{
"title": "A Heap Overflow in Windows ReFS Could Give Hackers Full Control—Here’s the Fix",
"content": "On July 14, 2026, Microsoft patched a serious vulnerability in the Windows Resilient File System (ReFS) that could allow an attacker to take complete control of a PC or server simply by tricking a user into opening a malicious disk image or file. The flaw, tracked as CVE-2026-50362, is a heap-based buffer overflow that carries a CVSS score of 7.8 and affects nearly every supported version of Windows, from Windows 10 1607 to Windows 11 26H1 and Windows Server 2016 through 2025.
The update is part of the July 2026 Patch Tuesday release. While Microsoft has not observed any active attacks exploiting this bug, the ease with which it could be abused—no prior access privileges are required—makes it a priority for both home users and IT administrators.
What exactly was patched?
CVE-2026-50362 is classified as CWE-122, a heap-based buffer overflow. In a heap overflow, a program writes more data into a chunk of memory allocated on the heap than that chunk can safely hold. The extra data spills over into adjacent memory, which could overwrite pointers, function pointers, or other critical control structures. An attacker who can control what gets written and where can hijack the program’s execution and run arbitrary code.
In this case, the vulnerable component is part of Windows’ handling of the ReFS file system. When the operating system processes a ReFS volume—such as when it mounts a disk or reads a file—a parsing routine oversteps its buffer boundaries. If the ReFS metadata has been maliciously crafted, the overflow can give an attacker the ability to execute code with the same privileges as the current user.
Microsoft rates the attack complexity as low and states that no privileges are required to craft the payload. However, the attack vector is local, not network-based. The official CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. That breaks down as:
- Attack Vector: Local – the attacker must present the malicious content to the system locally (e.g., via a file or removable media).
- Attack Complexity: Low – no special conditions must exist for the exploit to succeed.
- Privileges Required: None – the attacker does not need a user account on the target.
- User Interaction: Required – a victim must open or mount the crafted file system.
- Scope: Unchanged – the exploit runs within the same security context.
- Impact: High for Confidentiality, Integrity, and Availability – complete compromise.
Who should be concerned?
The list of affected products is extensive. Every currently supported Windows client and server SKU includes the ReFS driver, and all are vulnerable below their respective fixed builds:
- Windows 11 24H2 (Home, Pro, Enterprise, etc.)
- Windows 11 25H2
- Windows 11 26H1
- Windows 10 22H2
- Windows 10 21H2
- Windows 10 1809 (including LTSC 2019)
- Windows 10 1607 (including LTSC 2016)
- Windows Server 2025 (all editions, including Server Core)
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
For enterprises, the risk is magnified. ReFS is often the backbone of file servers, virtual machine storage, and backup repositories. A successful compromise on one of those systems could let an attacker corrupt backups, tamper with virtual hard disks, or move laterally across the network.
How an attacker might deliver the exploit
Because user interaction is required, the attacker must trick someone into making Windows process the malicious ReFS content. Common delivery methods include:
- Email attachments: A ZIP archive containing a
.vhdor.isofile that houses a ReFS volume. The user extracts and double-clicks the disk image to mount it. - Malicious websites: A download link offering a disk image, combined with social engineering (“click here to view the backup”).
- Removable media: A USB drive pre-formatted with ReFS. Simply plugging it in and opening File Explorer could trigger the bug if Windows auto-mounts and attempts to read its contents.
- Collaboration platforms: Files shared via SharePoint, Teams, or cloud storage that, once downloaded and opened, set off the chain of events.
The July 2026 patch: install this now
Microsoft fixed the flaw in its July 14, 2026, security updates. After applying the patch, your system should meet the following minimum build numbers to be considered safe:
| Windows Edition | Fixed Build | Known KB Article |
|---|---|---|
| Windows 11 24H2 | 26100.8875 | July 2026 Cumulative Update |
| Windows 11 25H2 | 26200.8875 | July 2026 Cumulative Update |
| Windows 11 26H1 | 28000.2525 | July 2026 Cumulative Update |
| Windows 10 22H2 | 19045.7548 | July 2026 Cumulative Update |
| Windows 10 21H2 | 19044.7548 | July 2026 Cumulative Update |
| Windows 10 1809 / Server 2019 | 17763.9020 | KB5099538 |
| Windows 10 1607 / Server 2016 | 14393.9339 | KB5099535 |
| Windows Server 2022 | 20348.5386 | July 2026 Cumulative Update |
| Windows Server 2025 | 26100.33158 | KB5099536 |
- Windows Update (Settings > Windows Update) – for individuals and small businesses.
- Microsoft Update Catalog – for manual download and deployment.
- WSUS and Microsoft Configuration Manager – for managed enterprise environments.
winver or checking Settings > System > About. The number should match or exceed the build listed for your version.I can’t patch immediately—now what?
Microsoft has published no official workaround. The vulnerability lies in the ReFS driver, which is part of the operating system kernel; you can’t simply disable it without potentially destabilizing the system or losing functionality. However, until you can deploy the update, you can harden your environment with these risk-reduction measures:
- Block disk image mounting: Use AppLocker or Group Policy to restrict execution of
vhdsvc.dllor prevent users from mounting ISO and VHD files. - Filter attachments: Configure your email gateway to quarantine messages containing
.vhd,.vhdx,.iso, and.imgextensions. - Restrict removable media: Enforce policies that block USB mass storage or require encryption and approval.
- Educate users: Warn staff not to open unsolicited disk images or insert unknown thumb drives.
The bigger picture: ReFS is everywhere
ReFS was introduced