On July 14, 2026, Microsoft released cumulative security updates that patch CVE-2026-54995, a critical remote code execution vulnerability in the Windows Reliable Multicast Transport Driver, known as RMCAST. The flaw allows an unauthenticated attacker to execute arbitrary code by sending malicious network traffic to a vulnerable system. No active exploitation has been observed, but the broad affected product range and network-based attack vector make swift patching essential, particularly for servers that rely on multicast communications.
What Actually Changed in the July 2026 Update
Microsoft’s advisory confirms a use-after-free memory error (CWE-416) in the RMCAST kernel driver. The vulnerability carries a CVSS 3.1 base score of 8.1, with a vector that denotes high attack complexity but no privileges or user interaction required. In plain terms, a remote attacker can potentially trigger the bug by sending specially crafted packets, though the exact technique is non-trivial.
The July bundle also addresses a second RMCAST remote code execution flaw, CVE-2026-54982, reinforcing the need to deploy the full cumulative update rather than chasing a single driver fix. There is no standalone hotfix; remediation arrives through the month’s regular Windows servicing channels.
Key fixed builds include:
| Product | Fixed Build |
|---|---|
| Windows 11 version 25H2 | 26200.8875 |
| Windows 11 version 24H2 | 26100.8875 |
| Windows 11 version 26H1 | 28000.2525 |
| Windows 10 version 22H2 | 19045.7548 |
| Windows 10 version 21H2 | 19044.7548 |
| Windows Server 2025 | 26100.33158 |
| Windows Server 2022 | 20348.5386 |
| Windows Server 2019 / Windows 10 1809 | 17763.9020 |
| Windows Server 2016 / Windows 10 1607 | 14393.9339 |
Windows Server 2012 and 2012 R2 receive fixes through their extended servicing programs, including Server Core installations.
What It Means for You
Home Users
Most home devices do not actively use RMCAST, but the driver exists in all supported Windows editions. Apply Windows Update as usual. The risk of direct internet-based attack is low for typical configurations, but layered best practices demand you stay current.
IT Administrators
This is a server-side emergency. RMCAST is commonly piggybacked by line-of-business applications for financial tick distribution, software deployment, or industrial control messaging. Because multicast traffic is often confined to internal networks, exploitation is less likely from random internet scanning but more valuable for lateral movement after an initial compromise. A rogue device on a trusted VLAN or a compromised VPN endpoint could send malicious packets.
Perform an inventory: identify systems with active multicast listeners using netstat, network telemetry, or application documentation. Prioritize patching servers that use Pragmatic General Multicast (PGM) or any RMCAST-dependent software. Don’t rely on OS-name matching alone; Windows Server 2025 and Windows 11 version 24H2 share the 26100 base build but have different servicing revisions. Verify full edition and build number in patch management reports.
Developers
If you maintain applications that use Microsoft’s PGM implementation, test them after the update. The driver fix should be transparent, but memory-handling changes can occasionally expose edge cases in custom multicast code.
How We Got Here
RMCAST has been a quiet, long-standing Windows networking component, overshadowed by flashier targets like SMB or RDP. Use-after-free bugs in kernel code are familiar enemies; they happen when a program continues to reference memory after it has been freed, allowing an attacker to corrupt data and hijack execution flow. What makes CVE-2026-54995 notable is its network accessibility. Most such vulnerabilities require local access, but a network-reachable kernel flaw is rare and raises the stakes substantially.
No public proof of concept exists, and Microsoft’s advisory rates the report confidence as “confirmed,” meaning the vulnerability was acknowledged by the vendor after investigation. The high attack complexity suggests a one-click, one-packet exploit is unlikely, but that shouldn’t breed complacency. Sophisticated attackers can chain conditions together, especially when targeting unpatched servers inside a breached perimeter.
What to Do Now
- Deploy the July 2026 cumulative update immediately. All supported Windows and Windows Server versions receive the fix through their regular update channel. No separate KB is needed.
- Verify the installed build. After rebooting, run
winverorsysteminfo | findstr /B /C:"OS Version"and confirm the build number matches the table above. Do not trust Windows Update history alone; sometimes reboots fail silently. - For systems you cannot patch right away:
- Audit for active RMCAST listeners usingnetstat -a -bor network monitoring tools.
- Restrict multicast traffic at firewalls to known peers only.
- Monitor for unexpected multicast packets, especially from unauthorized subnets.
- Coordinate with application owners before disabling any service that depends on multicast; a wrong step can disrupt production. - Don’t stop at CVE-2026-54995. July 2026 is an unusually large Patch Tuesday. Review the full release notes and prioritize other critical fixes based on your environment’s exposure.
Outlook
No exploitation has been detected in the wild, but that status can change once attackers reverse-engineer the update. The parallel RMCAST fix (CVE-2026-54982) hints at increasing attention on multicast attack surfaces. Organizations that treat this as a low-priority bug because of its “high complexity” label may later face an operationalized exploit capable of traversing internal networks. The defense is straightforward: apply the update, verify, and harden multicast-configured hosts.