CVE-2026-55010: Update Minecraft Bedrock Server to Stop RCE

CVE-2026-55010 exposes Minecraft Bedrock Dedicated Server to unauthenticated remote code execution through a heap-based buffer overflow, earning Microsoft’s critical CVSS 3.1 score of 9.8. Administrators running internet-accessible Bedrock servers should treat the July 14, 2026 disclosure as an urgent update-and-containment event, even though Microsoft has not publicly documented the affected or fixed version numbers.
Detailed in the Microsoft Security Response Center’s Security Update Guide, the flaw allows an unauthorized attacker to execute code over a network. Its CVSS vector specifies a network-reachable attack requiring low complexity, no privileges, and no user interaction, with potentially high impact to confidentiality, integrity, and availability.
The National Vulnerability Database received the Microsoft-issued record on July 14 but was still awaiting its own enrichment as of July 15. The public CVE data identifies the weakness as CWE-122, a heap-based buffer overflow, while providing no technical trigger, proof-of-concept code, or version range.

Pixel-art cybersecurity scene with a fortified server castle, glowing shields, warning symbols, hackers, and red cyber threats.A Player Connection Could Become a Host Compromise​

Bedrock Dedicated Server is the standalone software used to host persistent Minecraft: Bedrock Edition worlds on Windows and Linux. The Windows package supports Windows 10 and Windows Server 2016 or later, according to Minecraft’s official server download page, making the issue directly relevant to home hosts, community operators, schools, gaming providers, and businesses running private collaboration environments.
A heap-based buffer overflow occurs when software writes more data into an allocated region of heap memory than that region can hold. The resulting memory corruption may crash the process, but under suitable conditions it can also redirect execution into attacker-controlled code.
Microsoft’s severity vector describes the most dangerous practical combination: remote exploitation without authentication or player interaction. An attacker would not need an operator account, console access, or cooperation from someone already connected to the server. The vulnerable network-facing code could reportedly be reached by sending traffic to the server, although Microsoft has not disclosed the packet format or affected protocol handler.
Successful exploitation would run code in the security context of the Bedrock server process. The real damage therefore depends on how the service is deployed. A server running under a restricted account inside an isolated container presents a smaller blast radius than bedrock_server.exe running interactively under an administrator account with access to unrelated files and network resources.
The CVSS assessment assumes high impact across all three core security properties. An attacker could potentially read server data and accessible secrets, alter worlds or configuration, install persistent tooling, pivot toward other systems, or stop the service entirely. Those outcomes are possibilities implied by arbitrary code execution, not confirmed observations from a published exploit.

The Advisory Leaves Administrators Without a Version Boundary​

The most consequential omission is the absence of an affected-version table. Microsoft’s CVE record names Minecraft Bedrock Dedicated Server as the affected product but uses an unspecified version value, giving operators no reliable way to determine whether a particular 1.26.x or earlier installation is vulnerable.
There is also no publicly documented minimum safe build in the available CVE data. That prevents administrators from verifying remediation through a simple package inventory or file-version check. It also makes historical or pinned deployments difficult to assess without additional guidance from Microsoft or Mojang.
For now, operators should obtain the newest production Bedrock Dedicated Server package directly from Minecraft’s official download channel and compare it with the deployed binary. Because the server is distributed separately from the Minecraft client, updating Windows through Microsoft Update or installing the newest Bedrock client does not by itself establish that the dedicated server has been replaced.
A careful upgrade should preserve the existing world, configuration, permissions, and allow-list data before the server package is changed. Administrators should test the replacement against add-ons, behavior packs, scripts, and external management tools rather than copying a new executable blindly into production.
Microsoft may update the Security Update Guide with corrected-version information after the initial disclosure. Until that happens, “latest available” is safer than an assumed fixed version, but it is not as auditable as a vendor-confirmed build boundary.

Exposure Matters More Than Server Popularity​

The default Bedrock server port is UDP 19132, although administrators can configure alternatives and may expose additional networking paths through hosting platforms, tunnels, or reverse-proxy services. Moving the service to a nonstandard port is not a security fix; it only reduces indiscriminate scanning and does not stop a targeted attacker.
Operators should first identify every Bedrock Dedicated Server instance and determine whether it accepts traffic from the public internet. That inventory needs to include cloud virtual machines, home-lab hosts, rented game servers, forgotten test environments, and containers whose ports are published by orchestration configuration.
Where an immediate update cannot be confirmed, practical interim measures include:
  • Restricting inbound server traffic to known player addresses through a host or perimeter firewall reduces exposure, although it may be impractical for players with changing addresses.
  • Removing public port forwarding until the server can be updated provides stronger protection than relying on Minecraft’s allow list.
  • Running the service under a dedicated, unprivileged operating-system account limits what successful server-level code execution can immediately access.
  • Isolating the host from administrative networks, file shares, backup infrastructure, and domain resources reduces opportunities for lateral movement.
  • Preserving server logs and network telemetry may help identify suspicious connection attempts if Microsoft later publishes indicators or exploit details.
Minecraft access controls should not be mistaken for a complete mitigation. An application allow list usually governs which players may enter a world after the network exchange has begun. If the vulnerable code is reached before authentication or authorization completes, rejecting an unapproved username may occur too late.
Windows administrators should also review the account launching bedrock_server.exe, its filesystem permissions, and any secrets stored alongside scripts or management utilities. A game server does not need access to user documents, software deployment shares, domain credentials, or broad write permissions across the host.

There Is No Public Evidence of Active Exploitation Yet​

CISA’s initial Stakeholder-Specific Vulnerability Categorization data marked exploitation as “none” while assessing the vulnerability as automatable with total technical impact. That means there was no public evidence of exploitation attached to the record at the time of publication; it does not prove that exploitation is impossible or that private research has not begun.
No public proof of concept was identified in the initial disclosures, and the NVD record contained only Microsoft’s short description and scoring data. The lack of technical details lowers immediate confidence about how an exploit would work, but Microsoft’s acknowledgement and assignment of CWE-122 provide high confidence that the underlying vulnerability exists.
The combination of network access, low stated complexity, no authentication, and no user interaction makes CVE-2026-55010 attractive for further research. Once packet-level details or a patched-versus-unpatched binary comparison becomes available, the time required to construct a working exploit could shrink substantially.
Administrators should therefore avoid waiting for reports of attacks before acting. Public exploitation status is a lagging indicator, particularly for internet-facing services that may be scanned automatically and compromised without producing an obvious in-game symptom.
The next critical milestone is a Microsoft or Mojang update naming the affected and corrected Bedrock Dedicated Server builds. Until that version boundary appears, operators should deploy the newest official server package, minimize network exposure, and run the service as though a malformed connection could cross the line from a crashed Minecraft world to control of the underlying Windows or Linux host.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: minecraft.net
  3. Related coverage: feedback.minecraft.net
  4. Related coverage: help.minecraft.net
  5. Related coverage: edusupport.minecraft.net
 

Back
Top