{
"title": "A Heap Overflow in Windows ReFS Could Give Hackers Full Control—Here’s the Fix",
"content": "On July 14, 2026, Microsoft patched a serious vulnerability in the Windows Resilient File System (ReFS) that could allow an attacker to take complete control of a PC or server simply by tricking a user into opening a malicious disk image or file. The flaw, tracked as CVE-2026-50362, is a heap-based buffer overflow that carries a CVSS score of 7.8 and affects nearly every supported version of Windows, from Windows 10 1607 to Windows 11 26H1 and Windows Server 2016 through 2025.

The update is part of the July 2026 Patch Tuesday release. While Microsoft has not observed any active attacks exploiting this bug, the ease with which it could be abused—no prior access privileges are required—makes it a priority for both home users and IT administrators.

What exactly was patched?

CVE-2026-50362 is classified as CWE-122, a heap-based buffer overflow. In a heap overflow, a program writes more data into a chunk of memory allocated on the heap than that chunk can safely hold. The extra data spills over into adjacent memory, which could overwrite pointers, function pointers, or other critical control structures. An attacker who can control what gets written and where can hijack the program’s execution and run arbitrary code.

In this case, the vulnerable component is part of Windows’ handling of the ReFS file system. When the operating system processes a ReFS volume—such as when it mounts a disk or reads a file—a parsing routine oversteps its buffer boundaries. If the ReFS metadata has been maliciously crafted, the overflow can give an attacker the ability to execute code with the same privileges as the current user.

Microsoft rates the attack complexity as low and states that no privileges are required to craft the payload. However, the attack vector is local, not network-based. The official CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. That breaks down as:

  • Attack Vector: Local – the attacker must present the malicious content to the system locally (e.g., via a file or removable media).
  • Attack Complexity: Low – no special conditions must exist for the exploit to succeed.
  • Privileges Required: None – the attacker does not need a user account on the target.
  • User Interaction: Required – a victim must open or mount the crafted file system.
  • Scope: Unchanged – the exploit runs within the same security context.
  • Impact: High for Confidentiality, Integrity, and Availability – complete compromise.
Microsoft hasn’t disclosed the exact operation that triggers the overflow. It could be a malformed directory entry, a corrupted metadata table, or a specially sized attribute. Without that detail, it’s safest to assume that any interaction with an untrusted ReFS image—including automatic thumbnail generation or file indexing—could trigger the bug.

Who should be concerned?

The list of affected products is extensive. Every currently supported Windows client and server SKU includes the ReFS driver, and all are vulnerable below their respective fixed builds:

  • Windows 11 24H2 (Home, Pro, Enterprise, etc.)
  • Windows 11 25H2
  • Windows 11 26H1
  • Windows 10 22H2
  • Windows 10 21H2
  • Windows 10 1809 (including LTSC 2019)
  • Windows 10 1607 (including LTSC 2016)
  • Windows Server 2025 (all editions, including Server Core)
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
Even if you never purposely create a ReFS drive, the file system driver is installed and active. Many modern Windows features, such as Storage Spaces, development tools, and certain backup software, use ReFS under the hood. So your everyday laptop or desktop—not just a data center server—is a viable target.

For enterprises, the risk is magnified. ReFS is often the backbone of file servers, virtual machine storage, and backup repositories. A successful compromise on one of those systems could let an attacker corrupt backups, tamper with virtual hard disks, or move laterally across the network.

How an attacker might deliver the exploit

Because user interaction is required, the attacker must trick someone into making Windows process the malicious ReFS content. Common delivery methods include:

  • Email attachments: A ZIP archive containing a .vhd or .iso file that houses a ReFS volume. The user extracts and double-clicks the disk image to mount it.
  • Malicious websites: A download link offering a disk image, combined with social engineering (“click here to view the backup”).
  • Removable media: A USB drive pre-formatted with ReFS. Simply plugging it in and opening File Explorer could trigger the bug if Windows auto-mounts and attempts to read its contents.
  • Collaboration platforms: Files shared via SharePoint, Teams, or cloud storage that, once downloaded and opened, set off the chain of events.
No single indicator would alert the user that an image is booby-trapped. The file could look like any ordinary disk or backup file. Once the operating system parses the ReFS structures, the exploit can fire silently, potentially gaining SYSTEM-level privileges if the user has administrative rights.

The July 2026 patch: install this now

Microsoft fixed the flaw in its July 14, 2026, security updates. After applying the patch, your system should meet the following minimum build numbers to be considered safe:

Windows EditionFixed BuildKnown KB Article
Windows 11 24H226100.8875July 2026 Cumulative Update
Windows 11 25H226200.8875July 2026 Cumulative Update
Windows 11 26H128000.2525July 2026 Cumulative Update
Windows 10 22H219045.7548July 2026 Cumulative Update
Windows 10 21H219044.7548July 2026 Cumulative Update
Windows 10 1809 / Server 201917763.9020KB5099538
Windows 10 1607 / Server 201614393.9339KB5099535
Windows Server 202220348.5386July 2026 Cumulative Update
Windows Server 202526100.33158KB5099536
The updates are available through all standard channels:
  • Windows Update (Settings > Windows Update) – for individuals and small businesses.
  • Microsoft Update Catalog – for manual download and deployment.
  • WSUS and Microsoft Configuration Manager – for managed enterprise environments.
After installation, a restart is required. Then verify your build number by running winver or checking Settings > System > About. The number should match or exceed the build listed for your version.

I can’t patch immediately—now what?

Microsoft has published no official workaround. The vulnerability lies in the ReFS driver, which is part of the operating system kernel; you can’t simply disable it without potentially destabilizing the system or losing functionality. However, until you can deploy the update, you can harden your environment with these risk-reduction measures:

  • Block disk image mounting: Use AppLocker or Group Policy to restrict execution of vhdsvc.dll or prevent users from mounting ISO and VHD files.
  • Filter attachments: Configure your email gateway to quarantine messages containing .vhd, .vhdx, .iso, and .img extensions.
  • Restrict removable media: Enforce policies that block USB mass storage or require encryption and approval.
  • Educate users: Warn staff not to open unsolicited disk images or insert unknown thumb drives.
None of these steps eliminate the vulnerability; they only make it harder for an attacker to deliver the payload. The definitive solution remains applying the July 2026 cumulative update.

The bigger picture: ReFS is everywhere

ReFS was introduced