CVE-2026-42908: Windows RDP Out-of-Bounds Read Information Disclosure
A flaw in Windows Remote Desktop Protocol (RDP) allows an attacker on the network to read memory from the RDP service without authentication, potentially exposing sensitive information. The vulnerability requires no user interaction and can be exploited remotely by anyone with network access to an affected system running RDP. This is a confidentiality risk—the attacker cannot modify data or disrupt service, but unauthorized disclosure of system or user data is possible.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 25 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42908 is an out-of-bounds read vulnerability in the Windows RDP implementation, classified under CWE-125 (Out-of-bounds Read). The flaw permits remote, unauthenticated attackers to access memory beyond intended buffer boundaries, disclosing information over the network. The attack vector is network-based with low complexity, requires no privileges or user interaction, and impacts the confidentiality of the target system. The CVSS 3.1 score of 7.5 (HIGH) reflects high confidentiality impact with no integrity or availability impact.
Business impact
Organizations relying on RDP for remote administration or Terminal Services face elevated risk of data exfiltration. Exposed information could include credentials, session data, configuration details, or other sensitive memory contents. While service availability is not affected, the loss of confidentiality can facilitate further compromise, credential harvesting, or compliance violations if personal or regulated data is disclosed. Attackers on the same network segment (or with routing/VPN access to the RDP service port) can exploit this without authentication.
Affected systems
The vulnerability affects Windows RDP across multiple versions: Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2, 26H1), Windows Server 2012, 2016, 2019, 2022, and 2025, as well as the Windows App client. Both client and server components are in scope. Organizations running any of these versions with RDP enabled are potentially affected.
Exploitability
Exploitability is straightforward: the vulnerability is remotely triggerable over the network without authentication, user interaction, or elevated privileges. An attacker with network access to TCP port 3389 (RDP default) or any configured RDP endpoint can attempt exploitation. No special tools or advanced techniques are required. The attack is practical and does not depend on unusual system configurations.
Remediation
Microsoft security updates addressing this vulnerability should be applied to all affected systems. Organizations should consult the official Microsoft Security Update Guide and vendor advisories for specific patch versions and deployment timelines. Interim mitigations include restricting RDP access via firewall rules (limiting exposure to trusted networks only), disabling RDP on systems that do not require remote access, and deploying network segmentation to isolate RDP services from untrusted segments.
Patch guidance
Monitor Microsoft's official security advisories and WSUS for patch availability targeting this CVE. Organizations should establish a testing and deployment schedule prioritizing servers and endpoints with public or high-risk RDP exposure. Verify patch application across all affected Windows versions in your environment, including domain controllers, terminal servers, and administrative endpoints. Consider staged rollout to critical systems first, followed by broader deployment.
Detection guidance
Network-based detection should focus on RDP traffic anomalies: unusual patterns to port 3389, failed or malformed RDP handshakes, and repeated connection attempts from suspicious sources. Host-based indicators include RDP service crashes, unexpected memory access patterns, or diagnostic logs from the Remote Desktop Session Host. Endpoint Detection and Response (EDR) solutions should monitor for abnormal RDP process behavior and memory access. Log aggregation and SIEM rules tuned to RDP events can help identify exploitation attempts.
Why prioritize this
This vulnerability merits urgent attention because it is remotely exploitable, requires no authentication, and affects RDP—a widely used remote administration service in enterprise environments. The HIGH CVSS score and broad platform coverage (Windows 10, 11, and multiple Server versions) increase organizational risk. Although not yet tracked in the KEV catalog, the ease of exploitation and potential for information disclosure make proactive patching essential. Organizations with exposed RDP endpoints should prioritize this above vulnerabilities with lower exploitability or narrower impact.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects the confluence of remote network attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and high confidentiality impact (C:H). The lack of integrity or availability impact prevents a CRITICAL rating, but the ease of exploitation and information disclosure capability justify the HIGH severity. Real-world risk is amplified by RDP's prevalence and the frequency with which it is exposed to untrusted networks.
Frequently asked questions
Does this vulnerability allow code execution or service disruption?
No. The out-of-bounds read permits only information disclosure—attackers can read memory but cannot execute arbitrary code, modify system state, or crash the RDP service. Confidentiality impact is high; integrity and availability are unaffected.
Does this vulnerability require authentication to exploit?
No. The vulnerability is unauthenticated; an attacker on the network can trigger it without valid RDP credentials.
What information could be disclosed?
Potentially sensitive data resident in RDP process memory, including session tokens, cached credentials, configuration details, or data from other users' sessions. The exact scope depends on memory layout and what is in-scope at the time of exploitation.
What is the difference between Windows RDP server and the Windows App client?
Windows RDP Server is the remote desktop service that accepts incoming connections; the Windows App client is the remote desktop application used to connect to RDP servers. Both are vulnerable and should be patched.
This analysis is based on publicly available vulnerability data as of the publication date. Specific patch versions, availability timelines, and vendor-supplied mitigation details should be verified against official Microsoft Security Updates and advisories. Exploit code is not provided. Organizations should assess their own network architecture, RDP exposure, and risk tolerance to determine remediation urgency. SEC.co recommends validating all patches in a test environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-11077HIGHChrome Dawn Graphics Vulnerability – Sandbox Escape Risk
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11111HIGHChrome Out-of-Bounds Read in ANGLE Graphics Engine — Patch Guidance
- CVE-2026-11191HIGHOut-of-Bounds Memory Access in Chrome ANGLE Library