On July 14, 2026, Microsoft released cumulative security updates that patch CVE-2026-54995, a critical remote code execution vulnerability in the Windows Reliable Multicast Transport Driver, known as RMCAST. The flaw allows an unauthenticated attacker to execute arbitrary code by sending malicious network traffic to a vulnerable system. No active exploitation has been observed, but the broad affected product range and network-based attack vector make swift patching essential, particularly for servers that rely on multicast communications.

What Actually Changed in the July 2026 Update

Microsoft’s advisory confirms a use-after-free memory error (CWE-416) in the RMCAST kernel driver. The vulnerability carries a CVSS 3.1 base score of 8.1, with a vector that denotes high attack complexity but no privileges or user interaction required. In plain terms, a remote attacker can potentially trigger the bug by sending specially crafted packets, though the exact technique is non-trivial.

The July bundle also addresses a second RMCAST remote code execution flaw, CVE-2026-54982, reinforcing the need to deploy the full cumulative update rather than chasing a single driver fix. There is no standalone hotfix; remediation arrives through the month’s regular Windows servicing channels.

Key fixed builds include:

Product Fixed Build
Windows 11 version 25H2 26200.8875
Windows 11 version 24H2 26100.8875
Windows 11 version 26H1 28000.2525
Windows 10 version 22H2 19045.7548
Windows 10 version 21H2 19044.7548
Windows Server 2025 26100.33158
Windows Server 2022 20348.5386
Windows Server 2019 / Windows 10 1809 17763.9020
Windows Server 2016 / Windows 10 1607 14393.9339

Windows Server 2012 and 2012 R2 receive fixes through their extended servicing programs, including Server Core installations.

What It Means for You

Home Users

Most home devices do not actively use RMCAST, but the driver exists in all supported Windows editions. Apply Windows Update as usual. The risk of direct internet-based attack is low for typical configurations, but layered best practices demand you stay current.

IT Administrators

This is a server-side emergency. RMCAST is commonly piggybacked by line-of-business applications for financial tick distribution, software deployment, or industrial control messaging. Because multicast traffic is often confined to internal networks, exploitation is less likely from random internet scanning but more valuable for lateral movement after an initial compromise. A rogue device on a trusted VLAN or a compromised VPN endpoint could send malicious packets.

Perform an inventory: identify systems with active multicast listeners using netstat, network telemetry, or application documentation. Prioritize patching servers that use Pragmatic General Multicast (PGM) or any RMCAST-dependent software. Don’t rely on OS-name matching alone; Windows Server 2025 and Windows 11 version 24H2 share the 26100 base build but have different servicing revisions. Verify full edition and build number in patch management reports.

Developers

If you maintain applications that use Microsoft’s PGM implementation, test them after the update. The driver fix should be transparent, but memory-handling changes can occasionally expose edge cases in custom multicast code.

How We Got Here

RMCAST has been a quiet, long-standing Windows networking component, overshadowed by flashier targets like SMB or RDP. Use-after-free bugs in kernel code are familiar enemies; they happen when a program continues to reference memory after it has been freed, allowing an attacker to corrupt data and hijack execution flow. What makes CVE-2026-54995 notable is its network accessibility. Most such vulnerabilities require local access, but a network-reachable kernel flaw is rare and raises the stakes substantially.

No public proof of concept exists, and Microsoft’s advisory rates the report confidence as “confirmed,” meaning the vulnerability was acknowledged by the vendor after investigation. The high attack complexity suggests a one-click, one-packet exploit is unlikely, but that shouldn’t breed complacency. Sophisticated attackers can chain conditions together, especially when targeting unpatched servers inside a breached perimeter.

What to Do Now

  1. Deploy the July 2026 cumulative update immediately. All supported Windows and Windows Server versions receive the fix through their regular update channel. No separate KB is needed.
  2. Verify the installed build. After rebooting, run winver or systeminfo | findstr /B /C:"OS Version" and confirm the build number matches the table above. Do not trust Windows Update history alone; sometimes reboots fail silently.
  3. For systems you cannot patch right away:
    - Audit for active RMCAST listeners using netstat -a -b or network monitoring tools.
    - Restrict multicast traffic at firewalls to known peers only.
    - Monitor for unexpected multicast packets, especially from unauthorized subnets.
    - Coordinate with application owners before disabling any service that depends on multicast; a wrong step can disrupt production.
  4. Don’t stop at CVE-2026-54995. July 2026 is an unusually large Patch Tuesday. Review the full release notes and prioritize other critical fixes based on your environment’s exposure.

Outlook

No exploitation has been detected in the wild, but that status can change once attackers reverse-engineer the update. The parallel RMCAST fix (CVE-2026-54982) hints at increasing attention on multicast attack surfaces. Organizations that treat this as a low-priority bug because of its “high complexity” label may later face an operationalized exploit capable of traversing internal networks. The defense is straightforward: apply the update, verify, and harden multicast-configured hosts.