HIGH 7.5

CVE-2026-42993: Heap-Based Buffer Overflow in Remote Desktop Client—Analysis & Patch Guidance

A heap-based buffer overflow vulnerability exists in Microsoft's Remote Desktop Client that allows attackers to execute arbitrary code on affected systems over the network. The vulnerability requires user interaction (such as clicking a malicious file or accepting a connection) and success depends on system configuration, but once exploited grants full code execution with the privileges of the logged-in user. This affects multiple versions of Windows 10, Windows 11, and Windows Server 2022–2025.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122
Affected products
16 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42993 is a heap-based buffer overflow (CWE-122) in the Remote Desktop Client component. The vulnerability exists in how the client handles specially crafted network input, failing to properly validate buffer boundaries before writing data to heap memory. An attacker can craft malicious RDP protocol messages or related network traffic that, when processed by the vulnerable client, overflow a heap buffer and overwrite adjacent memory structures. This memory corruption can be leveraged to achieve arbitrary code execution in the context of the affected user. The CVSS v3.1 score of 7.5 (HIGH) reflects network attack surface, high confidentiality and integrity impact, and the requirement for user interaction or specific system conditions to succeed (AC:H, UI:R).

Business impact

Exploitation of this vulnerability can lead to unauthorized remote code execution on Windows endpoints and servers, enabling attackers to steal sensitive data, deploy malware, establish persistent access, or disrupt operations. Organizations using Remote Desktop Protocol for remote administration or support are at elevated risk. The requirement for user interaction limits mass-worm scenarios but does not eliminate threat; targeted spear-phishing or social engineering can deliver malicious RDP connections or files. For organizations relying on RDP for hybrid or remote workforce management, timely patching is critical to prevent lateral movement and credential compromise.

Affected systems

The vulnerability affects Windows 10 (versions 21H2 and 22H2), Windows 11 (versions 23H2, 24H2, 25H2, and 26H1), Windows Server 2022, and Windows Server 2025. Home and Pro editions of client Windows are in scope, as well as Server SKUs. Any system with an active Remote Desktop Client component is potentially vulnerable; this includes machines configured for inbound RDP connections and those initiating outbound RDP sessions to remote hosts.

Exploitability

Exploitation requires network access to a vulnerable Remote Desktop Client and user interaction—typically accepting or opening a malicious RDP connection, file, or resource. The attack vector is network-based (AV:N), but attack complexity is high (AC:H), meaning the attacker must overcome environmental factors or craft the payload carefully. No public exploit code has been added to CISA's Known Exploited Vulnerabilities catalog as of the data refresh, indicating limited weaponization in the wild at this time. However, the high-impact nature (code execution) makes this an attractive target for sophisticated threat actors, and proof-of-concept development is likely once patches are released and analysis deepens.

Remediation

Microsoft has released security updates for affected Windows versions. Organizations should apply the latest cumulative updates or security patches for Windows 10, Windows 11, and Windows Server 2022–2025 as soon as practicable. Verify patch deployment through your patch management tool. In parallel, consider network segmentation to restrict RDP access to trusted administrative networks, disable RDP on non-essential systems, require multi-factor authentication for RDP logons, and monitor for suspicious RDP connection attempts and process execution anomalies.

Patch guidance

Contact Microsoft or your patch management system for the definitive patch versions and deployment timeline. Patches are expected in monthly cumulative updates (for Windows 10 and 11) and server updates. Prioritize patching servers exposed to the internet and workstations used by high-value targets (finance, HR, C-suite). Test patches in a non-production environment first to ensure compatibility with line-of-business applications, especially those using RDP for remote sessions. Organizations should verify patch completion within 30 days for externally exposed systems and 60 days for internal systems given the HIGH severity and user-interaction requirement.

Detection guidance

Monitor for failed and successful RDP connection attempts, especially from external or unusual source IPs, and alert on multiple failed logon attempts. Review Event Viewer logs (Security log, Event ID 4625 for failed logons, 4624 for successful ones) and terminal server logs for signs of compromise. Implement network-based detection rules for malformed RDP protocol traffic or suspicious payload patterns in RDP sessions. Endpoint Detection and Response (EDR) tools should flag abnormal process creation, code injection, or memory corruption signatures originating from Remote Desktop Client or explorer.exe (if RDP files are opened). Correlate RDP session logs with process execution logs to identify lateral movement post-exploitation.

Why prioritize this

HIGH severity with network attack vector and remote code execution impact demands rapid prioritization. Although user interaction is required, the attack surface is broad—any user handling RDP files or accepting connections is at risk—and the absence of current KEV listing does not guarantee absence of exploitation attempts. Given the criticality of RDP in modern IT operations, delay increases exposure window significantly.

Risk score, explained

The CVSS v3.1 score of 7.5 reflects the combination of network accessibility (AV:N), moderate attack complexity (AC:H due to environmental factors), no privileges required (PR:N), user interaction required (UI:R), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The score is elevated by the consequence of arbitrary code execution but moderated by the user-interaction prerequisite. In organizational context, actual risk depends on RDP exposure, user awareness, and compensating controls (MFA, segmentation, EDR).

Frequently asked questions

Do I need to patch immediately, or can this wait until my regular patch cycle?

For systems exposed to untrusted networks or heavy RDP usage, patching within 30 days is strongly recommended. Internal systems can be prioritized into a 60-day cycle. Do not defer indefinitely; the HIGH severity and remote code execution impact justify accelerated timelines.

What's the difference between AC:H (high attack complexity) and actual exploitability?

AC:H means the attacker must overcome specific conditions—network configuration, system state, or precise payload crafting. It does not mean the exploit is difficult to develop or that public proof-of-concepts won't emerge. Assume exploitation is feasible for resourced threat actors and plan defenses accordingly.

Is RDP disabled by default on Windows 10 and Windows 11?

Yes, RDP is disabled by default on Windows 10 and 11 client editions. However, any system where an administrator or user has explicitly enabled it, or where RDP Server role is installed on a Server SKU, is vulnerable. Review your inventory to confirm which systems actually have RDP enabled.

How does this vulnerability compare to previous RDP vulnerabilities like BlueKeep?

Like BlueKeep (CVE-2019-0708), this is a remote code execution vulnerability in RDP, but it requires user interaction rather than being wormable without authentication. It is less critical from an epidemic standpoint but still high-impact for targeted attacks. Patching discipline and network controls remain essential.

This analysis is based on the vulnerability record as of 2026-06-17 and publicly available information. Patch version numbers, vendor advisories, and specific remediation steps should be verified directly with Microsoft security bulletins. Organizations should conduct their own risk assessment and testing before applying patches. This content is for informational purposes and does not constitute legal, compliance, or specific technical advice for your environment. Always consult with your internal security and IT teams before making infrastructure changes. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).