CVE-2026-50501 - Windows Resilient File System (ReFS) Remote Code Execution Vulnerability - is a stack-based buffer overflow in ReFS that can lead to remote code execution. Microsoft rates it High with a CVSS v3.1 base score of 7.8 and temporal score of 6.8. The vector is LOCAL, LOW attack complexity, NO privileges required, and USER INTERACTION is REQUIRED, so it is not a network-reachable, no-interaction issue. Microsoft reports no public disclosure and no exploitation, with exploit code maturity UNPROVEN and exploitation unlikely. The affected Windows versions are desktop and server releases, so enterprise risk is primarily to systems where a local attacker or user-mediated interaction is possible. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Unlikely; vector is LOCAL with LOW attack complexity, NO privileges required, and USER INTERACTION REQUIRED. - Severity for enterprise: High according to CVSS, but real-world enterprise exposure is lower than network-based RCE because exploitation is local and requires user interaction. Risk is more relevant on hosts where untrusted local access or user-driven file handling is possible. - Patch status: available Affected systems: - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2025