HIGH 8.8

CVE-2026-42985: Remote Desktop Client Use-After-Free RCE Vulnerability

A use-after-free memory vulnerability exists in Microsoft's Remote Desktop Client and related Windows components. An attacker can trigger this flaw over the network by sending specially crafted packets, potentially gaining code execution on a victim's machine without requiring prior authentication. User interaction is needed for successful exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416, CWE-787
Affected products
26 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42985 is a use-after-free vulnerability (CWE-416, CWE-787) in Microsoft Remote Desktop Client and multiple Windows versions. The flaw allows an unauthenticated network attacker to corrupt memory on a target system by manipulating freed memory regions during RDP session handling. The CVSS 3.1 score of 8.8 reflects high confidentiality, integrity, and availability impact with low attack complexity and no privilege or authentication requirement. The vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates network-adjacent attack surface requiring only user interaction.

Business impact

Organizations relying on Remote Desktop Protocol for administrative access, hybrid work enablement, or server management face significant risk. Successful exploitation could grant attackers code execution with user-level privileges, enabling lateral movement, data exfiltration, or persistence establishment. The broad scope of affected Windows versions and RDP-dependent workflows amplifies exposure for enterprises without compensating controls. This is particularly acute for organizations with public-facing RDP endpoints or those lacking network segmentation.

Affected systems

The vulnerability affects Remote Desktop Client (standalone), Windows App, and numerous Windows editions including Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server variants (2012 R2, 2016, 2019, 2022, 2025). Organizations should treat all listed versions as in-scope for remediation assessment, though priority should align with asset criticality and exposure.

Exploitability

The vulnerability requires user interaction but has low attack complexity and no authentication barrier, making it moderately exploitable in realistic scenarios. An attacker must either social-engineer a user to interact with malicious RDP content or position themselves on a network path where they can intercept and modify RDP traffic. While not trivial, the combination of network accessibility and minimal prerequisites makes this a practical threat for motivated threat actors. The fact that it is not yet tracked in CISA's Known Exploited Vulnerabilities catalog does not diminish urgency, as post-patch exploitation discovery is common.

Remediation

Apply security patches released by Microsoft for CVE-2026-42985 across all affected platforms and product versions. Verify against the official Microsoft Security Update Guide for specific patch KB numbers corresponding to your Windows build. For organizations unable to patch immediately, implement network-level controls: restrict RDP access via firewall rules, disable unnecessary RDP services, enforce VPN-based RDP access only, and apply network segmentation to limit lateral movement post-compromise.

Patch guidance

Microsoft has issued updates addressing this vulnerability; consult the official Microsoft Security Update for patch version numbers, KB article IDs, and deployment timelines specific to your Windows edition. Test patches in a staging environment before broad deployment given the criticality of RDP in many environments. Priority should be given to internet-facing systems, administrative jump boxes, and systems handling sensitive data. Verify successful patching by checking system update history and validating build numbers align with the remediated version guidance provided by Microsoft.

Detection guidance

Monitor for abnormal RDP session terminations, memory-related application crashes in svchost.exe or csrss.exe (processes handling RDP), and unusual process spawning following RDP connections. Endpoint Detection and Response (EDR) tools should flag suspicious memory allocation patterns or heap corruption indicators during RDP handshake phases. Log analysis should track failed and successful RDP authentication attempts, particularly from unusual source IPs. Windows Event Viewer security logs (event ID 4625 for failed logons, 4624 for successful) and RDP-specific diagnostic logs provide forensic signals. Organizations without EDR should heighten alerting sensitivity on RDP-related system events.

Why prioritize this

An 8.8 CVSS score reflects the combination of network accessibility, no authentication requirement, high impact to confidentiality/integrity/availability, and broad Windows platform coverage. The vulnerability's presence in Remote Desktop Client—a foundational component for remote administration and hybrid work—makes it organizationally pervasive. Although not yet exploited in the wild per CISA records, the low barrier to exploitation and high value of RDP foothold access justify immediate prioritization. Organizations with internet-exposed RDP or heavy RDP dependency should treat this as critical.

Risk score, explained

The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H yields 8.8 (HIGH) because: network accessibility (AV:N) enables remote attacks; low attack complexity (AC:L) means no special conditions required; no privilege requirement (PR:N) allows any user to trigger it; user interaction (UI:R) is the only friction point; scope unchanged (S:U) means impact is confined to the vulnerable component; and high ratings for confidentiality, integrity, and availability (C:H/I:H/A:H) reflect potential for arbitrary code execution. This score correctly positions the vulnerability as a high-priority remediation target but not yet critical, pending exploitation emergence.

Frequently asked questions

Should we prioritize patching this over other pending updates?

Yes, given the 8.8 CVSS score, network accessibility, and lack of authentication requirement. This should rank in your top-tier patching queue, especially for systems exposed to untrusted networks or used for administrative functions. Balance against your organization's change management cadence to minimize production risk.

Do we need to patch if RDP is disabled or not exposed externally?

Disabling RDP or restricting network access significantly reduces risk, but patching remains prudent as a defense-in-depth measure. Insider threats, compromised internal systems, or accidental RDP exposure are realistic scenarios. Verify RDP is actually disabled across your environment rather than relying on policy alone.

What should we monitor for if we can't patch immediately?

Monitor for svchost.exe, csrss.exe, or other system process crashes tied to RDP sessions; unexpected process spawning after RDP connections; failed RDP authentication floods from suspicious IPs; and any alerts from EDR tools flagging memory corruption or heap exploitation patterns. Combine network-level RDP restrictions with enhanced logging to create compensating controls.

Is this vulnerability being actively exploited?

As of the last update, CVE-2026-42985 is not listed in CISA's Known Exploited Vulnerabilities catalog, meaning no public reports of active exploitation exist. However, this does not guarantee that attacks are not occurring or will not occur post-patch—organizations should assume exploitation will follow wider patch adoption and prepare defensive postures accordingly.

This analysis is provided for informational purposes to support security decision-making. Patch version numbers and specific KB references must be verified against official Microsoft Security Update guidance before deployment. Exploit details and weaponized proof-of-concept code are not provided. Organizations should conduct risk assessment relative to their specific environment, threat model, and asset criticality. SEC.co makes no warranty regarding completeness or real-time accuracy of this assessment. Consult your vendor security advisory and internal policy before implementing any remediation measures. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).