Microsoft’s July 14, 2026 security updates fix CVE-2026-56182, a Windows NTFS elevation-of-privilege vulnerability that can let a locally authenticated attacker gain higher permissions through an integer-overflow condition in the file system. The flaw is rated Important, with a CVSS 3.1 base score of 7.8, and should be treated as a prompt patching priority on shared Windows endpoints and servers.
Microsoft published the advisory as part of its July Patch Tuesday release. The National Vulnerability Database describes the issue as an integer overflow or wraparound in Windows NTFS that allows an authorized attacker to elevate privileges locally. In practical terms, this is not a network worm scenario: an attacker must already be able to run code or sign in with a valid account on the target machine. But that is exactly why it matters in post-compromise chains, where an initial foothold is used to reach administrator or SYSTEM-level control.
The vulnerability is addressed in cumulative Windows updates released on July 14. Windows 11 24H2 and 25H2 systems receive the fix through KB5101650, bringing them to builds 26100.8875 and 26200.8875 respectively. Windows 11 version 26H1 receives KB5101649, which advances the build to 28000.2525. Microsoft’s advisory also covers supported Windows 10 releases and a broad range of Windows Server editions.
NTFS is not an optional application component; it is Windows’ default file system and sits beneath ordinary work such as opening documents, extracting archives, installing software, processing temporary files, and running services. An arithmetic error in code handling NTFS structures can be dangerous because a value that grows beyond its expected range may be interpreted incorrectly, potentially leading to memory corruption or unsafe processing.
Microsoft has associated CVE-2026-56182 with both integer-overflow and heap-based-buffer-overflow weakness categories. That combination does not disclose a working exploit path, nor does it establish precisely how an attacker would shape data to trigger the condition. It does, however, tell defenders that the root problem is more serious than a simple permissions misconfiguration: it is a low-level input-handling issue in a component trusted by the operating system.
A successful elevation-of-privilege exploit is generally valuable after another vulnerability, phishing event, malicious installer, or abused low-privilege account has already put code on a machine. From there, higher privileges can enable credential theft, security-tool tampering, persistence, or access to data normally blocked by Windows access controls.
That makes the remediation message straightforward: patch the operating system rather than look for an NTFS configuration switch. Microsoft has not published a mitigation or workaround for systems left unpatched.
Those fields matter, but they should be read carefully. “None” means there is no known exploitation reported to the assessment process; it does not mean the flaw cannot be exploited. “No” for automation suggests this is not presently assessed as a vulnerability that can be broadly and reliably mass-exploited without attacker interaction or environment-specific preparation. The “total” technical-impact value reflects the potential outcome once exploitation succeeds: compromise of confidentiality, integrity, and availability at the affected security boundary.
The score itself reinforces that distinction. CVSS 7.8 is High because the attack complexity is low, no user interaction is required, and the eventual effect can be severe. The vector also requires local access and low privileges, which limits the initial attack surface compared with a remotely exploitable service flaw.
For a managed enterprise, that points to a familiar priority order. Internet-facing remote-code-execution bugs and vulnerabilities already under active attack may take the first emergency window. CVE-2026-56182 should move immediately behind them, especially on systems used by developers, administrators, help desks, contractors, and other users who routinely execute varied software or handle files from outside the organization.
On the server side, the advisory covers Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025, including several Server Core installations. That broad list deserves attention because NTFS flaws can affect high-value infrastructure even when servers have no interactive desktop use.
Among the identifiable July packages are:
That does not make every NTFS CVE interchangeable. Each has its own prerequisites, severity, and exploitability profile. But it does mean that patching solely around CVE-2026-56182 understates the operational benefit of deploying July’s cumulative update: the same maintenance event reduces exposure to a much larger set of Windows issues.
Security teams should avoid confusing CVE-2026-56182 with the higher-urgency vulnerabilities elsewhere in the July release, including flaws Microsoft and outside reporting identify as publicly known or actively exploited. This NTFS issue is not presently in that category. Its risk is instead the second-stage compromise role that local privilege escalation vulnerabilities often play.
The immediate objective is therefore simple: ensure July’s cumulative update is installed, reboot where required, and investigate systems that cannot be patched on schedule. On those exceptions, reduce local code-execution opportunities, limit unnecessary user privileges, and closely watch for suspicious process launches, unusual installer activity, or unexpected access to protected system locations. The fix is available now; the remaining question is how long unpatched NTFS systems stay exposed.
Microsoft published the advisory as part of its July Patch Tuesday release. The National Vulnerability Database describes the issue as an integer overflow or wraparound in Windows NTFS that allows an authorized attacker to elevate privileges locally. In practical terms, this is not a network worm scenario: an attacker must already be able to run code or sign in with a valid account on the target machine. But that is exactly why it matters in post-compromise chains, where an initial foothold is used to reach administrator or SYSTEM-level control.
The vulnerability is addressed in cumulative Windows updates released on July 14. Windows 11 24H2 and 25H2 systems receive the fix through KB5101650, bringing them to builds 26100.8875 and 26200.8875 respectively. Windows 11 version 26H1 receives KB5101649, which advances the build to 28000.2525. Microsoft’s advisory also covers supported Windows 10 releases and a broad range of Windows Server editions.
A local flaw with system-wide consequences
NTFS is not an optional application component; it is Windows’ default file system and sits beneath ordinary work such as opening documents, extracting archives, installing software, processing temporary files, and running services. An arithmetic error in code handling NTFS structures can be dangerous because a value that grows beyond its expected range may be interpreted incorrectly, potentially leading to memory corruption or unsafe processing.Microsoft has associated CVE-2026-56182 with both integer-overflow and heap-based-buffer-overflow weakness categories. That combination does not disclose a working exploit path, nor does it establish precisely how an attacker would shape data to trigger the condition. It does, however, tell defenders that the root problem is more serious than a simple permissions misconfiguration: it is a low-level input-handling issue in a component trusted by the operating system.
A successful elevation-of-privilege exploit is generally valuable after another vulnerability, phishing event, malicious installer, or abused low-privilege account has already put code on a machine. From there, higher privileges can enable credential theft, security-tool tampering, persistence, or access to data normally blocked by Windows access controls.
That makes the remediation message straightforward: patch the operating system rather than look for an NTFS configuration switch. Microsoft has not published a mitigation or workaround for systems left unpatched.
No active exploitation reported, but that is not a reason to defer
As of July 15, Microsoft’s public advisory does not indicate that CVE-2026-56182 is being exploited in the wild or publicly disclosed before the fix. The NVD record likewise shows CISA’s SSVC assessment as exploitation “none,” with automation marked “no” and technical impact marked “total.”Those fields matter, but they should be read carefully. “None” means there is no known exploitation reported to the assessment process; it does not mean the flaw cannot be exploited. “No” for automation suggests this is not presently assessed as a vulnerability that can be broadly and reliably mass-exploited without attacker interaction or environment-specific preparation. The “total” technical-impact value reflects the potential outcome once exploitation succeeds: compromise of confidentiality, integrity, and availability at the affected security boundary.
The score itself reinforces that distinction. CVSS 7.8 is High because the attack complexity is low, no user interaction is required, and the eventual effect can be severe. The vector also requires local access and low privileges, which limits the initial attack surface compared with a remotely exploitable service flaw.
For a managed enterprise, that points to a familiar priority order. Internet-facing remote-code-execution bugs and vulnerabilities already under active attack may take the first emergency window. CVE-2026-56182 should move immediately behind them, especially on systems used by developers, administrators, help desks, contractors, and other users who routinely execute varied software or handle files from outside the organization.
The affected footprint reaches beyond current desktop Windows
Microsoft’s affected-product information spans more than the newest Windows 11 branch. It includes Windows 10 version 1607, Windows 10 version 1809, Windows 10 21H2 and 22H2, Windows 11 24H2, Windows 11 25H2, and Windows 11 version 26H1. Both ARM64 and x64 editions are covered where applicable, while older Windows 10 releases also include 32-bit variants.On the server side, the advisory covers Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025, including several Server Core installations. That broad list deserves attention because NTFS flaws can affect high-value infrastructure even when servers have no interactive desktop use.
Among the identifiable July packages are:
- Windows 11 24H2 and 25H2 are fixed by KB5101650.
- Windows 11 26H1 is fixed by KB5101649.
- Windows Server 2025 is fixed by KB5099536.
- Windows Server 2022 and Azure Stack HCI 22H2 are fixed by KB5099540.
- Windows 10 version 1607 and Windows Server 2016 are fixed by KB5099535.
July’s NTFS cluster raises the patching value of a single reboot
CVE-2026-56182 is one of several NTFS vulnerabilities addressed in Microsoft’s unusually large July 2026 Patch Tuesday release. BleepingComputer reported that the release fixed 570 Microsoft vulnerabilities in total, including 254 elevation-of-privilege flaws and numerous NTFS entries spanning both local privilege escalation and remote code execution categories.That does not make every NTFS CVE interchangeable. Each has its own prerequisites, severity, and exploitability profile. But it does mean that patching solely around CVE-2026-56182 understates the operational benefit of deploying July’s cumulative update: the same maintenance event reduces exposure to a much larger set of Windows issues.
Security teams should avoid confusing CVE-2026-56182 with the higher-urgency vulnerabilities elsewhere in the July release, including flaws Microsoft and outside reporting identify as publicly known or actively exploited. This NTFS issue is not presently in that category. Its risk is instead the second-stage compromise role that local privilege escalation vulnerabilities often play.
The immediate objective is therefore simple: ensure July’s cumulative update is installed, reboot where required, and investigate systems that cannot be patched on schedule. On those exceptions, reduce local code-execution opportunities, limit unnecessary user privileges, and closely watch for suspicious process launches, unusual installer activity, or unexpected access to protected system locations. The fix is available now; the remaining question is how long unpatched NTFS systems stay exposed.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com