CVE-2026-44801: Remote Desktop Client Use-After-Free Code Execution Vulnerability
A use-after-free vulnerability in Microsoft's Remote Desktop Client and Windows versions allows an attacker to execute code on your computer over the network. The flaw requires user interaction (such as clicking a link or opening a file) and specific system conditions, but once triggered, grants full control of the affected machine. This affects Remote Desktop Client, Windows App, and multiple Windows 10, 11, and Server editions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416, CWE-787
- Affected products
- 26 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-44801 is a use-after-free memory corruption vulnerability (CWE-416, CWE-787) in the Remote Desktop Client stack. The vulnerability arises when a memory object is freed but subsequently referenced, allowing an unauthenticated network attacker to corrupt process memory and redirect execution flow. The attack vector is network-based (AV:N), requires high complexity conditions (AC:H) to reliably exploit, depends on user interaction (UI:R), and impacts the local system only (S:U). Successful exploitation results in arbitrary code execution with the privileges of the user running the RDP client.
Business impact
This vulnerability poses a significant risk to organizations relying on Remote Desktop Protocol for remote workforce access, helpdesk operations, or server administration. Exploitation could lead to lateral movement within your network, credential theft, ransomware deployment, or persistent backdoor installation. The broad product footprint—spanning multiple Windows versions and the cross-platform Windows App—means many enterprises face exposure. Organizations using RDP as a primary remote access mechanism should treat this as a priority remediation item.
Affected systems
Microsoft Remote Desktop Client, Windows App, Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2012, 2016, 2019, 2022, and 2025. Organizations running legacy Windows 10 versions or all currently supported Windows 11 editions are in scope. Server environments hosting RDP gateways or using RDP for administrative access are particularly affected.
Exploitability
The vulnerability requires network access and user interaction, lowering real-world exploitability compared to wormable flaws. An attacker must craft a malicious RDP connection or trigger the vulnerable code path through user action. However, the attack does not require authentication (PR:N), meaning any network-connected attacker can attempt exploitation. The complexity rating suggests reliably triggering the use-after-free requires specific timing or system state conditions, but this does not eliminate risk—determined actors often succeed after reconnaissance. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog, but this may reflect early disclosure status rather than absence of active exploitation.
Remediation
Apply security updates from Microsoft as soon as they become available for your Windows version and Remote Desktop Client installation. Microsoft typically releases patches via Windows Update or WSUS. Organizations should verify patch availability through the official Microsoft Security Update Guide and confirm successful deployment across all affected systems. Interim mitigation includes restricting RDP access via firewall rules, disabling RDP where not needed, using network segmentation, and enforcing VPN-based access for remote users rather than direct RDP exposure.
Patch guidance
Consult Microsoft's official security advisory and the Security Update Guide (microsoft.com/msrc) for specific patch version numbers and deployment instructions for your Windows edition. Test patches in a non-production environment first, especially on critical servers. For Windows 10 and 11, patches deploy through Windows Update; administrators should verify auto-update is enabled or manually trigger scanning. For Windows Server, use WSUS, System Center Configuration Manager, or manual download from the Microsoft Update Catalog. Organizations with extended support contracts should prioritize systems running Windows Server 2012 and Windows 10 1607, as these older versions may receive accelerated patching.
Detection guidance
Monitor for anomalous RDP session activity, including unexpected connections from external IPs, failed authentication attempts, and sessions from unusual geographic locations. Network detection should include examination of RDP traffic (port 3389) for suspicious patterns or known exploit signatures once details emerge. Endpoint detection should focus on Remote Desktop Client crashes or unexpected memory access violations, process injection into RDP-related processes, and credential access following RDP sessions. Windows event logs (Security event ID 4625 for failed logins, 4624 for successful sessions) should be reviewed for signs of brute-force or exploitation attempts. Consider enabling Enhanced RDP Security and restricting RDP access to trusted subnets only.
Why prioritize this
This vulnerability scores HIGH (CVSS 7.5) and combines network-based attack surface with code execution impact. While user interaction and complexity requirements reduce immediate risk, the broad Windows footprint and prevalence of RDP in enterprise environments warrant rapid patching. Organizations should prioritize systems exposed directly to untrusted networks (RDP gateways, internet-facing servers) and those used for sensitive administrative functions. Not yet in KEV, but early disclosure and broad affected product range suggest likely future exploitation as details become public.
Risk score, explained
The CVSS 7.5 HIGH rating reflects a network-accessible, authentication-free attack that achieves full system compromise (confidentiality, integrity, and availability impact) on the local system. The score is tempered by AC:H (complexity) and UI:R (user interaction requirements), which limit exploitability in practice. However, the large install base of Remote Desktop Client and Windows means even moderate real-world exploitation rates could affect thousands of organizations. Organizations with exposed RDP services or frequent external user access should treat this as urgently as critical-scored vulnerabilities.
Frequently asked questions
Do I need to patch if I don't use Remote Desktop Client?
If your organization does not use RDP for any administrative, helpdesk, or remote access purposes, risk is minimal. However, verify that RDP services are disabled on all systems; misconfigured or forgotten RDP instances are common. Patch regardless if you cannot definitively confirm RDP is not in use across your environment.
What should our incident response team do if we suspect exploitation?
Enable Enhanced Logging for RDP connections and audit all session activity in the 24-48 hours prior to detection. Check for unexpected local account creation, privilege escalation, lateral movement attempts, and data exfiltration. Immediately segment affected systems and revoke credentials for any accounts that accessed or authenticated via RDP during the suspect window. If credential theft is suspected, reset passwords for all administrative accounts.
Are there workarounds if we cannot patch immediately?
Restrict RDP access via Windows Firewall rules, disable RDP on non-essential systems, and route RDP connections only through a VPN gateway with multi-factor authentication. These controls reduce attack surface but do not eliminate risk; patching should remain the primary remediation goal. Do not rely on workarounds as a long-term strategy.
Does this vulnerability affect RDP Gateway services on servers?
Yes. Windows Server editions hosting RDP Gateway or RDP Connection Broker roles are affected. These critical infrastructure components should be patched as a first priority, as they are often exposed to less-trusted networks. Test patches thoroughly in your gateway environment before production deployment to avoid service disruptions.
This analysis is provided for informational purposes and should not be construed as legal or compliance advice. Organizations must validate all vulnerability details, patch versions, and compatibility requirements against official Microsoft advisories before deployment. Patch testing should occur in isolated environments first. This explainer does not constitute an exhaustive assessment of your organization's exposure; conduct your own vulnerability scans and risk reviews. SEC.co makes no warranty regarding the accuracy or completeness of this analysis and assumes no liability for decisions made based on this content. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42909HIGHMicrosoft Remote Desktop Client Race Condition Remote Code Execution
- CVE-2026-42913HIGHRemote Desktop Client Race Condition Allows Network Code Execution
- CVE-2026-42985HIGHRemote Desktop Client Use-After-Free RCE Vulnerability
- CVE-2026-45461HIGHMicrosoft Office Use-After-Free Remote Code Execution Vulnerability
- CVE-2026-45472HIGHUse-After-Free in Microsoft Office Enables Local Code Execution
- CVE-2026-45474HIGHCritical Use-After-Free in Microsoft Office (CVSS 8.4)
- CVE-2026-47653HIGHRemote Desktop Client Use-After-Free Code Execution Vulnerability
- CVE-2026-47654HIGHCritical RDP Use-After-Free Vulnerability in Windows Server