CVE-2026-54995 – Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

CVSS 8.1 IMPORTANT Critical or Zero Day – Immediate Deployment

“A remote flaw in a low-level Windows driver can turn network access into complete system compromise.”

A use-after-free vulnerability in the Windows Reliable Multicast Transport Driver allows an unauthorized attacker to execute code over a network. The attack requires no privileges or user interaction, but successful exploitation depends on additional conditions because the attack complexity is high. If exploited, the flaw could allow arbitrary code execution with serious impact to confidentiality, integrity, and availability.

CVSS Score: 8.1

SEVERITY: Critical

THREAT:
This vulnerability affects the Windows Reliable Multicast Transport Driver and could allow an attacker to execute arbitrary code remotely. Because no authentication or user interaction is required, a successful attack could compromise a vulnerable Windows system without action from the target user.

EXPLOITS:
The vulnerability was not publicly disclosed at the time of publication. Microsoft assesses exploitation as unlikely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the available information does not confirm the existence of publicly available proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by a use-after-free condition (CWE-416) in the Windows Reliable Multicast Transport Driver. The flaw can occur when the driver accesses memory after it has already been released, creating memory corruption conditions that may allow arbitrary code execution. The attack is network-based, requires no privileges or user interaction, and has high attack complexity. Successful exploitation could result in high impact to confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected products include supported editions of Windows 10 versions 1607, 1809, 21H2, and 22H2, Windows 11 versions 24H2, 25H2, and 26H1, and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, including affected Server Core installations. Exploitation can occur over a network and requires no user interaction or prior privileges, but additional conditions are needed because the attack complexity is high.

BUSINESS IMPACT:
Successful exploitation could allow attackers to run malicious code, steal sensitive information, modify systems, disrupt services, or use the compromised device as a foothold for broader attacks. The wide range of affected Windows desktop and server platforms increases the potential operational impact.

WORKAROUND:
No mitigations or workarounds are available.

URGENCY:
This vulnerability should be treated as a high priority because it is rated Critical with a CVSS v3.1 Base Score of 8.1. Although exploitation is considered unlikely and requires complex conditions, the lack of required privileges or user interaction means a successful attack could have severe consequences.

Key Details

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
CWE Classification
CWE-416
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.