Microsoft's July 2026 Patch Tuesday delivered a fix for CVE-2026-54124, a high-severity remote code execution vulnerability in Windows Terminal. But installing the latest cumulative update for your operating system is not enough — the bug requires a separate, direct update to the Terminal application itself, bringing it to version 1.24.11321.0 or newer. Rated 7.8 on the CVSS 3.1 scale and classified as "exploitation: none" by CISA as of disclosure day, the flaw highlights the expanding attack surface of the command-line tools millions of developers and admins rely on every day.
Why This Patch Demands a Two-Pronged Update
Ordinarily, a Windows security fix arrives through a single cumulative update that touches every component serviced by the operating system. CVE-2026-54124 breaks that pattern because Windows Terminal is not exclusively bound to the Windows update pipeline. While shared console infrastructure inside Windows gets patched via the July cumulative updates, the Terminal app — often installed and updated via the Microsoft Store, GitHub releases, or WinGet — can remain vulnerable even on a fully patched OS if its own version number hasn't been bumped.
According to Microsoft's advisory, the root cause is an integer overflow or wraparound weakness, mapped to CWE-190 and CWE-122. In plain terms: a numerical value involved in calculating memory allocation or buffer sizes can be tricked into rolling over, potentially allowing an attacker to run arbitrary code in the context of the current user. The attack vector is local (AV:L), requires user interaction (UI:R), and demands no prior privileges (PR:N). Despite the "remote code execution" tag, this is not a wormable network flaw; an attacker would need to persuade a user to open a malicious file, paste crafted content, or interact with a compromised profile or script through the Terminal environment.
No workaround or mitigation setting exists. Microsoft states that the only way to close the hole is to apply the operating system update and ensure Windows Terminal reaches the fixed build.
Who Is Exposed — and Who Should Move First
The vulnerability affects a broad set of Windows editions: Windows 10 versions 21H2 and 22H2, Windows 11 versions 24H2, 25H2, and 26H1, alongside Windows Server 2022 and 2025 (including Server Core installations). Windows Terminal for Windows 10 and Windows Terminal for Windows 11 are explicitly listed as affected products.
For home and casual users: If you occasionally open Command Prompt or PowerShell, you're still vulnerable. The fix arrives via Windows Update for the OS and the Microsoft Store for the Terminal app. Your action is straightforward: check for updates in both places and let them install.
For developers, IT pros, and power users: The risk level rises. Windows Terminal has become the unified interface for PowerShell, WSL, Azure Cloud Shell, and SSH sessions. You routinely clone repositories, run scripts from colleagues or the web, and paste commands from documentation. An attacker who crafts a .terminal profile file, a malformed command-line snippet, or a corrupted text rendering could exploit the vulnerability once you interact with it. If you work with untrusted material daily, this patch should not wait.
For system administrators: Your job is twofold. First, confirm that the July 2026 cumulative update has reached every machine. Second, inventory the version of Windows Terminal across your fleet — especially on developer workstations and jump servers. Because Terminal can be installed through multiple channels, version drift is common. A machine reporting as fully patched by WSUS or Intune may still be running an outdated Terminal app pulled from GitHub months ago.
The table below lists the minimum safe build numbers for each Windows version and the corresponding KB article.
| Windows Version | Required OS Build | Knowledge Base |
|---|---|---|
| Windows 10 21H2 / 22H2 | 19044.7548 / 19045.7548 | KB5099539 |
| Windows 11 24H2 | 26100.8875 | KB5101650 |
| Windows 11 25H2 | 26200.8875 | KB5101650 |
| Windows 11 26H1 | 28000.2269 | (via Windows Update) |
| Windows Server 2022 | 20348.5386 | KB5099540 |
| Windows Server 2025 | 26100.33158 | KB5099536 |
Windows 10 caveat: Version 22H2 reached end of support on October 14, 2025. Devices receiving the July 2026 build must be enrolled in Microsoft's Extended Security Updates (ESU) program or be running Windows 10 Enterprise LTSC 2021, which maintains a separate lifecycle.
How We Got Here: Context Behind the Headline
Windows Terminal's rise from a niche open-source project to a built-in component of Windows 11 and a staple on Windows 10 systems has been rapid. It now serves as the default command-line experience for many, piping together shells, extensions, and modern features like GPU-accelerated text rendering and panes. That versatility comes with complexity: Terminal draws on legacy console host code, introduces its own rendering and parsing layers, and processes a wide range of input types.
The fixed Terminal build, 1.24.11321.0, was released on May 13, 2026 — two months before the July security disclosure. This is a common cadence for coordinated vulnerability disclosure: the patched component is already available, but the CVE is held until OS-level safeguards and broader communication are ready. Microsoft's advisory went live on July 14, and the NVD entry (with its initial CVSS score) followed. As of that date, CISA's Known Exploited Vulnerabilities catalog showed no evidence of in-the-wild exploitation, and the vulnerability was labeled "exploitation: none."
However, that label is a snapshot, not a prophecy. The absence of a public proof-of-concept or exploit code today doesn't mean one won't appear tomorrow. Security researchers often reverse-engineer patches within days, and high-severity bugs in widely used tools attract immediate attention.
Your Action Plan: Specific Steps to Secure Your Device
Follow these steps to close CVE-2026-54124 completely.
1. Update your Windows operating system
Open Settings > Windows Update, click Check for updates, and install all available patches. If you manage updates manually, download the monthly cumulative update from the Microsoft Update Catalog using the KB number from the table above. Restart your machine after installation.
You can verify your build number by running winver or checking Settings > System > About. Ensure it meets the minimum listed build for your Windows edition.
2. Update Windows Terminal to version 1.24.11321.0 or newer
Three paths lead to the fixed Terminal app:
- Microsoft Store (recommended): Open the Store, go to Downloads or Library, and click Get updates. Windows Terminal will be updated automatically if you installed it from the Store. You can also search for "Windows Terminal" and manually trigger an update.
- WinGet: Run
winget upgrade Microsoft.WindowsTerminalin an administrative command prompt. To confirm your current version, usewinget list Microsoft.WindowsTerminal. - GitHub releases: If you originally installed Terminal from a GitHub release, download and install version 1.24.11321.0 or later from the official repository. Note that manually installed packages will not auto-update; you'll need to repeat this process for future updates.
After updating, launch Terminal, open the About window (Ctrl+, then click "About"), and confirm the version reads 1.24.11321.0 or higher.
3. For IT administrators: Verify and enforce compliance
- Use your endpoint management tool (SCCM, Intune, Group Policy) to confirm that both the July 2026 cumulative update and the correct Terminal version are deployed. Some environments block Microsoft Store access or WinGet package installation via policy; ensure your software distribution system pushes the updated Terminal package to these machines.
- For Windows Server systems, remember that Server Core installations may also have Windows Terminal present if it was added manually. Include them in your scanning scope.
- Run a quick PowerShell inventory script to check Terminal versions across your fleet:
Get-AppxPackage *WindowsTerminal* | Select Name, Version
Alternatively, usewinget list Microsoft.WindowsTerminalfor each machine.
Because no workaround exists, postponing this patch is gambling that your users will never encounter a crafted malicious file or profile — a bet few security teams would endorse.
What to Watch Next
The immediate next signal is whether Microsoft revises the advisory to include additional technical details, a public acknowledgment of external discovery, or a shift in the exploitation index. A published proof-of-concept would raise the urgency for any organization still unpatched. For now, the guidance is straightforward: treat this as a standard Patch Tuesday item, but give it priority on developer and administrator machines where Terminal is a daily tool. The July updates have closed a dangerous door; make sure it's locked on every system you manage.