Microsoft’s July 14, 2026 security updates stamp out a high-severity vulnerability in Windows that could allow a locally authenticated attacker to grab complete control of an affected PC. The flaw, tracked as CVE-2026-57091, hides in the File History Service and earned a CVSS score of 7.8, signaling a serious but not critical threat that demands swift patching.

The Fix Arrives in July’s Cumulative Updates

The remedy comes bundled in the monthly cumulative updates shipped on July 14. There’s no standalone hotfix; you get the repair automatically when you install the latest patch for your version of Windows. Microsoft published the advisory on its Security Response Center (MSRC) as part of its regular Patch Tuesday cadence.

Here are the updates that close this loophole:

  • Windows Server 2016: KB5099535
  • Windows 10 version 1809 and Windows Server 2019: KB5099538
  • Windows 10 version 21H2 and 22H2: KB5099539
  • Windows Server 2022: KB5099540
  • Windows 11 version 23H2: KB5099414
  • Windows 11 versions 24H2 and 25H2: KB5101650
  • Windows 11 version 26H1: KB5101649 (build 28000.2525)
  • Windows Server 2025: KB5099536 (build 26100.33158)

All these updates are available through Windows Update, Microsoft Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog.

A Technical Breakdown: How the Vulnerability Works

The weakness is a classic stack-based buffer overflow (CWE-121) in the File History Service. When the service processes specially crafted input, it writes more data to a fixed-size memory buffer than it should, corrupting adjacent memory. An attacker who can trigger this overflow could redirect program execution and run arbitrary code with SYSTEM privileges.

Microsoft’s advisory notes that exploitation requires no user interaction beyond the attacker already having a valid account on the machine. The attack complexity is low, meaning a skilled adversary can likely craft a reliable exploit. The impact is broad: confidentiality, integrity, and availability all take a high hit. In lay terms, an attacker could read any file, install malware, create new accounts, disable security tools, or even erase data—all with the highest level of access Windows grants.

Because File History is enabled by default on many consumer PCs and often configured on enterprise devices, the service runs even if you never open the backup settings. That invisibility is what makes this patch important for everyone, not just those actively using the feature.

Affected Versions: From Old Windows 10 to the Newest 11

CVE-2026-57091 spans an unusually large set of Windows releases. Microsoft confirms the following are vulnerable:

  • Windows 10 version 1607 (the original long-term servicing branch)
  • Windows 10 version 1809
  • Windows 10 versions 21H2 and 22H2
  • Windows 11 versions 23H2, 24H2, 25H2, and 26H1
  • Windows Server 2016, 2019, 2022, and 2025

If your PC or server runs any of these and you haven’t installed the July 2026 cumulative update, you are exposed. Even older versions no longer receiving updates are technically affected, but Microsoft will not provide patches for out-of-support releases—a nudge to upgrade if you’re holding onto a legacy OS.

For Home Users: What This Means for Your PC

If you’re a regular Windows user, you don’t need to panic, but you should act. The vulnerability requires an attacker to already be logged into your computer. That could happen if malware sneaks onto your system through a phishing email, a dubious download, or a compromised remote access application. Once that malware runs with your limited user rights, it could use CVE-2026-57091 to jump to SYSTEM privileges, bypassing any defenses that rely on user account boundaries.

The good news: applying the update is as simple as checking Windows Update, installing the latest cumulative patch, and restarting. For most users, this will happen automatically with automatic updates enabled. But if you’ve paused updates or delayed reboots, now is a great time to let the patch through.

You don’t need to tweak File History settings. Turning off the service might seem like a temporary shield, but it can break your backup routine and isn’t a proper substitute for the patched binaries.

For IT Admins: Prioritizing the Patch

IT departments should treat this as a high-priority update, particularly for environments where multiple users share machines or remote desktop services are running. Systems like jump hosts, virtual desktop infrastructure (VDI) pools, and developer workstations are prime targets because they often have many different logged-in accounts—some of which could be compromised.

Since there’s no known active exploitation yet, you can follow normal deployment rings: test the update on a representative subset, then roll out widely. But don’t dawdle. The public disclosure of the vulnerability gives researchers and attackers enough clues to reverse-engineer the fix and develop exploits. Past Patch Tuesdays have shown that reliable privilege-escalation exploits can appear within days of a patch release.

Before deploying, verify that your scanning tools and patch management systems recognize the appropriate KB numbers. Some older Windows 10 builds (like 1607) might need the latest servicing stack update first. After installation, check that the system reports the build number listed above—a downloaded update doesn’t mean the system is safe if it’s still waiting for a restart.

Also, take a moment to review user privileges across your fleet. Privilege escalation gets its bite from local accounts with too many rights. Enforce least privilege, block users from installing unauthorized software, and restrict execution from user-writable folders. These steps won’t directly patch the bug, but they shrink the attack surface that an exploit needs.

The Road to the Patch: Context and Considerations

File History has been a part of Windows since Windows 8, designed as a simpler alternative to previous backup tools. It automatically saves snapshots of files in libraries, desktop, contacts, and favorites to an external drive or network location. The service lurks in the background, quietly doing its job, making it an attractive target for researchers looking for persistent, always-on components.

Stack-based buffer overflows, while less common today thanks to modern mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), can still crop up when developers mishandle input validation. The fact that this flaw exists in a mature Windows service underscores why monthly patching remains critical even for systems that feel locked down.

Microsoft’s bulletin scores the vulnerability with a CVSS vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The low privileges required (authenticated user) and the local attack vector mean this is a post-compromise amplification tool—not a remote break-in method. Attackers use such vulnerabilities to deepen their grip after gaining initial access, often as part of a multi-stage assault that leads to ransomware deployment or data theft.

At the time of the July release, Microsoft reported no public disclosure or evidence of active exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) hasn’t flagged it for urgent federal action, but its own SSVC scoring notes the technical impact as “total.” That’s a reminder that while the immediate risk is lower than a zero-day under active attack, the potential damage is just as severe.

Immediate Steps to Protect Your System

  1. Run Windows Update
    Open Settings > Windows Update and click “Check for updates.” Download and install any pending updates, then restart your device. The patch will be listed as a cumulative update with one of the KB numbers above.

  2. Verify the install
    After rebooting, go to Settings > System > About and confirm your OS build matches the patched version. Or run winver from a command prompt.

  3. Don’t rely on workarounds
    Microsoft hasn’t provided any mitigation for CVE-2026-57091. Disabling the File History service (fhservice) is technically possible, but it could stop your backup from running and may cause side effects. Only consider it as a last resort in isolated environments where you can’t apply the update immediately, and restore the service afterward.

  4. Strengthen your defenses
    Since this bug requires local access, review who can log into your machine. For businesses, enable multi-factor authentication, restrict remote desktop access, and monitor for suspicious process activity. For individuals, avoid running unknown executables and keep your antivirus active.

Outlook: Staying Ahead of Exploitation

Microsoft’s July 2026 Patch Tuesday closed many other vulnerabilities, but CVE-2026-57091 stands out for its combination of high impact and low exploitation barriers. With no public exploit yet, this is a grace period. Security researchers will soon start comparing patched and unpatched versions of the File History service to understand the flaw—and that knowledge will eventually trickle into the hands of cybercriminals.

For the average Windows user, this is just another Tuesday: install the update, reboot, and move on. For administrators, it’s a reminder that even background services we rarely think about can become stepping stones for attackers. The single most effective defense remains prompt patching. As always, the next Patch Tuesday will bring another batch of fixes, but today’s task is clear: apply the July 2026 cumulative update and close the door on CVE-2026-57091.