CVE-2026-42909: Microsoft Remote Desktop Client Race Condition Remote Code Execution
A race condition flaw in Microsoft's Remote Desktop Client and related Windows components allows an attacker to execute malicious code on a target machine over the network. The vulnerability requires the user to interact with a malicious connection or file, but once triggered, grants the attacker the same privileges as the logged-in user. This affects multiple versions of Windows 10, Windows 11, Windows Server, and the standalone Windows App, making it a broad-reaching concern across enterprise environments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-362, CWE-416, CWE-787
- Affected products
- 26 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Concurrent execution using shared resource with improper synchronization ('race condition') in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42909 is a race condition (CWE-362) in the Remote Desktop Client that creates a window of opportunity for code execution due to improper synchronization of shared resources. The flaw also involves use-after-free (CWE-416) and buffer overflow (CWE-787) mechanics, allowing an unauthenticated attacker to trigger arbitrary code execution with network access. The attack vector is network-based, but requires user interaction (such as accepting a connection prompt or opening a malicious file) and benefits from specific timing conditions, which slightly raises the complexity bar. Once exploited, the attacker gains integrity, confidentiality, and availability impacts at the privilege level of the user account running Remote Desktop Client.
Business impact
Organizations relying on Remote Desktop for administrative access, support operations, or hybrid workforce connectivity face direct operational risk. A successful exploit could lead to lateral movement within corporate networks, unauthorized access to sensitive data, system compromise, and potential deployment of ransomware or persistent backdoors. The breadth of affected Windows versions—from Windows 10 1607 through Windows 11 26h1, plus multiple Server editions—means most enterprise environments are likely exposed unless patches are applied.
Affected systems
The vulnerability affects Microsoft Remote Desktop Client and the Windows App (all versions), plus Windows 10 builds 1607, 1809, 21H2, and 22H2; all current Windows 11 releases (23H2, 24H2, 25H2, 26H1); and Windows Server 2012, 2016, 2019, 2022, and 2025. Any organization using Remote Desktop Protocol (RDP) for access management or administration should assume exposure unless running a patched version.
Exploitability
Exploitation requires network access and user interaction, positioning this as moderately exploitable rather than trivial. However, the attack surface is large: any system accepting RDP connections or running the Windows App is a potential target. An attacker would need to craft a malicious connection or file that triggers the race condition under specific timing circumstances. Once successful, no additional authentication is needed—the code runs immediately. The CVSS score of 7.5 (HIGH) reflects the serious impact potential despite the complexity and interaction requirements.
Remediation
Apply security updates released by Microsoft addressing CVE-2026-42909 to all affected Remote Desktop Client installations and Windows systems. Verify patch availability against the Microsoft Security Updates guide and your organization's patch management baseline. For Windows Server, plan updates during maintenance windows to minimize business disruption. Ensure both user-facing RDP clients and server-side RDP services are patched in parallel.
Patch guidance
Check Microsoft's Security Update Guide and vendor advisories for specific patch versions targeting each affected OS build and Remote Desktop Client release. Prioritize Windows Server systems and administrative endpoints, then extend patching to user workstations running Windows 10 or 11. Confirm patch installation by verifying the updated Remote Desktop Client version and OS build numbers post-deployment. Test patched systems in a staging environment before broad rollout to ensure compatibility with your RDP infrastructure and dependent applications.
Detection guidance
Monitor for abnormal Remote Desktop Client process behavior, including unexpected child process spawning, memory access violations, or crashes that might indicate race condition exploitation attempts. Log and analyze RDP connection attempts, particularly from external or unusual sources. Look for indicators of use-after-free or buffer overflow exploitation such as system calls with suspicious memory addresses or attempts to execute code from non-executable regions. Correlate RDP connection logs with process execution timelines on target systems.
Why prioritize this
A HIGH severity race condition in a widely-deployed remote access component warrants urgent remediation. The network attack vector, user interaction requirement, and broad OS coverage mean most enterprises are exposed. Although not yet in the KEV catalog, the combination of high impact (confidentiality, integrity, availability), moderate exploitability, and the centrality of RDP to remote administration make this a priority 1 patch candidate.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects a high-impact remote code execution vulnerability (full C/I/A) against a ubiquitous component, tempered by the need for user interaction and specific timing conditions (AC:H, UI:R). The lack of privilege escalation requirement lowers complexity slightly, but the network accessibility and broad affected product base elevate overall organizational risk substantially above the numerical score alone.
Frequently asked questions
Do I need to be an administrator to be exploited by this vulnerability?
No. An attacker exploiting this race condition executes code at the privilege level of the user running Remote Desktop Client. If that user is a standard user, the attacker gains standard user access; if they are an administrator, the attacker gains admin access. Either way, the impact is severe for targeted systems or accounts.
Does this vulnerability require the attacker to have valid RDP credentials?
No. The vulnerability is triggered through network access and user interaction (such as accepting a connection prompt or opening a file), but it does not require prior authentication. An unauthenticated attacker can craft a malicious scenario to initiate the race condition.
Is this vulnerability currently being exploited in the wild?
As of the published date, this vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog, suggesting it is not yet actively weaponized in widespread attacks. However, do not assume this provides a grace period—proof-of-concept and exploitation tools often follow public disclosure.
Can I mitigate this without patching?
Temporary mitigations include restricting RDP access to trusted networks via firewall rules, disabling Remote Desktop if not required, and using VPN with conditional access policies to limit exposure. However, these are interim measures only. Patching is the definitive fix and should be completed as soon as testing permits.
This analysis is provided for informational purposes based on publicly available vulnerability data as of the publication date. Patch availability, affected versions, and vendor guidance may change; verify all remediation steps against official Microsoft Security Updates. SEC.co does not provide legal or compliance advice. Organizations should align patching decisions with their risk management policies and testing procedures. No exploit code or weaponized proof-of-concept is included in this advisory. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42913HIGHRemote Desktop Client Race Condition Allows Network Code Execution
- CVE-2026-42836HIGHWindows Function Discovery Service Race Condition Privilege Escalation
- CVE-2026-42978HIGHWindows Push Notifications Privilege Escalation (CVSS 7.8)
- CVE-2026-42979HIGHWindows Push Notifications Privilege Escalation (Race Condition)
- CVE-2026-42985HIGHRemote Desktop Client Use-After-Free RCE Vulnerability
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)