HIGH 7.5

CVE-2026-42992: Remote Desktop Client Heap Buffer Overflow RCE

A heap-based buffer overflow vulnerability exists in Microsoft Remote Desktop Client that could allow an attacker to execute malicious code on a user's machine over the network. The attack requires user interaction (such as connecting to a malicious RDP server) and involves complex conditions to exploit, but if successful would grant an attacker full control over the affected system. This is a serious flaw affecting multiple Windows versions and server platforms.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122
Affected products
23 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42992 is a heap-based buffer overflow (CWE-122) in the Remote Desktop Client component. The vulnerability exists in memory management logic that processes network-supplied data without adequate bounds checking. An attacker can craft a malicious RDP server response that triggers a heap overflow when the client processes the response, potentially corrupting heap metadata and enabling arbitrary code execution in the context of the user running the Remote Desktop Client. The CVSS 3.1 score of 7.5 (HIGH) reflects a network attack vector with high complexity and required user interaction, but with complete confidentiality, integrity, and availability impact.

Business impact

Successful exploitation could allow an attacker to execute code on user systems connecting to Remote Desktop sessions, potentially leading to data theft, malware installation, lateral network movement, or ransomware deployment. Organizations relying on Remote Desktop for administrative access or employee connectivity face elevated risk. The broad platform coverage across Windows 10, Windows 11, and Windows Server 2016–2025 means patching requirements span diverse environments. Unpatched systems remain vulnerable to targeted attacks, especially in scenarios where users connect to untrusted or compromised RDP servers.

Affected systems

The vulnerability affects Microsoft Remote Desktop Client across Windows App, Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server editions (2016, 2019, 2022, 2025). Any system running an affected Windows version with Remote Desktop Client installed is at risk, particularly those frequently used for remote administration or remote work scenarios.

Exploitability

Exploitation requires network access and user interaction—specifically, the user must initiate a Remote Desktop connection to a server controlled or compromised by the attacker. The attack complexity is rated high, meaning the attacker must overcome specific conditions (such as heap layout unpredictability or ASLR mitigations) to reliably achieve code execution. No public exploit code has been identified as of the vulnerability's disclosure, and the vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the attack is feasible with crafted RDP responses, making it a realistic concern in targeted scenarios.

Remediation

Organizations should prioritize applying vendor security updates as they become available for affected Windows versions. Until patches are deployed, mitigation strategies include restricting Remote Desktop access via network firewalls, disabling RDP on systems that do not require it, using VPN or bastion hosts to limit direct RDP exposure, and enforcing strong authentication (MFA) on Remote Desktop gateways. Users should avoid connecting to untrusted or unfamiliar RDP servers.

Patch guidance

Monitor Microsoft Security Updates and the Windows Release Health Dashboard for patches addressing CVE-2026-42992. Patches will be released for all affected Windows versions listed above. Verify patch availability and deployment through your Windows Update channels or WSUS infrastructure. Test patches in non-production environments first, given the broad affected platform list. Once patches are available, prioritize systems that expose RDP to untrusted networks or support high-value remote access scenarios.

Detection guidance

Monitor Remote Desktop traffic for anomalous RDP protocol responses or malformed packets that may trigger the buffer overflow. Endpoint detection and response (EDR) tools should flag heap corruption events, unusual process behavior following RDP connections, or unexpected code execution originating from Remote Desktop Client processes. Log and alert on RDP connections from external or suspicious IP ranges. Correlate RDP connection logs with security event logs for failed authentications or privilege escalation attempts that might indicate exploitation attempts.

Why prioritize this

This vulnerability merits immediate prioritization because it enables unauthenticated remote code execution, affects a widely-deployed and critical remote access component, impacts dozens of Windows versions, and targets systems that often have high-value data or network access. Although exploitation requires user interaction and is complex, the impact is severe and the attack surface is large. Organizations managing hybrid or remote-work infrastructure should treat this as critical.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects: (1) network attack vector—no local access required; (2) high complexity—attacker must overcome memory protections and heap state conditions; (3) required user interaction—the user must connect to a malicious RDP server; (4) unchanged scope—impact is confined to the user's system; (5) complete confidentiality, integrity, and availability impact—successful exploitation grants arbitrary code execution. The score appropriately balances the severity of impact against the constraints and preconditions needed for exploitation.

Frequently asked questions

Can an attacker exploit this without user action?

No. The vulnerability requires the user to initiate a Remote Desktop connection to a server controlled by the attacker. An attacker cannot directly trigger the flaw from the network without this user interaction step, which raises the bar for opportunistic exploitation but remains a real risk in targeted scenarios.

Does this affect Remote Desktop Protocol servers, or only clients?

This vulnerability specifically affects the Remote Desktop Client (the software used to connect to RDP servers). Compromised servers can exploit connected clients, but the flaw itself resides in the client-side software.

What should we do while waiting for patches?

Implement network-level controls: restrict RDP access via firewalls, disable RDP on non-essential systems, route RDP through VPNs or bastion hosts, and enforce multi-factor authentication on RDP gateways. These measures reduce the attack surface while patches are being developed and deployed.

How do I know if we've been affected by this vulnerability?

Review EDR and SIEM logs for heap corruption alerts, unusual process behavior tied to Remote Desktop, or unexpected code execution following RDP connections. Check Windows event logs for suspicious RDP activity. However, exploitation may leave minimal forensic traces, so network-level detection and proactive patching remain the strongest defense.

This analysis is based on vulnerability data published as of June 2026. CVSS scores, affected product lists, and patch availability are subject to change as vendors release updates and additional analysis emerges. Security teams should verify all patch versions, supported versions, and deployment timelines directly against official Microsoft Security Updates and vendor advisories before making deployment decisions. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog as of the analysis date; however, absence from KEV does not guarantee the absence of weaponized exploit development. Always conduct security testing in controlled environments and consult vendor documentation for compatibility and rollback procedures. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).