CVE-2026-54995: July Updates Fix Windows RMCAST RCE

Microsoft has fixed CVE-2026-54995, a critical remote code execution vulnerability in the Windows Reliable Multicast Transport Driver, with the July 14, 2026 security updates. The flaw can let an unauthenticated attacker execute code by sending malicious network traffic to a vulnerable Windows system, making prompt deployment particularly important on machines that use Reliable Multicast, also known as RMCAST.
Detailed in the Microsoft Security Response Center’s advisory, CVE-2026-54995 carries a CVSS 3.1 base score of 8.1. Microsoft identifies the underlying weakness as a use-after-free memory error, tracked as CWE-416, and describes the vulnerability as exploitable over a network without prior authorization.
The advisory’s report-confidence rating is confirmed. That means this is not merely a suspected weakness inferred from incomplete research: Microsoft has acknowledged the vulnerability and released corrected Windows builds.

Cybersecurity infographic showing multicast traffic, an RMT driver memory flaw, and a July 2026 security update.A Memory-Safety Bug Reaches the Network​

RMCAST is a Windows kernel networking component associated with reliable multicast communications. Rather than establishing a separate conventional connection for every recipient, multicast technology is designed to distribute the same data efficiently to multiple systems or applications.
CVE-2026-54995 occurs when the RMCAST driver continues to use memory after that memory has been released. A carefully constructed sequence of network traffic can potentially turn that stale reference into memory corruption and, ultimately, attacker-controlled code execution.
Use-after-free flaws are dangerous in kernel-facing components because the affected code operates well below ordinary desktop applications. Successful exploitation could provide an attacker with substantial control over the compromised machine, although Microsoft’s public description does not provide a complete exploit chain or proof-of-concept code.
The 8.1 score reflects a significant complication for attackers: the CVSS vector indicates high attack complexity. That distinction matters, but it should not be treated as an effective mitigation. It means exploitation requires conditions or preparation beyond simply transmitting one malformed packet, not that exploitation is impossible or that an exposed service can safely remain unpatched.
Microsoft has not described CVE-2026-54995 as publicly disclosed or known to be exploited in active attacks at publication time. The July release nevertheless contains a second RMCAST remote code execution fix, CVE-2026-54982, underscoring that administrators should deploy the cumulative update rather than attempting to address one driver defect in isolation.

Support Spans Old Servers and Current Windows 11 Builds​

The affected-product list is broad. It includes Windows 10 releases still receiving updates through supported servicing channels, current Windows 11 versions and multiple generations of Windows Server.
Microsoft’s corrected build boundaries include:
  • Windows 11 version 24H2 and Windows 11 version 25H2 are protected at build 26100.8875 and 26200.8875, respectively.
  • Windows 11 version 26H1 is protected at build 28000.2525.
  • Windows 10 version 22H2 is protected at build 19045.7548, while version 21H2 reaches build 19044.7548.
  • Windows Server 2022 is protected at build 20348.5386.
  • Windows Server 2025 is protected at build 26100.33158.
  • Windows Server 2019 and Windows 10 version 1809 are protected at build 17763.9020.
  • Windows Server 2016 and Windows 10 version 1607 are protected at build 14393.9339.
  • Windows Server 2012 and Windows Server 2012 R2 receive fixes through their applicable extended servicing channels, including Server Core installations.
That range makes CVE-2026-54995 relevant to more than modern Windows 11 fleets. Older server installations are likely to be the more consequential targets because they may host specialist line-of-business, messaging or distribution software that makes deliberate use of multicast networking.
The affected list does not prove that every Windows machine is immediately reachable through RMCAST. Exploitation still depends on the vulnerable component being exposed to suitable traffic and on the conditions represented by the high-complexity rating. Inventory and exposure analysis can refine deployment order, but they should not replace installation of the July cumulative updates.
Administrators should also be careful when validating remediation by operating-system name alone. Windows Server 2025 and Windows 11 version 24H2 share the 26100 build family, for example, but Microsoft publishes different servicing revisions for the client and server products. Patch-management reports should compare the full edition and build number rather than treating matching base builds as equivalent.

Multicast Exposure Changes the Priority Calculation​

RMCAST is less visible than components such as Remote Desktop Services, SMB or the Windows Print Spooler. That obscurity may reduce indiscriminate Internet scanning, but it can also make enterprise exposure harder to identify because multicast-dependent applications are often deployed quietly inside controlled networks and then left unchanged for years.
Windows administrators should look for servers running software that uses Pragmatic General Multicast or other RMCAST-backed communications. Network telemetry, application documentation and service-owner interviews may reveal dependencies that ordinary vulnerability scans cannot distinguish from a merely present driver.
Segmentation matters because multicast traffic is commonly associated with a local or managed network rather than a public Internet service. A remote code execution path inside a trusted segment can still be valuable to an intruder who has compromised a workstation, VPN account, wireless network or adjacent application server. The relevant threat model is therefore not limited to anonymous attackers sending packets directly from the Internet.
Firewalls and access-control lists can reduce unnecessary traffic reaching affected hosts, particularly across workstation, server and management boundaries. Those controls are defense in depth, however, and cannot correct the driver’s memory-handling error.
Organizations unable to patch immediately should identify systems actively using RMCAST, restrict traffic to known peers and monitor for unusual multicast activity. Disabling an application or protocol dependency without testing can interrupt production workloads, so any temporary containment measure should be coordinated with the application owner.

Patch the Driver Through the July Cumulative Update​

CVE-2026-54995 is serviced through Microsoft’s July 14 cumulative Windows updates. There is no reason to search for a separate RMCAST hotfix: installing the appropriate cumulative update moves the operating system to the corrected build while also addressing the rest of the month’s Windows vulnerabilities.
That broader context is important. Zero Day Initiative’s July review counted CVE-2026-54995 alongside CVE-2026-54982 as two remote code execution flaws in the same relatively obscure driver, while Cisco Talos included both among the month’s critical Windows RCE vulnerabilities. July 2026 is an unusually large Microsoft security release, so administrators may need to divide testing by exposure and business role rather than waiting for the entire estate to clear one long validation queue.
Internet-facing identity and application servers may have other July vulnerabilities demanding even faster action, but systems with confirmed RMCAST listeners should remain near the front of the deployment schedule. A network-reachable kernel memory flaw warrants attention even when Microsoft’s scoring says exploitation is complex and no attacks have yet been reported.
After deployment, security teams should verify that endpoints have reached the applicable fixed build, not merely that Windows Update reports a successful installation. Failed reboots, supersedence errors and disconnected legacy servers can leave an apparently compliant environment running vulnerable binaries.
The immediate milestone is straightforward: install the July 14, 2026 cumulative update, reboot where required and confirm the corrected OS build. The unresolved issue is whether technical details or exploit research will later make the high-complexity attack more repeatable—exactly the kind of development that can turn an obscure multicast-driver bug into a useful lateral-movement tool.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top