Microsoft’s July 14, 2026 security updates correct a high-severity vulnerability in the Windows NTFS file system that could let a low-level attacker take full control of an unpatched machine. Tracked as CVE-2026-56175, the flaw is a heap-based buffer overflow that scores a 7.8 out of 10 on the CVSS scale, demanding urgent attention from system administrators.

A flaw baked into the heart of Windows

The vulnerability sits inside NTFS, the default file system on every modern Windows client and server. According to Microsoft’s Security Response Center, an attacker who can run code locally—even from a standard user account—can exploit the bug to elevate privileges without any user interaction. The National Vulnerability Database classifies it as CWE-122, a heap-based buffer overflow.

The CVSS 3.1 vector tells the story in shorthand: attack complexity is low, no user interaction is required, and privileges required are low. Successful exploitation compromises confidentiality, integrity, and availability completely. In plain English, that means a cybercriminal or penetration tester who already has a tiny foothold on your system can use this bug to grab administrative rights, steal credentials, disable security tools, and move laterally across your network.

Crucially, this is not a remote code execution flaw. An attacker needs to be on the box already—through phishing, an unpatched application, a stolen standard user credential, or a malware with limited rights. But once that beachhead is established, CVE-2026-56175 turns a minor incursion into a full-blown catastrophe.

Who’s affected? A patchwork of Windows versions

This month’s fix spans an unusually broad set of releases. Every supported Windows version—from recent Windows 11 builds all the way back to Windows Server 2012 and Windows 10 version 1607—gets a patch. Even Windows 10 machines that lost free support on October 14, 2025 become eligible if they are enrolled in Extended Security Updates (ESU).

For IT teams, the only reliable way to confirm protection is to check the operating system build number after the July cumulative update installs. Here are the minimum builds you should see:

Windows edition Fixed build or later Corresponding KB
Windows 11 version 24H2 26100.8875 KB5101650
Windows 11 version 25H2 26200.8875 KB5101650
Windows 11 version 26H1 28000.2525 (included in cumulative)
Windows 10 version 21H2 19044.7548 KB5099539
Windows 10 version 22H2 19045.7548 KB5099539
Windows Server 2022 20348.5386 KB5099540
Windows Server 2025 26100.33158 (included in cumulative)
Windows Server 2019 / Windows 10 1809 17763.9020 (included in cumulative)
Windows Server 2016 / Windows 10 1607 14393.9339 (included in cumulative)
Windows Server 2012 R2 9600.23291 (included in monthly rollup)
Windows Server 2012 9200.26226 (included in monthly rollup)

Note that Windows 10 versions 21H2 and 22H2 require an active ESU agreement; without it, those devices will not receive the July security update even though the fix exists. The same caution holds for Windows 10 LTSC 2021 and IoT Enterprise LTSC 2021—they get the patch via KB5099539 only if support is active.

Patch first, verify second

Installing the update is just step one. Microsoft’s July Windows 11 release notes flag a temporary availability hold on KB5101650 for a limited set of Dell PCs with Intel processors. Those systems may exhibit shutdown issues, performance degradation, excess heat, or accelerated battery drain after applying the update. As a result, admins may find some endpoints stuck on older builds until Dell and Microsoft resolve the block—a reminder to verify build numbers rather than trusting that Windows Update “succeeded.”

A separate advisory warns of a potential BitLocker recovery prompt on Windows Server 2022 machines if a nonstandard PCR7 Group Policy configuration is in place. Microsoft recommends auditing that policy and checking Secure Boot PCR7 binding before rolling out the update across a server fleet. It is not a workaround for CVE-2026-56175, merely an operational gotcha that could trigger unnecessary recovery phone calls.

For managed environments, the safest sequence is to approve the cumulative update, deploy it to a representative test ring, restart fully, and then validate both the KB and OS build through Microsoft Intune, Microsoft Configuration Manager, or any third‑party inventory tool. A device that downloads the update but hasn’t rebooted is still vulnerable.

The long tail of NTFS vulnerabilities

NTFS has been a pillar of Windows since 1993. Its complexity—supporting compression, encryption, quotas, symbolic links, and a host of other features—means that parsing bugs and memory-corruption flaws surface periodically. Microsoft routinely patches privilege‑escalation issues in the file‑system driver during its monthly Patch Tuesday cycle.

What distinguishes CVE-2026-56175 is its sheer scope and the absence of any mitigation. Unlike many advisories that offer workarounds—disable a service, add a registry key, tighten firewall rules—this one offers none. Restricting local logon rights, using least‑privilege accounts, and maintaining solid endpoint detection can reduce the chances of an attacker reaching the vulnerable code path, but none of those actions eliminate the underlying defect. Patching is the only durable fix.

What you need to do right now

Home users who rely on Windows Update can breathe a little easier: the patch will install automatically, and a simple check of the build number in Settings > System > About provides peace of mind. If you see a build number matching or exceeding the table above, you’re protected.

IT administrators face a heavier lift. Here’s a practical order of operations:

  1. Audit your estate. Identify any Windows 10 machines still running on free support. Those must be enrolled in ESU or upgraded to Windows 11 before they can receive this fix.
  2. Review Dell hold notifications. If your fleet includes Intel‑based Dell PCs, check whether KB5101650 is blocked. Deploy to a small subset first and monitor for thermal or performance complaints.
  3. Check BitLocker configuration on Server 2022. Run the Microsoft‑provided script to audit PCR7 binding and adjust Group Policy if needed before patching.
  4. Push the July cumulative update through your standard patch‑management tool, ensuring that all servers and workstations reboot afterward.
  5. Validate compliance. Use your inventory system to scan for the required build numbers. Flag any device that hasn’t restarted or has fallen back to an older baseline.
  6. Watch for exploitation signals. While no active attacks have been detected, Patch Tuesday itself often triggers reverse‑engineering attempts. Ensure endpoint detection and response (EDR) sensors are tuned to spot privilege‑escalation attempts.

The absence of a workaround means that delaying the patch carries a clear risk. Defenders should prioritize deployment roughly in line with the CVSS score of 7.8—high, but not the highest possible. In practice, that means rolling it out during your next standard change window rather than an emergency break‑fix cycle.

Looking ahead

CVE-2026-56175 isn’t the sole security story from July 2026—Microsoft’s release notes address dozens of flaws across its ecosystem. But because it touches the universal file system on every supported Windows machine, it will likely draw attention from both security researchers and adversaries in the weeks following Patch Tuesday. The absence of a workaround keeps the spotlight on patching, and the broad product list turns it into a useful compliance benchmark.

Keep an eye on Microsoft’s Security Response Center for any updates to the advisory, particularly if the exploitation assessment changes or if proof‑of‑concept code surfaces. For now, the safest posture is simple: check your build, confirm it crosses the fixed threshold, and mark one more risk off your list.