CVE-2026-50388 is an Out-of-bounds Read vulnerability in Windows NTFS that Microsoft classifies as a Remote Code Execution issue. It has a CVSS v3.1 base score of 7.8 (High) and a temporal score of 6.8. The vector is local access with low attack complexity, no privileges required, and user interaction required (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Microsoft reports no public disclosure and no known exploitation, with exploit code maturity marked UNPROVEN. Because the attack is local and requires user interaction, the enterprise risk is lower than a network-reachable, no-interaction flaw, but it still matters for systems where users can be induced to open malicious content on affected Windows hosts. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; vector context is LOCAL with LOW attack complexity, NO privileges required, and USER INTERACTION required. - Severity for enterprise: High severity by CVSS, but real-world enterprise exposure is reduced by the local-only vector and required user interaction; risk is more relevant on endpoints and server systems where users can run untrusted content. - Patch status: available; customer action is required. Affected systems: - Windows 10 1607 - Windows 10 1809 - Windows 10 21H2 - Windows 10 22H2 - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2012 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server 2019 - Windows Server 2022 - Windows Server 2025