Microsoft has patched a serious vulnerability in Windows’ Resilient File System that could let attackers run malicious code on a fully updated PC—if they can convince a user to open a booby-trapped file. The flaw, tracked as CVE-2026-50501, was fixed in the July 14, 2026 Patch Tuesday updates and affects Windows 11 versions 24H2, 25H2, and 26H1, plus Windows Server 2025 and its Server Core variant. While no active attacks have been spotted yet, the low complexity of exploitation and high potential impact make this a patch you can’t afford to skip.

What Actually Changed: The Patch Details

At its core, CVE-2026-50501 is a stack-based buffer overflow (CWE-121) in the ReFS driver. Microsoft’s advisory gives it a CVSS 3.1 score of 7.8, putting it in the “Important” category. The attack vector is local (AV:L), requiring user interaction, but it needs no prior privileges and can lead to full system compromise—confidentiality, integrity, and availability all take a hit.

Three distinct cumulative updates deliver the fix. For Windows 11 24H2 and 25H2, KB5101650 brings builds to 26100.8875 and 26200.8875 respectively. The hardware-specific Windows 11 26H1 gets KB5101649, moving to build 28000.2525. Windows Server 2025—both Desktop Experience and Server Core—receives KB5099536, landing on build 26100.33158. All are available through Windows Update, WSUS, and the Microsoft Update Catalog.

A quick reference for the affected builds:

Product Fixed Build Update KB
Windows 11 24H2 26100.8875 or later KB5101650
Windows 11 25H2 26200.8875 or later KB5101650
Windows 11 26H1 28000.2525 or later KB5101649
Windows Server 2025 (all editions) 26100.33158 or later KB5099536

Server Core is explicitly listed as affected, so removing the graphical interface doesn’t sidestep the issue. The vulnerability lives deep in the file system code, not in a user-facing app.

What the Vulnerability Means for Your Machine

Don’t let the “Remote Code Execution” label fool you—this isn’t a wormable network threat. The CVSS vector tells a more precise story: an attacker needs local access or must trick you into interacting with something malicious. That could be mounting a crafted virtual hard disk, opening a specially formatted ReFS volume from a USB drive, or perhaps even double-clicking a file that triggers the overflow. Microsoft hasn’t spelled out the exact trigger, so any scenario where untrusted content touches the ReFS driver is a potential risk.

For home users, the main danger is accidentally opening something nasty from a download or removable media. If you’re running Windows 11 24H2, 25H2, or a device with 26H1, you’re in scope, even if you’ve never deliberately formatted a drive with ReFS. The vulnerable component is part of the OS, and an attacker doesn’t need you to have ReFS as your primary file system.

For businesses, Windows Server 2025 is the bigger worry. These machines often manage storage pools, Hyper-V virtual disks, and large data volumes—all of which can involve ReFS. A compromise here could ripple across an entire infrastructure. Because the bug requires user interaction, an attacker might target an administrator who opens a tainted file on a management workstation, then pivot to servers. Even without active exploitation, the low attack complexity means it’s a tempting target for social engineering.

Microsoft hasn’t documented any workarounds or configuration switches that fully neutralize the vulnerability. You can’t just disable ReFS or block certain file extensions and call it safe. The only sure fix is the update.

How We Got Here: ReFS Under the Microscope

ReFS is Microsoft’s modern file system, designed for data integrity, scalability, and resilience. It’s a workhorse behind Storage Spaces Direct, Hyper-V, and backup targets. Because it operates at a low level in the kernel, a memory corruption bug there can hand an attacker complete control.

CVE-2026-50501 isn’t a one-off. The July 2026 update cycle includes a cluster of ReFS-related vulnerabilities, many with similar 7.8 scores, according to the Zero Day Initiative’s Patch Tuesday review. A stack-based buffer overflow like this usually happens when the driver mishandles the size of an input buffer, overwriting adjacent memory. With no privileges needed, an exploit could escalate from zero to SYSTEM in a single step, though the user-interaction requirement makes it less alarming than a true remote, unaided attack.

The timeline is tight: Microsoft disclosed the bug and released the fix on the same day, with no prior public knowledge. That’s standard for Patch Tuesday, but it leaves defenders little time to prepare. The CVSS temporal score may rise if a proof-of-concept appears, but for now, the lack of known exploitation keeps the urgency just below “drop everything.”

Steps to Secure Your Systems Now

  1. Verify your OS build. A speedy way: hit Win+R, type winver, and check the number against the table above. For bulk checks, use PowerShell or your inventory tool to compare against the fixed builds.
  2. Deploy the update. Home users can head to Settings > Windows Update and install all available patches. Enterprise admins should push the relevant KB through WSUS, Microsoft Intune, or Azure Update Manager.
  3. Prioritize servers first. Start with Windows Server 2025 systems that handle storage, virtualization, or backups. Then target administrative workstations and any Windows 11 devices that routinely deal with untrusted files, downloaded VHDs, or removable media.
  4. Test before mass rollout. If you manage a fleet, sandbox KB5099536 on a non-critical server. Check storage spaces, deduplication, clustering, and disaster-recovery workflows. Microsoft’s notes mention a known WSUS reporting snag, but not a compatibility problem specific to this fix.
  5. Don’t wait for a proof-of-concept. The low attack complexity means once a sample appears, weaponization could follow quickly. Patching now shrinks your exposure window.

Remember, merely accepting the update in Windows Update isn’t enough—you need to confirm the new build is installed. A reboot is required after deployment.

What Comes Next

With multiple ReFS fixes landing in one month, it’s worth watching for more detailed technical write-ups from security researchers. A public proof-of-concept could emerge, which might shift the risk calculus, especially for servers that can’t be patched immediately. Microsoft and CISA currently assess it as not easily automatable, but that could change if the delivery mechanism becomes clearer.

For now, the playbook is simple: get to the fixed builds, keep untrusted files away from sensitive systems, and treat this as a dry run for future file-system patches. The July updates are cumulative, so once you’re on the right build, you’re protected against all the ReFS fixes in this release—not just CVE-2026-50501.