Microsoft has disclosed CVE-2026-54124, a Windows Terminal remote code execution vulnerability fixed in the July 14, 2026 security updates. The immediate action for Windows users and administrators is straightforward: install the July cumulative update for the operating system and ensure Windows Terminal is at version 1.24.11321.0 or later.
Microsoft’s Security Response Center published the advisory on July 14. The National Vulnerability Database record, which draws its initial technical data from Microsoft, rates the issue 7.8 out of 10 under CVSS 3.1: High severity, with low attack complexity, no required privileges, required user interaction, and potential impact to confidentiality, integrity, and availability.
The important qualification is buried in the attack vector. Despite the “remote code execution” label in the advisory title, this is not a network-reachable Windows Terminal service flaw that can be triggered merely by connecting to a machine. Microsoft describes it as an integer overflow or wraparound vulnerability that permits an unauthorized attacker to execute code locally. An attacker would need to induce a user to interact with malicious content or a crafted local resource through the Terminal environment.
Windows Terminal is the default-facing command-line experience for a large portion of the Windows developer and administrator audience. It hosts PowerShell, Command Prompt, WSL distributions, SSH sessions, Azure Cloud Shell connections, and third-party shells in one application, often with profiles, custom themes, extensions, and shared configuration files.
That broad footprint does not turn CVE-2026-54124 into a wormable vulnerability. It does mean that a local attack surface exists in places where users routinely open files, clone repositories, run installers, paste commands, and launch scripts received from other people.
Microsoft’s description identifies both integer overflow and wraparound weaknesses, mapped in the vulnerability record to CWE-122 and CWE-190. In practical terms, that points to a failure in safely handling a numerical value involved in memory allocation, size calculation, or bounds checking. If a value unexpectedly rolls over, code may reserve too little memory or process data under invalid assumptions.
Microsoft has not published proof-of-concept code, a detailed trigger condition, or an attack scenario. That absence matters: it limits what defenders can responsibly infer about whether the vulnerable path involves Terminal rendering, profile handling, command-line parsing, settings, extensions, pasted content, or a shared console component.
Administrators should not assume that updating only the Microsoft Store app is sufficient. Microsoft’s affected build thresholds align with the July 2026 cumulative updates:
The product-side threshold is Windows Terminal version 1.24.11321.0. Microsoft’s GitHub release history shows that build was released on May 13, 2026, before the July security disclosure. That can happen when a fixed component is already present in a newer app release but the CVE is held until coordinated disclosure and broader OS servicing are ready.
That makes the vulnerability especially relevant to workflows where Terminal is used to process untrusted or semi-trusted material. Developer workstations that clone external repositories, support desks that reproduce customer issues, and administrators who open scripts or configuration bundles from ticketing systems should be patched promptly.
The CISA enrichment attached to the NVD entry currently records exploitation as “none” and automation as “no.” Those fields are useful for prioritization, but they are not a guarantee that exploitation will remain absent. They also should not be confused with a vendor statement that the issue is impossible to automate; they reflect the public evidence available on July 14.
For most environments, the remediation should be folded into normal Patch Tuesday deployment rather than treated as a standalone emergency. The sensible exception is a fleet with heavy Terminal use, delayed cumulative-update adoption, developer endpoints running manually installed Terminal packages, or isolated servers where patch compliance is harder to verify.
IT teams should verify the installed Terminal package version through App Installer, the Microsoft Store, WinGet, or PowerShell package inventory. The target is 1.24.11321.0 or newer. They should also confirm the device’s Windows build against Microsoft’s published thresholds, using Settings,
Organizations that package Terminal separately should review their deployment rings now. Microsoft’s Terminal project supports Store, GitHub release, and WinGet distribution paths, which means version drift can be more common than with a component serviced only through Windows Update.
No workaround, mitigation setting, or configuration change has been published by Microsoft for CVE-2026-54124. Until more technical detail emerges, the defensible response is patching rather than attempting to disable features based on guesses about the vulnerable code path.
The next signal to watch is whether Microsoft revises the advisory with exploit details, a public disclosure acknowledgment, or a change in exploitation status. For now, July’s updates close a high-severity local code-execution hole in one of Windows’ most commonly used administrative and development entry points.
Microsoft’s Security Response Center published the advisory on July 14. The National Vulnerability Database record, which draws its initial technical data from Microsoft, rates the issue 7.8 out of 10 under CVSS 3.1: High severity, with low attack complexity, no required privileges, required user interaction, and potential impact to confidentiality, integrity, and availability.
The important qualification is buried in the attack vector. Despite the “remote code execution” label in the advisory title, this is not a network-reachable Windows Terminal service flaw that can be triggered merely by connecting to a machine. Microsoft describes it as an integer overflow or wraparound vulnerability that permits an unauthorized attacker to execute code locally. An attacker would need to induce a user to interact with malicious content or a crafted local resource through the Terminal environment.
The flaw is local, but Terminal is everywhere developers work
Windows Terminal is the default-facing command-line experience for a large portion of the Windows developer and administrator audience. It hosts PowerShell, Command Prompt, WSL distributions, SSH sessions, Azure Cloud Shell connections, and third-party shells in one application, often with profiles, custom themes, extensions, and shared configuration files.That broad footprint does not turn CVE-2026-54124 into a wormable vulnerability. It does mean that a local attack surface exists in places where users routinely open files, clone repositories, run installers, paste commands, and launch scripts received from other people.
Microsoft’s description identifies both integer overflow and wraparound weaknesses, mapped in the vulnerability record to CWE-122 and CWE-190. In practical terms, that points to a failure in safely handling a numerical value involved in memory allocation, size calculation, or bounds checking. If a value unexpectedly rolls over, code may reserve too little memory or process data under invalid assumptions.
Microsoft has not published proof-of-concept code, a detailed trigger condition, or an attack scenario. That absence matters: it limits what defenders can responsibly infer about whether the vulnerable path involves Terminal rendering, profile handling, command-line parsing, settings, extensions, pasted content, or a shared console component.
July’s cumulative updates carry the OS-side fix
The affected-product data published with the CVE identifies Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025, alongside Windows Terminal for Windows 10 and Windows Terminal for Windows 11. That is a notable scope for a Terminal-branded issue, particularly because the Microsoft Terminal repository also contains source used by the legacy Windows Console Host and shared console infrastructure.Administrators should not assume that updating only the Microsoft Store app is sufficient. Microsoft’s affected build thresholds align with the July 2026 cumulative updates:
- Windows 10 version 21H2 and 22H2 require OS Build 19044.7548 or 19045.7548, delivered by KB5099539.
- Windows 11 version 24H2 requires OS Build 26100.8875, while version 25H2 requires Build 26200.8875; both are delivered by KB5101650.
- Windows 11 version 26H1 requires OS Build 28000.2269.
- Windows Server 2022 requires OS Build 20348.5386, delivered by KB5099540.
- Windows Server 2025, including Server Core, requires OS Build 26100.33158, delivered by KB5099536.
The product-side threshold is Windows Terminal version 1.24.11321.0. Microsoft’s GitHub release history shows that build was released on May 13, 2026, before the July security disclosure. That can happen when a fixed component is already present in a newer app release but the CVE is held until coordinated disclosure and broader OS servicing are ready.
“User interaction required” is not a reason to defer
The CVSS vector for CVE-2026-54124 is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Translating that into operational language: an attacker does not need pre-existing credentials or elevated privileges, and exploitation is not considered technically difficult once a reliable trigger is known. But the attacker does need a user to do something.That makes the vulnerability especially relevant to workflows where Terminal is used to process untrusted or semi-trusted material. Developer workstations that clone external repositories, support desks that reproduce customer issues, and administrators who open scripts or configuration bundles from ticketing systems should be patched promptly.
The CISA enrichment attached to the NVD entry currently records exploitation as “none” and automation as “no.” Those fields are useful for prioritization, but they are not a guarantee that exploitation will remain absent. They also should not be confused with a vendor statement that the issue is impossible to automate; they reflect the public evidence available on July 14.
For most environments, the remediation should be folded into normal Patch Tuesday deployment rather than treated as a standalone emergency. The sensible exception is a fleet with heavy Terminal use, delayed cumulative-update adoption, developer endpoints running manually installed Terminal packages, or isolated servers where patch compliance is harder to verify.
Verify both Windows and the app package
A patched OS build does not necessarily prove that Windows Terminal itself is current, especially on systems where Store updates are disabled, blocked by policy, or replaced with manually deployed MSIX packages. Conversely, an updated Terminal package does not eliminate the need for the July operating-system update where shared components are implicated.IT teams should verify the installed Terminal package version through App Installer, the Microsoft Store, WinGet, or PowerShell package inventory. The target is 1.24.11321.0 or newer. They should also confirm the device’s Windows build against Microsoft’s published thresholds, using Settings,
winver, endpoint-management inventory, or standard compliance reporting.Organizations that package Terminal separately should review their deployment rings now. Microsoft’s Terminal project supports Store, GitHub release, and WinGet distribution paths, which means version drift can be more common than with a component serviced only through Windows Update.
No workaround, mitigation setting, or configuration change has been published by Microsoft for CVE-2026-54124. Until more technical detail emerges, the defensible response is patching rather than attempting to disable features based on guesses about the vulnerable code path.
The next signal to watch is whether Microsoft revises the advisory with exploit details, a public disclosure acknowledgment, or a change in exploitation status. For now, July’s updates close a high-severity local code-execution hole in one of Windows’ most commonly used administrative and development entry points.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: devblogs.microsoft.com
Windows Terminal Preview 1.25 Release - Windows Command Line
Windows Terminal 1.25 is released to the Preview Channel, with Settings Search, Action Editing, New Languages, and more.devblogs.microsoft.com - Official source: learn.microsoft.com
An overview on Windows Terminal | Microsoft Learn
Learn about Windows Terminal and how it can improve your command line workflow.learn.microsoft.com - Related coverage: what-version.com
Latest Windows Terminal Version (1.24.11321.0) - What Version
The latest verified stable version of Windows Terminal is 1.24.11321.0. Check the source, release date, and correct official download for your system.www.what-version.com