CVE-2026-50305 is a Microsoft Brokering File System Use After Free elevation of privilege vulnerability affecting Windows 11 24H2, 25H2, 26H1, unspecified, and Windows Server 2025. Microsoft says successful exploitation could grant SYSTEM privileges. The CVSS v3.1 score is 7.8 (HIGH), with a local attack vector, low attack complexity, low privileges required, no user interaction, and unchanged scope. Microsoft reports no public disclosure and no known exploitation; exploit code maturity is unproven. Because this is a local privilege escalation issue, it is more relevant to systems where untrusted local code or users can run than to network-exposed services. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality, integrity, and availability impacts are all HIGH. Microsoft states successful exploitation could gain SYSTEM privileges. - Exploitation likelihood: Exploitation Less Likely; vector is LOCAL with LOW attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High severity by CVSS, but real-world exposure is limited by the local-only attack vector. Higher concern on systems where local code execution or lower-privileged user access is available. - Patch status: available Affected systems: - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2025