Microsoft’s July 14 security updates fix CVE-2026-57091, a Windows File History Service elevation-of-privilege flaw that could let a locally authenticated attacker gain SYSTEM-level control of an affected PC or server. The issue is a stack-based buffer overflow in the File History Service, and it carries a CVSS 3.1 score of 7.8, rated High.
Microsoft published the advisory as part of its July 2026 security release. The National Vulnerability Database’s record, sourced from Microsoft, confirms that exploitation requires local access and an authorized account; there is no user interaction requirement. In practical terms, this is not a drive-by browser bug or a remotely reachable wormable service issue. It is the kind of vulnerability that turns an initial foothold—malware running as a standard user, a compromised remote-access account, or a malicious insider’s account—into a full-machine compromise.
For organizations, that makes CVE-2026-57091 a patching priority even though it is not currently reported as publicly exploited. Local privilege escalation remains one of the most useful steps in real intrusion chains because it can remove the boundary between a limited user context and the operating system’s most powerful account.
File History is Windows’ built-in personal-file backup feature, designed to preserve versions of files in libraries, Desktop, Contacts, and Favorites to an external or network location. The underlying service has existed across several Windows generations, including systems where the feature may not be actively used by an end user.
Microsoft’s description is unusually direct: the weakness is a stack-based buffer overflow, categorized as CWE-121. Such flaws arise when software writes more data to a fixed memory region than it can safely hold. The advisory does not disclose the affected function, trigger data, or a proof of concept, and administrators should treat any claims of a ready-made exploit with caution unless Microsoft or an established security research team corroborates them.
The impact rating matters more than the service’s familiar name. Microsoft’s CVSS vector assigns low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. A successful exploit would therefore give an attacker broad latitude to read protected data, tamper with system settings and security controls, install persistence, or disrupt the device.
That combination makes this a classic post-compromise amplifier. Endpoint protection, phishing resistance, credential controls, application allowlisting, and least-privilege design still matter because an attacker needs a way onto the endpoint first. But once that foothold exists, a local privilege-escalation flaw can drastically shorten the path to domain-level credentials or lateral movement.
The July 14 cumulative updates are the remediation path. Administrators should deploy the applicable monthly update for each servicing branch rather than hunting for a standalone File History Service fix. Key packages include:
The fact that older branches remain in the affected list is an operational warning. Vulnerability scanners and patch dashboards need to account for legacy estates, Server Core deployments, and systems held on older Windows releases for line-of-business compatibility. File History may be a low-visibility component, but the service-level bug is still present where the affected build range says it is.
Microsoft’s published exploitability information also indicates no known public disclosure and no observed exploitation at release time. That reduces the pressure compared with a confirmed zero-day, but it does not eliminate the underlying risk. Patch Tuesday disclosures routinely give researchers and attackers enough information to compare pre-patch and post-patch binaries, identify the vulnerable code path, and develop reliable techniques after the fix is public.
For Windows administrators, the right response is to place this vulnerability in the normal expedited monthly-update lane. It is especially relevant for shared workstations, virtual desktop infrastructure, jump hosts, developer endpoints, RDS servers, and devices where users have local interactive access. Those environments give a potential attacker the local execution prerequisite more often than a tightly controlled server workload does.
There is no Microsoft-published workaround for CVE-2026-57091 beyond installing the security update. Disabling File History or altering service configuration may reduce feature exposure in some environments, but it is not a substitute for the patched binaries and can create avoidable backup or support problems. Treat such changes as temporary compensating controls only where emergency patching is impossible and after testing their effect on user data protection.
For managed fleets, prioritize a deployment ring that includes representative Windows 10, Windows 11, and Windows Server systems, then move rapidly to broad deployment if no environment-specific regression appears. Microsoft currently reports no known issues for the Windows 11 26H1 and Windows Server 2025 cumulative updates, though organizations with third-party networking components should separately review Microsoft’s July notice on TDI transport registration hardening.
Security teams should also use this event to check whether standard-user accounts can install arbitrary software, run unsigned code from user-writable directories, or retain local administrator rights. Those conditions do not cause CVE-2026-57091, but they make local privilege-escalation vulnerabilities far more valuable to an attacker.
The immediate action is straightforward: deploy the July 14 cumulative update appropriate to every affected Windows branch. The unresolved part is familiar: until patch-diffing research or a public proof of concept emerges, defenders will not know how quickly this File History flaw can move from an advisory entry to a commonly used escalation technique.
Microsoft published the advisory as part of its July 2026 security release. The National Vulnerability Database’s record, sourced from Microsoft, confirms that exploitation requires local access and an authorized account; there is no user interaction requirement. In practical terms, this is not a drive-by browser bug or a remotely reachable wormable service issue. It is the kind of vulnerability that turns an initial foothold—malware running as a standard user, a compromised remote-access account, or a malicious insider’s account—into a full-machine compromise.
For organizations, that makes CVE-2026-57091 a patching priority even though it is not currently reported as publicly exploited. Local privilege escalation remains one of the most useful steps in real intrusion chains because it can remove the boundary between a limited user context and the operating system’s most powerful account.
A File History Bug With System-Level Consequences
File History is Windows’ built-in personal-file backup feature, designed to preserve versions of files in libraries, Desktop, Contacts, and Favorites to an external or network location. The underlying service has existed across several Windows generations, including systems where the feature may not be actively used by an end user.Microsoft’s description is unusually direct: the weakness is a stack-based buffer overflow, categorized as CWE-121. Such flaws arise when software writes more data to a fixed memory region than it can safely hold. The advisory does not disclose the affected function, trigger data, or a proof of concept, and administrators should treat any claims of a ready-made exploit with caution unless Microsoft or an established security research team corroborates them.
The impact rating matters more than the service’s familiar name. Microsoft’s CVSS vector assigns low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. A successful exploit would therefore give an attacker broad latitude to read protected data, tamper with system settings and security controls, install persistence, or disrupt the device.
That combination makes this a classic post-compromise amplifier. Endpoint protection, phishing resistance, credential controls, application allowlisting, and least-privilege design still matter because an attacker needs a way onto the endpoint first. But once that foothold exists, a local privilege-escalation flaw can drastically shorten the path to domain-level credentials or lateral movement.
The Patch Set Reaches Old Windows Builds and Current Releases
CVE-2026-57091 affects a broad range of supported Windows client and server releases. Microsoft’s affected-product data includes Windows 10 version 1607 and version 1809, Windows 10 version 21H2 and 22H2, Windows 11 versions 23H2, 24H2, 25H2, and 26H1, plus Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025.The July 14 cumulative updates are the remediation path. Administrators should deploy the applicable monthly update for each servicing branch rather than hunting for a standalone File History Service fix. Key packages include:
- Windows Server 2016 receives KB5099535.
- Windows 10 version 1809 and Windows Server 2019 receive KB5099538.
- Windows 10 version 21H2 and 22H2 receive KB5099539.
- Windows Server 2022 receives KB5099540.
- Windows 11 version 23H2 receives KB5099414.
- Windows 11 versions 24H2 and 25H2 receive KB5101650.
- Windows 11 version 26H1 receives KB5101649, taking the build to 28000.2525.
- Windows Server 2025 receives KB5099536, taking the build to 26100.33158.
The fact that older branches remain in the affected list is an operational warning. Vulnerability scanners and patch dashboards need to account for legacy estates, Server Core deployments, and systems held on older Windows releases for line-of-business compatibility. File History may be a low-visibility component, but the service-level bug is still present where the affected build range says it is.
No Evidence of Exploitation Is Not a Reason to Wait
CISA’s SSVC enrichment for the CVE currently marks exploitation as “none” and automation as “no,” while retaining “total” technical impact. That should be read as a snapshot of public evidence, not a guarantee that an exploit will not appear.Microsoft’s published exploitability information also indicates no known public disclosure and no observed exploitation at release time. That reduces the pressure compared with a confirmed zero-day, but it does not eliminate the underlying risk. Patch Tuesday disclosures routinely give researchers and attackers enough information to compare pre-patch and post-patch binaries, identify the vulnerable code path, and develop reliable techniques after the fix is public.
For Windows administrators, the right response is to place this vulnerability in the normal expedited monthly-update lane. It is especially relevant for shared workstations, virtual desktop infrastructure, jump hosts, developer endpoints, RDS servers, and devices where users have local interactive access. Those environments give a potential attacker the local execution prerequisite more often than a tightly controlled server workload does.
There is no Microsoft-published workaround for CVE-2026-57091 beyond installing the security update. Disabling File History or altering service configuration may reduce feature exposure in some environments, but it is not a substitute for the patched binaries and can create avoidable backup or support problems. Treat such changes as temporary compensating controls only where emergency patching is impossible and after testing their effect on user data protection.
Verify the Build, Then Verify the Deployment Story
IT teams should first confirm the device’s Windows release and installed cumulative update, then verify that the update completed successfully after any required restart. A successful download in an endpoint-management console is not the same as a completed installation; restart deferrals, servicing-stack problems, and insufficient disk space can leave an endpoint reporting a misleading compliance state.For managed fleets, prioritize a deployment ring that includes representative Windows 10, Windows 11, and Windows Server systems, then move rapidly to broad deployment if no environment-specific regression appears. Microsoft currently reports no known issues for the Windows 11 26H1 and Windows Server 2025 cumulative updates, though organizations with third-party networking components should separately review Microsoft’s July notice on TDI transport registration hardening.
Security teams should also use this event to check whether standard-user accounts can install arbitrary software, run unsigned code from user-writable directories, or retain local administrator rights. Those conditions do not cause CVE-2026-57091, but they make local privilege-escalation vulnerabilities far more valuable to an attacker.
The immediate action is straightforward: deploy the July 14 cumulative update appropriate to every affected Windows branch. The unresolved part is familiar: until patch-diffing research or a public proof of concept emerges, defenders will not know how quickly this File History flaw can move from an advisory entry to a commonly used escalation technique.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com