CVE-2026-58613: Install July Updates to Fix Windows Privilege Escalation

Microsoft’s July 14, 2026 security updates fix CVE-2026-58613, a high-severity elevation-of-privilege flaw in the Windows Cloud Files Mini Filter Driver, cldflt.sys. The vulnerability can let an attacker who already has local, authorized access run a crafted application and potentially gain far higher privileges on the machine—turning an initial foothold into a system-level compromise.
Microsoft published the advisory alongside July’s Patch Tuesday release, while Cisco Talos disclosed that it had reported the issue to Microsoft on June 1. Talos credited researcher Marcin “Icewall” Noga and released technical analysis on July 15 after Microsoft’s patch became available. The immediate advice for Windows administrators is uncomplicated: deploy the July cumulative update appropriate to each supported Windows release, and confirm the resulting OS build rather than treating this as a OneDrive-only issue.
The affected component is part of Windows itself. Although Cloud Files is best known as the plumbing behind OneDrive Files On-Demand, the driver provides the kernel-level integration used by cloud-sync providers to expose remote content as local placeholder files.

Cybersecurity infographic showing a July 2026 Windows kernel update blocking an exploit chain and protecting system files.A Kernel Bug Behind Cloud File Placeholders​

Microsoft classifies CVE-2026-58613 as an Important Windows Cloud Files Mini Filter Driver elevation-of-privilege vulnerability. The vendor’s CVSS 3.1 score is 7.8, with a local attack vector, low attack complexity, low privileges required, no user interaction, and high potential impact on confidentiality, integrity, and availability.
The underlying defect is a use-after-free issue, cataloged as CWE-416. In practical terms, the driver can retain a reference to memory associated with a cloud-file request after that memory has been released. If an attacker can steer subsequent kernel activity through that stale reference, the result can range from a system crash to privilege escalation.
Cisco Talos puts more technical detail behind that summary. Its report identifies the affected path as CldiStreamCompleteRequest in cldflt.sys, tested on driver version 10.0.26100.8457. Talos describes a sequence involving the Cloud Filter API, a cloud sync root, a pending provider-progress request, cleanup of files in the sync directory, and a later timeout-handling path. When the driver cleans up the request, it can free the stream context before later code tries to use it.
That is significant because cldflt.sys runs in kernel mode. An unprivileged local process cannot normally execute code there. A reliable elevation-of-privilege exploit could cross that boundary and create the kind of high-integrity access attackers commonly use to disable defenses, harvest credentials, establish persistence, or move laterally after initial access.
Talos rates the research case at 8.8, rather than Microsoft’s 7.8, because its vector treats the outcome as a scope change. The scores should not be read as disagreement over whether the bug exists: both organizations agree on the local privilege-escalation impact and the low-complexity, no-user-interaction nature of the path. The difference is a reminder that CVSS is a prioritization aid, not a complete account of operational risk.

The Patch Covers More Than Windows 11​

Microsoft’s affected-product data covers Windows 10, Windows 11, and supported Windows Server releases. The July 14 updates move affected systems to the following builds or later:
Product familyJuly 2026 security updatePatched build
Windows 10 version 21H2 / 22H2KB509953919044.7548 / 19045.7548
Windows 10 Enterprise LTSC 2019 / Windows Server 2019KB509953817763.9020
Windows Server 2022KB509954020348.5386
Windows 11 version 24H2 / 25H2KB510165026100.8875 / 26200.8875
Windows 11 version 26H1KB510164928000.2525
Windows Server 2025KB509953626100.33158
Windows 10 deserves special attention in inventory reports. Microsoft’s vulnerability record includes version 21H2 and version 22H2, but ordinary Windows 10 22H2 servicing ended on October 14, 2025. Organizations relying on Windows 10 must ensure that affected devices are legitimately receiving July security content through Extended Security Updates or an applicable LTSC servicing channel; a machine listed as “up to date” but outside its support entitlement is not protected by the July patch.
Windows 11 24H2 and 25H2 deployments should receive KB5101650 through the ordinary cumulative-update channels. Microsoft’s release notes say the package installs automatically through Windows Update and Windows Update for Business subject to policy, and is also available through Windows Server Update Services and the Microsoft Update Catalog. For managed fleets, the relevant operational check is deployment compliance after restart, not merely whether the update has been approved.
The Cloud Files driver’s reach also means administrators should not assume that removing OneDrive from an image eliminates exposure. cldflt.sys is a Windows file-system filter driver, and Microsoft lists client and server operating systems as affected. The component’s role in the Cloud Files platform is broader than one sync client.

Public Research Raises Confidence, Not Evidence of Active Abuse​

The wording around confidence in a vulnerability report matters here. Microsoft has acknowledged the flaw, assigned a CVE, and shipped fixes. Cisco Talos has published a detailed root-cause analysis and confirmed a vulnerable Windows 11 driver version. Those are strong signals that the flaw is real and technically understood, rather than an uncorroborated claim.
At the same time, there is no current indication that CVE-2026-58613 is being exploited in the wild. The National Vulnerability Database, which is still awaiting full enrichment for this record, reflects Microsoft’s description and score. Its CISA-added SSVC data lists exploitation as “none,” marks the issue as not automatable, and assesses potential technical impact as total. That combination fits a vulnerability that is serious after local access but is not, based on current public evidence, a wormable or remotely reachable initial-entry bug.
The “local” qualifier should not become a reason to defer the patch indefinitely. Local privilege escalation is frequently the second stage of a broader intrusion. Malware delivered through phishing, a compromised standard user account, a malicious insider, or an abused remote-access session does not need a network-exploitable kernel bug if it can elevate after landing on the endpoint.
Talos’s public disclosure also shortens the window in which defenders can count on obscurity. Its report does not merely state that the flaw exists; it identifies the vulnerable function, the driver behavior involved, and the cloud-file request lifecycle that produces the invalid memory access. That technical specificity is useful for defenders and researchers, but it also gives capable attackers a substantial starting point.

Deployment Should Include a Build-Level Check​

For most organizations, CVE-2026-58613 belongs in the normal expedited Patch Tuesday lane rather than an emergency out-of-band response. Apply the July 14 cumulative update, reboot as required, and verify build numbers on representative client, VDI, and server populations.
Administrators should also test the update where Cloud Files integrations are business-critical. That includes OneDrive Files On-Demand, enterprise sync tools, virtual desktop images with redirected user profiles, and any application built around the Windows Cloud Filter API. The vulnerability resides in the OS driver, but the operational sensitivity lies in the workloads that depend on cloud-backed placeholder files and on-demand hydration.
Microsoft has not published a separate workaround for the flaw. Disabling or removing cloud-sync tooling may reduce some exposure paths, but it is not a substitute for the patched driver and could disrupt file availability, sync workflows, and user data access. The supported remedy is the cumulative update.
The concrete milestone is therefore clear: systems at Windows 11 build 26100.8875 or 26200.8875, Windows Server 2025 build 26100.33158, and the corresponding July builds for older supported releases have the vendor fix. Any lower build on Microsoft’s affected list should be treated as an outstanding local-escalation exposure until patch compliance catches up.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
  3. Related coverage: hhs.gov
 

Back
Top