operate it need to confirm that their devices are entitled to and receiving Extended Security Updates; a Windows 10 machine outside ESU coverage will not simply become compliant because the CVE appears in the July catalog.

Patch verification matters more than an “installed” status​

The July cumulative updates do more than address CVE-2026-56175, and the month’s Windows packages contain notable platform changes and servicing considerations. Microsoft’s Windows 11 notes flag a temporary availability hold for KB5101650 on a limited set of Dell PCs with Intel processors because of reported shutdown, performance, heat, and battery-drain behavior. That may leave some endpoints behind the target build even where Windows Update is otherwise healthy.
Microsoft also documents a BitLocker recovery-key risk on a limited set of Windows Server 2022 systems with a specific, nonrecommended PCR7 Group Policy configuration. The company recommends auditing the policy and checking Secure Boot PCR7 binding status before deployment. This is not a CVE-2026-56175 workaround; it is an operational caveat that should shape server rollout planning.
For managed environments, the safer sequence is to approve the cumulative update, install it in a representative ring, restart where required, and validate both the KB and build number through endpoint management or inventory tooling. A device that has downloaded an update but has not completed its restart remains an incomplete remediation case.
Administrators should also avoid treating NTFS as a narrow desktop-only concern. NTFS is present on standard client installations, Server Core deployments, and full server installations alike. Systems may have different cumulative-update packages, but the exposure condition is fundamentally the same: an NTFS-capable Windows build below Microsoft’s fixed version threshold.

The absence of a workaround keeps the focus on servicing​

Microsoft lists no mitigation or workaround for CVE-2026-56175. Restricting local logon rights, applying least privilege, maintaining endpoint detection, and isolating administrative workflows can reduce the opportunity for a local attacker to reach the vulnerable code path, but none removes the underlying defect.
That makes the patch decision simpler than it is for many Windows security advisories. There is no registry switch to evaluate, no service to disable, and no feature to remove without collateral effects. The durable fix is the July 2026 security update appropriate to the installed Windows release.
CVE-2026-56175 is not the headline zero-day in July’s exceptionally large Microsoft patch release. It is, however, the kind of flaw that becomes consequential when a separate intrusion has already succeeded. The next milestone for defenders is not waiting for public exploit code; it is confirming that every supported Windows endpoint and server has crossed Microsoft’s fixed build threshold.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
 

Back
Top