CVE-2026-55010 – Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability
“An exposed game server can become an easy entry point when attackers can turn network traffic into remote code execution.”
A heap-based buffer overflow vulnerability in Minecraft Bedrock Dedicated Server allows an unauthorized attacker to execute code over a network. The flaw can be triggered by sending specially crafted network traffic to a vulnerable server, requiring no user interaction or prior privileges. Successful exploitation could allow attackers to compromise the server, disrupt gameplay, or gain control of the affected system.
CVSS Score: 9.8
SEVERITY: Critical
THREAT:
This vulnerability affects Minecraft Bedrock Dedicated Server and enables remote code execution through specially crafted network traffic. Because it requires no authentication or user interaction, internet-facing servers are at significant risk of compromise.
EXPLOITS:
The vulnerability was not publicly disclosed at the time of publication. Microsoft assesses exploitation as more likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and there is no confirmation of publicly available proof-of-concept exploit code.
TECHNICAL SUMMARY:
The vulnerability is caused by a heap-based buffer overflow (CWE-122) in Minecraft Bedrock Dedicated Server. The server does not properly validate fragmented packet data, allowing specially crafted network traffic to corrupt memory. An attacker can exploit this flaw remotely without authentication, potentially achieving arbitrary code execution with high impact to confidentiality, integrity, and availability.
EXPLOITABILITY:
The vulnerability affects Minecraft Bedrock Dedicated Server. An attacker can exploit the flaw by sending specially crafted fragmented network packets to a vulnerable server. No privileges or user interaction are required.
BUSINESS IMPACT:
Organizations and service providers hosting Minecraft Bedrock Dedicated Servers could experience complete server compromise, service disruption, unauthorized access to hosted environments, and potential use of the compromised server as a launch point for additional attacks.
WORKAROUND:
No mitigations or workarounds are available.
URGENCY:
This vulnerability should be treated as an immediate priority because it is rated Critical with a CVSS v3.1 Base Score of 9.8. The combination of network-based exploitation, no authentication, no user interaction, and the potential for full remote code execution presents a severe risk to exposed servers.
Key Details
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-122