Microsoft has patched a vulnerability in Windows File Explorer that could allow someone with a local account on your PC to read private data they shouldn’t have access to. The fix arrived with the July 14, 2026 Patch Tuesday updates and addresses CVE-2026-40422, an information-disclosure flaw rated Important by Microsoft.
The bug sits deep in File Explorer’s handling of system memory. When exploited, it can leak information to an attacker who already has a foothold on your machine—even a low-privileged one. Microsoft’s advisory says no active attacks have been spotted, and the technical barrier for exploitation remains high, but the patch removes the risk entirely.
What’s Actually Wrong with File Explorer
CVE-2026-40422 falls into a category of software flaws known as use of uninitialized resource (CWE-908). In plain terms, File Explorer sometimes reaches into a block of computer memory before that memory has been properly cleared of its previous contents. Think of it like renting a storage locker, finding a stack of someone else’s old letters still inside, and being able to read them.
An attacker who exploits this flaw can see those leftover fragments. Microsoft hasn’t specified exactly what data might be exposed—it could be anything from harmless cache entries to snippets of file paths, tokens, or configuration details that help an intruder map out the system. Because the bug doesn’t corrupt files, give full system control, or let a remote hacker break in, it earned a CVSS base score of 5.5 out of 10. That’s medium severity, with a temporal score of 4.8 reflecting the current lack of public exploits or active attacks.
But don’t let the modest number lull you. Information-disclosure bugs are often used as stepping stones in larger attack chains. A bad actor with limited access could gather intelligence that makes a second, more dangerous exploit easier to pull off. The scoring also reveals a troubling detail: once the attacker has that local foothold, no clicks from you are needed. They can exploit the flaw silently, without tricking anyone into opening a file or folder.
Who Should Worry Most
The attack requirements narrow the real-world risk considerably. CVE-2026-40422 is strictly local—the attacker must already have an authorized account on your PC, whether through a stolen password, a misconfigured guest profile, or some other initial breach. That means the typical home user with a single, well-protected account faces little danger.
Scenarios where the vulnerability matters more:
- Shared family or workplace computers where multiple people log in with different user profiles. Someone with a limited “standard user” account could potentially harvest data from another user’s session.
- Kiosks, lab machines, or jump servers that handle sensitive administrative work or let many people run programs locally.
- Enterprise environments where an attacker has already compromised a low-level employee’s credentials and is searching for paths to more valuable files or higher privileges.
For managed IT fleets, this is not a drop-everything emergency, but it’s also not a patch to postpone. The advisory carries Microsoft’s “Exploitation Less Likely” label, but administrators know that landscape can shift quickly once a fix is reverse-engineered. Applying the July 14 cumulative update should be part of your normal Patch Tuesday rollout.
The Fix Arrives in a Cumulative Update
CVE-2026-40422 isn’t patched through a standalone download. It’s baked into the July 2026 monthly security rollup. For Windows 11 versions 24H2 and 25H2, that means KB5101650, which bumps the OS builds to 26100.8875 and 26200.8875 respectively. Older supported platforms—including Windows Server and any remaining Windows 10 editions under extended servicing—get their own separate cumulative packages.
Because these are cumulative updates, they also carry all other security patches released that month. That’s efficient but requires careful testing. Among the changes bundled in KB5101650 are adjustments to Secure Boot certificates, updates to the bundled curl tool, and networking hardening that could trip up third-party firewall or VPN drivers. IT teams should verify compatibility with shell extensions, backup software, and security tools before pushing the update broadly.
Microsoft hasn’t released a workaround for CVE-2026-40422, so skipping the cumulative update or disabling File Explorer features isn’t a reliable fix. The only sure remedy is to install the patch.
How to Protect Your System
For everyday users
- Open Windows Update (Settings > Windows Update on Windows 11) and click Check for updates.
- Download and install the July 2026 cumulative update. If you see “KB5101650” for Windows 11, that’s the one.
- Reboot when prompted, then verify the installation: go to Settings > System > About and confirm the OS build number matches 26100.8875 (24H2) or 26200.8875 (25H2).
- If you use a shared PC, consider reviewing which accounts have access. Remove old or unnecessary profiles to reduce the attack surface.
For IT administrators
- Deploy after testing: Roll out the July cumulative update to a pilot group and check for conflicts with line-of-business apps, endpoint protection, and network tools. Pay special attention to any software that integrates with File Explorer via shell extensions.
- Prioritize multi-user systems: Workstations, terminal servers, and jump boxes where many users log in interactively should be patched first.
- Verify, don’t assume: Use vulnerability scanners or build number checks to confirm deployment. A “successful” update scan isn’t enough; actual OS builds can lag behind for many reasons.
- Track exceptions: If you must delay patching for a subset of machines because of compatibility holds, document the exception and set a deadline for resolution.
- Monitor the advisory: Microsoft’s write-up for CVE-2026-40422 may be updated if the threat landscape changes. Bookmark it and check back periodically.
Looking Ahead
For now, CVE-2026-40422 is a fixed vulnerability with no known in-the-wild exploitation. But security history shows that once a patch is public, the clock starts ticking. Researchers and threat actors alike will dissect the update to understand the exact flaw, and working proof-of-concept code often follows within days or weeks.
Applying the July 2026 update locks the door while the risk is still theoretical. That’s the safest approach—especially on systems where multiple users or sensitive data coexist. Microsoft’s next month of patches may bring the urgent zero-day that keeps IT teams up at night. Today, you have the luxury of a controlled, testable fix. Use it.