CVE-2026-54999
Windows TCP/IP Remote Code Execution Vulnerability
Description
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over an adjacent network.
In plain language
AI Act nowThis is a Windows TCP/IP bug that can let someone on the same local network remotely run malicious code without needing a login, so a typical small business should act quickly to update if you run any affected Windows versions.
CVE-2026-54999 is a race condition in Windows TCP/IP that can enable remote code execution from an adjacent network without authentication or user interaction; attackers trigger the bug via concurrent handling of TCP/IP-related operations.
What to do now
- Check whether your organization runs one of these: windows 10, windows 11, windows server 2012, windows server 2012 r2, windows server 2016, windows server 2019, windows server 2022, windows server 2025.
- For each affected machine, identify its current Windows build/version (System → About, or using your IT management tool).
- Update each system to the fixed version for its edition:
- windows 10 → update to 10.0.14393.9339, or 10.0.17763.9020, or 10.0.19044.7548, or 10.0.19045.7548
- windows 11 → update to 10.0.26100.8875, or 10.0.26200.8875, or 10.0.28000.2525
- windows server 2012 → update to 6.2.9200.26226
- windows server 2012 r2 → update to 6.3.9600.23291
- windows server 2016 → update to 10.0.14393.9339
- windows server 2019 → update to 10.0.17763.9020
- windows server 2022 → update to 10.0.20348.5386
- If you cannot patch immediately, restrict network reachability between workstations/servers (especially on the “adjacent network”) by tightening internal firewall/VLAN rules until updates are applied.
CVSS Vector Breakdown
AV:AAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
1 techniqueReferences
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Hereen·SANS Internet Storm Center·
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-daysen-us·BleepingComputer·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-54999 and every CVE in our database. Create a free account — no credit card required.
Create Free Account