Microsoft’s July 14, 2026 security updates fix CVE-2026-57084, a Windows File Explorer information-disclosure flaw that could allow an attacker to obtain sensitive information from a local Windows system after persuading a user to interact with malicious content. The vulnerability is rated Important by Microsoft and carries a CVSS 3.1 base score of 5.5, with no public exploitation reported as of July 15.
Microsoft describes the bug as a use of an uninitialized resource in Windows File Explorer. In practical terms, File Explorer could expose data left in a resource that software should have initialized before use. The advisory does not say exactly what information could be recovered, how much could be exposed, or identify the affected code path—details that rightly keep this one in the “patch promptly, avoid speculation” category.
The flaw is part of the July 2026 Patch Tuesday release. Microsoft’s advisory is the authoritative source, while the National Vulnerability Database has published the Microsoft-supplied description and scoring data. Zero Day Initiative’s July update review also lists CVE-2026-57084 among the File Explorer disclosure issues addressed this month.
The CVSS vector tells the most important operational story: this is a local attack with low complexity, no privileges required, and user interaction required. It is not a network worm, it is not a remote-code-execution issue, and an unauthenticated attacker cannot simply scan the internet for exposed File Explorer instances.
That distinction should shape prioritization. An attacker would need to get a target to open, preview, browse, or otherwise interact with crafted content in a way that reaches the vulnerable File Explorer handling path. The official advisory does not identify the precise delivery mechanism, so administrators should not assume a particular file type, archive format, network share scenario, or preview-pane behavior is confirmed.
Still, user interaction does not make the flaw irrelevant. File Explorer sits at the center of everyday Windows activity: opening downloads, unpacking project files, browsing shared folders, reviewing removable media, and examining files received through email or collaboration services. A disclosure-only bug can also supply information useful to a later attack stage, particularly on workstations where browser, document, or endpoint-security exploits face modern mitigation layers.
Microsoft’s CVSS assessment assigns high confidentiality impact but no integrity or availability impact. Put plainly, the published assessment says the flaw can disclose information, but does not by itself alter files, install software, elevate permissions, or crash the device.
For a normal Windows 11 consumer PC, the answer is simply to check Windows Update, install the July 2026 cumulative update, and restart when prompted. Organizations using Windows Server Update Services, Microsoft Configuration Manager, Windows Autopatch, or third-party patch platforms should approve and deploy the normal operating-system update rather than seek a standalone File Explorer package; Microsoft has shipped the fix through the cumulative servicing model.
Administrators should verify actual installed build numbers rather than rely on a device’s product name. This matters most for Windows 11, where 24H2 and 25H2 may look similar in inventory dashboards but require distinct build targets, and in long-lived Windows 10 or Server estates where servicing status, edition, and Extended Security Updates eligibility determine what the device can receive.
Microsoft’s documentation for KB5101649 says Windows 11 version 26H1 reaches build 28000.2525 with the July release. The parallel July packages for Windows 11 24H2 and 25H2 reach 26100.8875 and 26200.8875, respectively. On the server side, Microsoft lists build 20348.5386 for Windows Server 2022 and 26100.33158 for Windows Server 2025.
That creates a narrow but important operational point: the presence of a fix in Microsoft’s catalog does not mean every old server receives it automatically. A Server 2012 or 2012 R2 deployment needs correctly configured ESU licensing and a functional update servicing path. Microsoft also notes that recent servicing stack updates are important prerequisites for receiving current updates on those platforms.
Windows 10 22H2 is another case where patch compliance should be read carefully. Microsoft ended free Windows 10 support on October 14, 2025, so organizations that retain Windows 10 systems need to know whether their particular edition and licensing arrangement remain in a supported update channel. Windows 10 Enterprise LTSC and other specialized branches have different lifecycle rules from mainstream consumer Windows 10 installations.
For IT teams, the first report should therefore separate “machines that installed July updates” from “machines that are unable to obtain July updates.” The second category is the one that needs immediate ownership, whether its cause is unsupported hardware, missed ESU enrollment, a broken servicing stack, paused update policies, or a disconnected management client.
But the low automation finding should not become a reason to defer a standard monthly update cycle. The attack has a low complexity rating, requires no attacker privileges, and affects a component used by nearly every Windows user. Where untrusted files routinely arrive through email, web downloads, shared storage, USB media, or customer-support workflows, the interaction requirement is less reassuring than it may first appear.
Until Microsoft or security researchers publish more technical detail, organizations should avoid improvised workarounds such as disabling File Explorer preview features across the estate. There is no official mitigation for CVE-2026-57084 beyond installing the security update, and broad Explorer restrictions can create needless usability and support costs without proof that they block the relevant attack path.
The near-term milestone is uncomplicated: devices should report the July 14, 2026 cumulative update—or a later superseding update—and the corresponding patched OS build. For CVE-2026-57084, that is the line between a theoretical local disclosure route in File Explorer and a closed one.
Microsoft describes the bug as a use of an uninitialized resource in Windows File Explorer. In practical terms, File Explorer could expose data left in a resource that software should have initialized before use. The advisory does not say exactly what information could be recovered, how much could be exposed, or identify the affected code path—details that rightly keep this one in the “patch promptly, avoid speculation” category.
The flaw is part of the July 2026 Patch Tuesday release. Microsoft’s advisory is the authoritative source, while the National Vulnerability Database has published the Microsoft-supplied description and scoring data. Zero Day Initiative’s July update review also lists CVE-2026-57084 among the File Explorer disclosure issues addressed this month.
A malicious file still needs a user at the keyboard
The CVSS vector tells the most important operational story: this is a local attack with low complexity, no privileges required, and user interaction required. It is not a network worm, it is not a remote-code-execution issue, and an unauthenticated attacker cannot simply scan the internet for exposed File Explorer instances.That distinction should shape prioritization. An attacker would need to get a target to open, preview, browse, or otherwise interact with crafted content in a way that reaches the vulnerable File Explorer handling path. The official advisory does not identify the precise delivery mechanism, so administrators should not assume a particular file type, archive format, network share scenario, or preview-pane behavior is confirmed.
Still, user interaction does not make the flaw irrelevant. File Explorer sits at the center of everyday Windows activity: opening downloads, unpacking project files, browsing shared folders, reviewing removable media, and examining files received through email or collaboration services. A disclosure-only bug can also supply information useful to a later attack stage, particularly on workstations where browser, document, or endpoint-security exploits face modern mitigation layers.
Microsoft’s CVSS assessment assigns high confidentiality impact but no integrity or availability impact. Put plainly, the published assessment says the flaw can disclose information, but does not by itself alter files, install software, elevate permissions, or crash the device.
July’s cumulative updates are the fix
The practical remediation is to deploy the applicable July 14 cumulative update or security rollup for each supported Windows release. Microsoft’s affected-product data identifies a broad range spanning legacy servicing branches through current Windows 11 and Windows Server releases.| Product family | Patched July 14 build or update |
|---|---|
| Windows 10 21H2 and 22H2 | KB5099539, OS Builds 19044.7548 and 19045.7548 |
| Windows 10 1607 and Windows Server 2016 | KB5099535, OS Build 14393.9339 |
| Windows 10 1809 and Windows Server 2019 | KB5099538, OS Build 17763.9020 |
| Windows 11 24H2 and 25H2 | KB5101650, OS Builds 26100.8875 and 26200.8875 |
| Windows 11 26H1 | KB5101649, OS Build 28000.2525 |
| Windows Server 2022 | KB5099540, OS Build 20348.5386 |
| Windows Server 2025 | KB5099536, OS Build 26100.33158 |
| Windows Server 2012 and 2012 R2 under ESU | July 2026 security rollup or security-only update, where eligible |
Administrators should verify actual installed build numbers rather than rely on a device’s product name. This matters most for Windows 11, where 24H2 and 25H2 may look similar in inventory dashboards but require distinct build targets, and in long-lived Windows 10 or Server estates where servicing status, edition, and Extended Security Updates eligibility determine what the device can receive.
Microsoft’s documentation for KB5101649 says Windows 11 version 26H1 reaches build 28000.2525 with the July release. The parallel July packages for Windows 11 24H2 and 25H2 reach 26100.8875 and 26200.8875, respectively. On the server side, Microsoft lists build 20348.5386 for Windows Server 2022 and 26100.33158 for Windows Server 2025.
Legacy systems turn a routine patch into an inventory test
CVE-2026-57084’s affected list includes Windows Server 2012 and Windows Server 2012 R2, including Server Core installations. Those systems have been out of regular support since October 10, 2023, but remain eligible for paid Extended Security Updates through October 13, 2026.That creates a narrow but important operational point: the presence of a fix in Microsoft’s catalog does not mean every old server receives it automatically. A Server 2012 or 2012 R2 deployment needs correctly configured ESU licensing and a functional update servicing path. Microsoft also notes that recent servicing stack updates are important prerequisites for receiving current updates on those platforms.
Windows 10 22H2 is another case where patch compliance should be read carefully. Microsoft ended free Windows 10 support on October 14, 2025, so organizations that retain Windows 10 systems need to know whether their particular edition and licensing arrangement remain in a supported update channel. Windows 10 Enterprise LTSC and other specialized branches have different lifecycle rules from mainstream consumer Windows 10 installations.
For IT teams, the first report should therefore separate “machines that installed July updates” from “machines that are unable to obtain July updates.” The second category is the one that needs immediate ownership, whether its cause is unsupported hardware, missed ESU enrollment, a broken servicing stack, paused update policies, or a disconnected management client.
No evidence of exploitation changes the order, not the obligation
CISA’s Stakeholder-Specific Vulnerability Categorization data, published alongside the NVD record, currently marks exploitation as none, automation as no, and technical impact as partial. That supports a measured response: this is not the issue that should displace actively exploited privilege-escalation or remote-code-execution vulnerabilities in an emergency maintenance window.But the low automation finding should not become a reason to defer a standard monthly update cycle. The attack has a low complexity rating, requires no attacker privileges, and affects a component used by nearly every Windows user. Where untrusted files routinely arrive through email, web downloads, shared storage, USB media, or customer-support workflows, the interaction requirement is less reassuring than it may first appear.
Until Microsoft or security researchers publish more technical detail, organizations should avoid improvised workarounds such as disabling File Explorer preview features across the estate. There is no official mitigation for CVE-2026-57084 beyond installing the security update, and broad Explorer restrictions can create needless usability and support costs without proof that they block the relevant attack path.
The near-term milestone is uncomplicated: devices should report the July 14, 2026 cumulative update—or a later superseding update—and the corresponding patched OS build. For CVE-2026-57084, that is the line between a theoretical local disclosure route in File Explorer and a closed one.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
KB5099415: Cumulative security update for Internet Explorer: July 14, 2026 | Microsoft Support
KB5099415: Cumulative security update for Internet Explorer: July 14, 2026support.microsoft.com