Microsoft’s July 2026 security update fixes a quiet but noteworthy flaw in the Windows Overlay Filter, a file-system component that could accidentally hand local users data they aren’t supposed to see. The vulnerability—CVE-2026-50409—earned a 5.5 Medium severity rating, yet its ability to disclose confidential information makes it a priority for any system where multiple people can log in.

What Got Fixed in the July 2026 Update

The fix lands via the July 14 Patch Tuesday cumulative updates for a sweeping list of Windows releases: Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025. At the heart of the problem is the Windows Overlay Filter driver (Wof.sys), software that sits close to the file system and helps manage compressed or externally backed data like Windows Imaging Format (WIM) files.

Microsoft’s advisory doesn’t spell out the exact nature of the disclosure. It says only that a locally authenticated attacker with low privileges could exploit the flaw to read information that should be off-limits. No user interaction is required, and the attack complexity is rated low. The CVSS vector tells the story: AV:L (local), AC:L (low complexity), PR:L (low privileges), UI:N (no user interaction), S:U (no scope change), C:H (high confidentiality impact), I:N (no integrity impact), A:N (no availability impact).

In plain English, an attacker already logged into a machine—even as a standard user—could run a program that peeks at protected data. That could be anything from filenames and directory structures to memory contents or secret tokens. Because the vulnerability lives in a filter driver that sits beneath applications, it could let a user bypass permissions that higher-level software assumes are rock solid.

The patch arrived as part of the regular cumulative update cycle. No separate hotfix is needed. The table below lays out the corrected builds for each affected edition.

Windows Version / Edition Fixed Build Key KB Article
Windows 11 24H2 26100.8875 KB5101650
Windows 11 25H2 26200.8875 KB5101650
Windows 11 26H1 28000.2525 Included in CU
Windows 10 21H2 19044.7548 Included in CU
Windows 10 22H2 19045.7548 Included in CU
Windows 10 1809 / Server 2019 17763.9020 Included in CU
Windows 10 1607 / Server 2016 14393.9339 Included in CU
Windows Server 2022 20348.5386 KB5099540
Windows Server 2025 26100.33158 KB5099536

What the Patch Means for You (by User Type)

Home Users: If your PC is used only by you and your trusted family, the risk is extremely low. The attacker must be logged in locally, so a remote hacker can’t reach this flaw from the internet. Still, every security update protects against future exploits, so installing the July update is good practice. One twist: a small number of Dell laptops with Intel processors might see the update blocked due to a separate compatibility issue involving overheating or battery drain. Microsoft is aware and working with Dell; if you own such a machine, wait for the green light rather than forcing the update.

IT administrators: This is where CVE-2026-50409 demands attention. On shared systems—think Remote Desktop Services hosts, virtual desktop infrastructure, terminal servers, developer workstations with multiple users, or student lab machines—a local information leak can escalate quickly. An attacker might chain this disclosure with another exploit to gain admin rights, steal credentials, or map the network. Microsoft rates the exploitation likelihood as “unproven” right now, but that can change once researchers publish details. Prioritize patching any system where less-trusted users have local accounts.

Developers and security researchers: The lack of a public proof-of-concept means you can’t write a detection signature yet. But you can verify that every machine in your test environment, build pipeline, or CI/CD farm is patched. The Windows Overlay Filter interacts with container images, compressed files, and Windows Sandbox environments—places where you might rely on file-system isolation. Don’t let an unpatched staging server become the weak link.

How Did We Get Here? The Overlay Filter’s Role

The Windows Overlay Filter isn’t a household name, but it’s been part of Windows for years. Its main job is to manage files that aren’t stored in the usual way: compacted files, Windows Imaging Format (WIM) files, and certain types of containerized storage all pass through its logic. The driver (Wof.sys) sits low in the stack, processing data between the storage device and the rest of the operating system.

Because filter drivers handle data for everyone, a slip-up can expose information that no individual application ever intended to share. Microsoft hasn’t disclosed what the bug was—perhaps a buffer overread, maybe a logic error that miscounts file boundaries—but the effect is that a low-privileged process could trick the filter into spilling secrets.

This isn’t the first time a driver-level information disclosure has been patched, and it won’t be the last. In fact, Microsoft fixed a different Windows Overlay Filter vulnerability (CVE-2023-36802) back in September 2023, which was also a local information disclosure with a 5.5 score. The pattern suggests that this component, though less visible, gets regular scrutiny from both Microsoft’s security team and external researchers.

What to Do Now: Your Action Plan

  1. Install the July 2026 cumulative update through your normal channel: Windows Update, WSUS, SCCM, Intune, or the Microsoft Update Catalog. The update will bring every affected machine to the fixed build automatically.
  2. Verify the build number—don’t assume success just because the update installed without errors. Open winver, run systeminfo, or check your endpoint management console. Match your build against the table above. For Server Core installations, use PowerShell: Get-ComputerInfo -Property WindowsProductName, WindowsVersion, OsBuildNumber.
  3. Check for Dell blocks. If you have Dell Intel-based systems, consult Microsoft’s Windows release health dashboard and Dell support for the compatibility hold. Do not force the update on those machines until the hold is lifted, as you may introduce overheating or performance problems.
  4. Scan offline images and deployment templates. Any gold image, VHDX, or backup that will be deployed later should be updated or patched before provisioning. Automated build pipelines should include a fresh cumulative update.
  5. Monitor for further disclosures. Microsoft may release a technical write-up after most users have patched. When they do, your security team should review any exploitation details and adjust detection rules accordingly.

The Bigger Picture: Routine Patching Still Matters

CVE-2026-50409 won’t make headlines like a critical remote code execution bug. But it’s a reminder that information disclosure flaws can be stepping stones for larger attacks. For now, there’s no panic—no active exploits, no public exploit code. That gives administrators a comfortable window to roll out the patches during the regular July update cycle. But delay too long, and the risk calculus changes once attackers have a roadmap.

The patching ecosystem this month also carries a lesson for Dell users: even routine updates can hit snags. The compatibility block affecting certain Dell Intel devices means that some organizations might have a patch gap until Microsoft and Dell resolve the underlying issue. Track those devices closely.

Looking ahead, expect Microsoft to publish more details on the vulnerability in its Security Research blog eventually. When that happens, the practical guidance may shift from “just patch” to “look for these traces of attack.” For now, patch and verify. That’s the clearest defense.