HIGH 7.5

CVE-2026-42913: Remote Desktop Client Race Condition Allows Network Code Execution

A race condition flaw in Remote Desktop Client allows an attacker to execute arbitrary code on a Windows system by exploiting a window between when two processes access shared resources without proper locking. The attack requires network access and user interaction (such as establishing an RDP session), but successfully exploiting it grants full code execution with the privileges of the Remote Desktop Client process. This affects multiple Windows 11 versions and Windows Server 2022/2025.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-362, CWE-416, CWE-787
Affected products
11 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Concurrent execution using shared resource with improper synchronization ('race condition') in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42913 is a concurrent execution vulnerability (CWE-362: race condition) that chains with potential use-after-free (CWE-416) and buffer overflow (CWE-787) conditions in the Remote Desktop Client. The vulnerability arises from improper synchronization when multiple threads access a shared resource, creating a narrow but exploitable timing window. An unauthenticated attacker can send specially crafted packets over the network to trigger the race condition. The CVSS 3.1 score of 7.5 (HIGH) reflects a network vector with high complexity, no privilege requirement, and user interaction—coupled with complete confidentiality, integrity, and availability impact.

Business impact

RDP is a critical remote access channel for enterprise support and hybrid work environments. Successful exploitation enables direct code execution on Windows systems without requiring valid credentials, making this a lateral movement or initial access risk in networked environments. Organizations relying on RDP for desktop support or remote administration face potential system compromise. The requirement for user interaction (initiating an RDP session) moderates but does not eliminate risk, particularly where attackers can socially engineer or spear-phish users into connecting to compromised or attacker-controlled RDP endpoints.

Affected systems

The vulnerability affects Microsoft Remote Desktop Client and the following Windows platforms: Windows 11 versions 23H2, 24H2, 25H2, and 26H1, as well as Windows Server 2022 and Windows Server 2025. Organizations running RDP services, whether for remote desktop access or as part of terminal services infrastructure, should treat all listed versions as in-scope for vulnerability assessment and patching.

Exploitability

The flaw requires network access and user interaction, which elevates the barrier compared to purely local or unauthenticated remote attacks. However, it does not require the attacker to possess valid credentials or elevated privileges beforehand. The high complexity factor (AC:H in the CVSS vector) indicates the race condition is difficult to trigger reliably, but sophisticated attackers with timing control over network traffic can craft payloads to exploit the synchronization gap. The vulnerability has not been designated as known exploited vulnerability (KEV) as of the last update, but organizations should assume adversary interest given RDP's prevalence and criticality.

Remediation

Apply security updates released by Microsoft addressing CVE-2026-42913 to all affected Windows and Remote Desktop Client installations. Verify patch applicability against your inventory of Windows 11 and Windows Server versions. In parallel, implement network-level defenses: restrict RDP exposure using firewall rules, require VPN or network segmentation for RDP access, enforce multi-factor authentication on RDP gateways, and deploy Network Level Authentication (NLA) where supported to add an additional authentication layer before the client fully initializes the RDP session.

Patch guidance

Monitor Microsoft's official security advisory for CVE-2026-42913 to confirm patch version numbers and KB article references specific to your Windows release (23H2, 24H2, 25H2, 26H1, Server 2022, or Server 2025). Microsoft typically releases patches on its monthly Patch Tuesday, and cumulative updates may bundle multiple fixes. Test patches in a non-production environment to ensure compatibility with your RDP deployments and any custom Remote Desktop extensions before broad rollout. Prioritize server infrastructure and frequently-accessed workstations that handle sensitive RDP sessions.

Detection guidance

Look for network anomalies consistent with RDP exploitation attempts: rapid or malformed RDP handshake sequences, unusual packet timing patterns during the connection phase, or failed RDP session initiation followed by suspicious process creation on the targeted system. Monitor system logs for unexpected code execution originating from the Remote Desktop Client process (mstsc.exe or related services). Endpoint Detection and Response (EDR) tools configured to alert on code execution from RDP-related processes or unusual memory access patterns in the RDP subsystem may detect post-exploitation activity. Network-based IDS/IPS rules targeting RDP race condition patterns may be available from security vendors once exploit code analysis is published.

Why prioritize this

This vulnerability merits HIGH priority due to its network accessibility, high impact (full code execution), and broad footprint across consumer and enterprise Windows versions and servers. Although the attack complexity is high and user interaction is required, RDP is ubiquitous in enterprise networks, making the attack surface substantial. The absence of KEV designation suggests active exploitation may not yet be widespread, but the relative ease of weaponization once the race condition is understood justifies rapid patching. Delay increases risk of incorporation into targeted or commodity exploit kits.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) balances multiple factors: network attack vector and no privilege requirement push severity upward, but high attack complexity and user interaction requirement moderate it. The confidentiality, integrity, and availability impacts are all rated 'high,' indicating complete system compromise is possible upon successful exploitation. For most enterprises, the presence of RDP across critical infrastructure and remote access points translates this score into a concrete, material risk requiring timely action.

Frequently asked questions

Does this vulnerability allow unauthenticated remote code execution?

The vulnerability enables unauthenticated network-level exploitation, but it does require user interaction—specifically, a user initiating an RDP session or the attacker controlling the RDP endpoint to trigger the race condition. It is not 'zero-click' remote code execution, but it does not require the attacker to possess valid RDP credentials.

Is this vulnerability being actively exploited?

As of the last update, CVE-2026-42913 has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the lack of KEV designation does not guarantee the absence of targeted exploitation; it reflects publicly known and documented active exploitation. Organizations should assume research and private exploit development are underway.

Can Network Level Authentication (NLA) prevent exploitation?

NLA adds an additional authentication challenge before the full RDP client initializes, which may reduce the exposure window for some race condition scenarios. However, NLA is not a substitute for patching. Organizations should deploy NLA as a defense-in-depth layer while prioritizing security updates.

Which Windows 11 versions are affected?

All current Windows 11 servicing channels are in scope: 23H2 (IoT), 24H2 (current stable release), 25H2, and 26H1. Additionally, Windows Server 2022 and Server 2025 are affected. Consult Microsoft's advisory to confirm end-of-support dates for each version and plan upgrades accordingly if you are still running unsupported releases.

This analysis is based on vendor advisory data and CVSS scoring as of the publication date. Patch availability, exploit code maturity, and threat actor adoption may evolve. Organizations should verify all patch versions and KB article numbers directly against Microsoft's official security advisories before deployment. This document does not constitute legal or compliance advice and should be supplemented with your organization's vulnerability management policies and risk assessment frameworks. SEC.co makes no warranty regarding exploit reliability or real-world attack prevalence. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).