A new CVE-2026-59117 appeared on Microsoft’s Security Response Center on July 16, 2026, labeled “Windows Terminal Remote Code Execution Vulnerability” — but the advisory arrived without the technical details needed to act on it. The listing surfaced just two days after the July 14 Patch Tuesday updates patched a separate, fully documented Windows Terminal RCE (CVE-2026-54124), leaving IT teams wondering whether they’re looking at a fresh threat, a duplicate entry, or an incomplete disclosure.
What the New Advisory Actually Contains
The CVE-2026-59117 page on MSRC is sparse. As of this writing, it displays only a boilerplate description of the “confidence” metric Microsoft uses to gauge the credibility and existence of a vulnerability, with no CVSS score, no affected product version list, no exploit status, and no reference to a knowledge base article or security update. The snippet reads: “This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.” It’s a placeholder, not a detailed advisory.
That confidence metric is a standard part of Microsoft’s vulnerability disclosure framework, meant to indicate how certain the vendor is that a bug is real and the technical information is reliable. A placeholder-only page typically means the entry is in its earliest stage — reserved but not yet populated with technical specifics. No other public database, including the National Vulnerability Database, carries a record for CVE-2026-59117. No independent threat intelligence report has corroborated its scope or severity. The advisory exists only as a CVE number and a title, a ghost entry that sets off vulnerability scanners but offers no fix.
The Confirmed Patch: CVE-2026-54124
On July 14, 2026, Microsoft released its monthly security updates, and among them was CVE-2026-54124, an integer-overflow or wraparound weakness in Windows Terminal. The National Vulnerability Database assigned it a CVSS 3.1 score of 7.8 (High), noting that exploitation requires local access and user interaction but no prior privileges. An attacker would need to trick a user into opening a specially crafted file or connecting to a malicious resource — a scenario far less urgent than an unauthenticated network worm. The Zero Day Initiative categorized the flaw as “Important,” not “Critical,” and CISA’s Stakeholder-Specific Vulnerability Categorization marked it as non-automated and not currently exploited.
The fix arrived in two forms: a standalone Windows Terminal update (version 1.24.11321.0 or later) and cumulative operating system updates that bump OS builds to the following or higher:
| Operating System | Minimum Patched Build |
|---|---|
| Windows 10 21H2 | 19044.7548 |
| Windows 10 22H2 | 19045.7548 |
| Windows 11 24H2 | 26100.8875 |
| Windows 11 25H2 | 26200.8875 |
| Windows 11 26H1 | 28000.2269 |
| Windows Server 2022 | 20348.5386 |
| Windows Server 2025 | 26100.33158 |
If your machines have these builds or later, you’re protected against CVE-2026-54124. The same Terminal app version applies across all supported platforms: 1.24.11321.0 or higher.
What This Means for You
For home users, the risk is minimal. Windows Terminal is not an internet-facing service, and any exploitation of either CVE would require local, user-mediated interaction. If you’ve installed the July 2026 Windows updates, you already have the fix for the known RCE. The unverified CVE-2026-59117 doesn’t introduce any new attack surface until Microsoft confirms details; don’t lose sleep over it.
For system administrators and security teams, the situation is trickier. The immediate priority is to verify that the July 14 patches are in place. Use the build numbers above to check through your endpoint management platform. But resist the urge to treat CVE-2026-59117 as an emergency. Without a CVSS score, you can’t set a meaningful SLA. Without affected product versions, you can’t scope impact. And without confirmation of exploitation, you can’t justify disrupting operations. Chasing a ghost CVE can lead to wasted effort and, worse, mistakenly closing a finding that might later prove to be a separate, genuine vulnerability.
Developers who rely on Windows Terminal in their workflows face a similar low-risk scenario. The primary threat vector — tricking a user into connecting to a malicious host or opening a crafted file — is not unique to Terminal, and standard security hygiene (not opening untrusted links, keeping software updated) mitigates it effectively. Ensure your Terminal is updated to version 1.24.11321.0 through the Microsoft Store or your enterprise deployment mechanism.
How We Got Here
Microsoft’s July 2026 Patch Tuesday landed on the 14th, closing out a batch of vulnerabilities, with CVE-2026-54124 among them. The advisory for that fix was complete: CVSS vector, affected software list, patch references, and even third-party analysis from ZDI. Two days later, on July 16, the MSRC page for CVE-2026-59117 went live — but only as a placeholder. It’s not unprecedented for Microsoft to publish a CVE with limited initial information and backfill the details later, but the timing and conflicting signals make this case stand out.
One plausible explanation: CVE-2026-59117 could be a late-reserved identifier that Microsoft mistakenly published ahead of a final advisory. It shares its product name and impact category with the July 14 fix, but the CVE number is far apart (59117 vs. 54124), hinting it might have been reserved in a different block. It’s also possible that the entry is a duplicate or a false entry that slipped through, though Microsoft rarely makes such overt errors.
History shows that Windows Terminal RCEs aren’t rare. CVE-2022-44702, patched in 2022, was another “Windows Terminal Remote Code Execution Vulnerability” that required local, user-interaction-based exploitation. The repetitive titles have tripped up tools before, and with two similar entries in the same week, misinterpretation is practically guaranteed. Microsoft’s advisory for CVE-2026-54124 explicitly listed affected Terminal builds earlier than 1.24.11321.0, but no such mapping exists for the new entry, further muddying the waters.
What to Do Right Now
- Patch the known vulnerability. If you haven’t deployed the July 14, 2026 cumulative updates or updated Windows Terminal to version 1.24.11321.0, do so immediately. This covers CVE-2026-54124. Use the build check table above to confirm.
- Separate the two CVEs in your tracking systems. Do not merge CVE-2026-59117 with CVE-2026-54124, despite the identical titles. Preserve the exact identifier. If your endpoint protection or vulnerability scanner is reporting on CVE-2026-59117, verify whether it’s using the title or the CVE number as the primary key. If it’s purely title-based, consider creating an override rule to suppress false flags until Microsoft issues a full advisory.
- Check for independent corroboration. Keep an eye on the MSRC page for the eventual CVSS vector, affected software list, and update references. Monitor the National Vulnerability Database for a matching entry. If scanners begin associating a specific Windows Terminal version with this CVE, that will be the first credible sign of a distinct, patched vulnerability.
- Don’t write detection logic or declare exposure yet. Without technical details, any detection rule would be speculative. Don’t assign a CVSS score or SLA based on the title alone. Treat CVE-2026-59117 as “under investigation” in your governance process.
- Prepare for a potential out-of-band advisory. While there’s no evidence of in-the-wild exploitation, Microsoft could issue an emergency update if they later confirm a serious flaw. Stay subscribed to MSRC notifications.
Outlook
Microsoft will almost certainly update the CVE-2026-59117 page with actual vulnerability details. When that happens, we’ll learn whether it’s a distinct bug that requires a new patch, a late duplicate of CVE-2026-54124, or perhaps a vulnerability in a different component wrongly attributed to Terminal. Until then, the July 14 patch remains your only evidence-based defense. The next Patch Tuesday is a month away, so if this turns out to be a real zero-day, we’ll likely see an out-of-band release.
For now, treat CVE-2026-59117 as a curiosity that demands patience, not panic. The real work was done on July 14 — make sure that patch sticks.