Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network-reachable packet parsing (AV:N/AC:L/PR:N/UI:N); native-code heap RCE yields full C/I/A within the server process, no cross-system scope change (S:U).
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Heap-based buffer overflow in Minecraft Bedrock Dedicated Server allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Minecraft Bedrock Dedicated Server allows an unauthenticated network attacker to corrupt heap memory and run arbitrary code via a specially crafted packet, per CVSS:3.1/AV:N/AC:L/PR:N/UI:N (9.8 Critical). The flaw (CWE-122 heap-based buffer overflow) was reported by Microsoft, which has released a fix; there is no public exploit identified at time of analysis and no EPSS or CISA KEV data was supplied, so exploitation remains theoretical but the pre-auth, low-complexity profile makes it high-priority to patch.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to a running Minecraft Bedrock Dedicated Server instance - typically UDP 19132 exposed to the attacker - and the ability to send a crafted packet that reaches the vulnerable heap-allocated parsing routine. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8) describes a maximally severe issue: reachable over the network, low complexity, no privileges, no user interaction, with full confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker locates an internet-exposed Bedrock Dedicated Server (default UDP port 19132) and sends a crafted, oversized packet that overflows a heap buffer in the server's packet-parsing code. With no authentication or user interaction required, the corruption is steered to hijack control flow and execute attacker code in the server process, potentially compromising the host. … |
| Remediation | Apply the vendor fix: Patch available per Microsoft's advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55010 - download and deploy the latest Bedrock Dedicated Server build from Microsoft, as the exact fixed version was not specified in the supplied data and should be confirmed from the MSRC page. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Minecraft Bedrock Dedicated Servers in your infrastructure and obtain the latest patch from Microsoft's advisory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44151
GHSA-xf2v-8394-h23j