CVE-2026-50494 is a Windows NTFS heap-based buffer overflow that can lead to remote code execution. Microsoft lists the CVSS v3.1 base score as 7.8 (High) with a temporal score of 6.8; the vector is local access, low attack complexity, low privileges required, no user interaction, and unchanged scope (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Microsoft says the issue is not publicly disclosed and not exploited, with exploit code maturity marked unproven. Because the attack vector is local rather than network-based, enterprise risk is driven more by internal/local execution paths than by direct remote exposure. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; local attack vector, LOW attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High severity overall, but lower enterprise exposure than a network-reachable RCE because the vector is local-only; risk is more relevant where local execution by untrusted users or code is possible. - Patch status: available Affected systems: - Windows 10 1607 - Windows 10 1809 - Windows 10 21H2 - Windows 10 22H2 - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2012 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server 2019 - Windows Server 2022 - Windows Server 2025