Administrators should hold CVE-2026-59117 in a verification queue rather than treat it as an immediately actionable Windows Terminal advisory. The Microsoft Security Response Center page supplied for the alleged “Windows Terminal Remote Code Execution Vulnerability” is dated July 16, 2026, but the public vulnerability records currently available do not corroborate its technical scope, severity, affected versions, exploit status, or a corresponding patch package.
That matters because Microsoft did publish a separate Windows Terminal remote code execution vulnerability two days earlier: CVE-2026-54124, released as part of the July 14, 2026 security updates. The similar product name makes a CVE-number mix-up entirely plausible, particularly for organizations ingesting advisory feeds automatically or triaging alerts from third-party scanners.
Microsoft’s Security Update Guide is the originating source for the CVE-2026-59117 entry cited here. However, its browser-delivered advisory page does not expose usable details without JavaScript, and no corroborating CVE record, National Vulnerability Database entry, Microsoft support article, or independent security reporting was publicly discoverable at publication time. That is not evidence that the CVE is invalid; it is evidence that the public record is not yet sufficient for reliable remediation decisions.
The vulnerability Windows administrators can verify today is CVE-2026-54124. Microsoft described it as an integer-overflow or wraparound issue in Windows Terminal that could allow an unauthorized attacker to execute code locally. The National Vulnerability Database lists it with a CVSS 3.1 score of 7.8, rated High, and a vector requiring local access and user interaction while requiring no prior privileges.
That distinction is important. “Remote code execution” is the Microsoft advisory’s impact label, but the public CVSS vector does not describe an unauthenticated network wormable flaw. A target must still be induced to handle attacker-controlled content or otherwise reach the vulnerable local execution path. This is closer to a malicious-file, malicious-link, or socially engineered workflow risk than a reason to assume that Terminal hosts are exposed directly to the internet.
The Zero Day Initiative’s July 2026 security-update review also categorized CVE-2026-54124 as Important rather than Critical and reported no known exploitation at release. The U.S. Cybersecurity and Infrastructure Security Agency’s SSVC enrichment similarly marked exploitation as none and automation as no. Those are snapshots, not guarantees, but they support a standard Patch Tuesday response rather than an emergency incident declaration.
Microsoft’s affected-product data for CVE-2026-54124 includes Windows Terminal builds earlier than 1.24.11321.0, along with supported Windows client and server releases receiving the July security updates. The listed operating-system cutoffs include:
This is especially relevant in vulnerability-management platforms that normalize Microsoft advisories into a common title. “Windows Terminal Remote Code Execution Vulnerability” is a product-impact description, not a unique identifier. Microsoft used the same naming convention for the earlier Windows Terminal issue, CVE-2022-44702, which was also a local, user-interaction-required flaw. The repetitive title format is useful for reading a bulletin but poor as the primary key for operational tracking.
The supplied July 16 timestamp also deserves careful treatment. It converts to 14:00 UTC on July 16, 2026. That is after the July 14 Patch Tuesday release that carried CVE-2026-54124, so an organization that already deployed the July cumulative updates may be covered against the confirmed Terminal vulnerability. It should not, however, automatically mark CVE-2026-59117 as remediated without Microsoft publishing a product and build mapping for that exact identifier.
For CVE-2026-54124, organizations should confirm that their July 14 updates are deployed through their normal Windows Update for Business, WSUS, Configuration Manager, or endpoint-management process. Windows 10 devices should report build 19045.7548 or 19044.7548 where applicable; Windows 11 24H2 devices should report 26100.8875 or later. Teams that package Windows Terminal separately should also inventory the installed Terminal version and ensure it is at least 1.24.11321.0.
For the uncorroborated CVE-2026-59117 entry, keep the following controls simple:
For now, the actionable Windows Terminal item remains CVE-2026-54124 and the July 14, 2026 cumulative-update baseline. If Microsoft fills in the CVE-2026-59117 record with distinct build numbers or a separate patch, that will establish whether it is a newly disclosed Terminal flaw, a late-published advisory, or simply an identifier that should never have been conflated with this week’s confirmed RCE fix.
That matters because Microsoft did publish a separate Windows Terminal remote code execution vulnerability two days earlier: CVE-2026-54124, released as part of the July 14, 2026 security updates. The similar product name makes a CVE-number mix-up entirely plausible, particularly for organizations ingesting advisory feeds automatically or triaging alerts from third-party scanners.
Microsoft’s Security Update Guide is the originating source for the CVE-2026-59117 entry cited here. However, its browser-delivered advisory page does not expose usable details without JavaScript, and no corroborating CVE record, National Vulnerability Database entry, Microsoft support article, or independent security reporting was publicly discoverable at publication time. That is not evidence that the CVE is invalid; it is evidence that the public record is not yet sufficient for reliable remediation decisions.
The Confirmed July Windows Terminal Fix Is CVE-2026-54124
The vulnerability Windows administrators can verify today is CVE-2026-54124. Microsoft described it as an integer-overflow or wraparound issue in Windows Terminal that could allow an unauthorized attacker to execute code locally. The National Vulnerability Database lists it with a CVSS 3.1 score of 7.8, rated High, and a vector requiring local access and user interaction while requiring no prior privileges.That distinction is important. “Remote code execution” is the Microsoft advisory’s impact label, but the public CVSS vector does not describe an unauthenticated network wormable flaw. A target must still be induced to handle attacker-controlled content or otherwise reach the vulnerable local execution path. This is closer to a malicious-file, malicious-link, or socially engineered workflow risk than a reason to assume that Terminal hosts are exposed directly to the internet.
The Zero Day Initiative’s July 2026 security-update review also categorized CVE-2026-54124 as Important rather than Critical and reported no known exploitation at release. The U.S. Cybersecurity and Infrastructure Security Agency’s SSVC enrichment similarly marked exploitation as none and automation as no. Those are snapshots, not guarantees, but they support a standard Patch Tuesday response rather than an emergency incident declaration.
Microsoft’s affected-product data for CVE-2026-54124 includes Windows Terminal builds earlier than 1.24.11321.0, along with supported Windows client and server releases receiving the July security updates. The listed operating-system cutoffs include:
- Windows 10 versions 21H2 and 22H2 before OS builds 19044.7548 and 19045.7548.
- Windows 11 versions 24H2 and 25H2 before OS build 26100.8875 and 26200.8875.
- Windows 11 version 26H1 before OS build 28000.2269.
- Windows Server 2022 before OS build 20348.5386 and Windows Server 2025 before OS build 26100.33158.
A Similar Name Is Not a Substitute for a Matching CVE
CVE identifiers are precise tracking keys. They are not interchangeable labels, even when two entries mention the same product and the same impact category. Treating CVE-2026-59117 as if it were CVE-2026-54124 can create two problems at once: a security team may close a finding that is not actually remediated, while also generating unnecessary priority work for a vulnerability whose technical details have not been published.This is especially relevant in vulnerability-management platforms that normalize Microsoft advisories into a common title. “Windows Terminal Remote Code Execution Vulnerability” is a product-impact description, not a unique identifier. Microsoft used the same naming convention for the earlier Windows Terminal issue, CVE-2022-44702, which was also a local, user-interaction-required flaw. The repetitive title format is useful for reading a bulletin but poor as the primary key for operational tracking.
The supplied July 16 timestamp also deserves careful treatment. It converts to 14:00 UTC on July 16, 2026. That is after the July 14 Patch Tuesday release that carried CVE-2026-54124, so an organization that already deployed the July cumulative updates may be covered against the confirmed Terminal vulnerability. It should not, however, automatically mark CVE-2026-59117 as remediated without Microsoft publishing a product and build mapping for that exact identifier.
What IT Teams Should Do While the Record Catches Up
The practical response is to verify the confirmed July release, preserve the CVE distinction in asset-management records, and monitor Microsoft’s advisory for a completed disclosure. Security teams should avoid writing detection logic, declaring exposure, or assigning a CVSS-based SLA to CVE-2026-59117 based solely on a title and a publication timestamp.For CVE-2026-54124, organizations should confirm that their July 14 updates are deployed through their normal Windows Update for Business, WSUS, Configuration Manager, or endpoint-management process. Windows 10 devices should report build 19045.7548 or 19044.7548 where applicable; Windows 11 24H2 devices should report 26100.8875 or later. Teams that package Windows Terminal separately should also inventory the installed Terminal version and ensure it is at least 1.24.11321.0.
For the uncorroborated CVE-2026-59117 entry, keep the following controls simple:
- Preserve the advisory identifier exactly as received and do not merge it with CVE-2026-54124.
- Watch Microsoft’s Security Update Guide for the eventual CVSS vector, affected-product list, mitigation guidance, and update references.
- Check whether endpoint tools or vulnerability scanners begin reporting a concrete Windows Terminal version threshold for CVE-2026-59117.
- Review alerts for false correlations caused by matching on the advisory title rather than the CVE number.
For now, the actionable Windows Terminal item remains CVE-2026-54124 and the July 14, 2026 cumulative-update baseline. If Microsoft fills in the CVE-2026-59117 record with distinct build numbers or a separate patch, that will establish whether it is a newly disclosed Terminal flaw, a late-published advisory, or simply an identifier that should never have been conflated with this week’s confirmed RCE fix.
References
- Primary source: MSRC
Published: 2026-07-16T07:00:00-07:00
Loading…
msrc.microsoft.com - Official source: learn.microsoft.com
Loading…
learn.microsoft.com - Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com