HIGH 7.5

CVE-2026-45639: Windows RDP Out-of-Bounds Read Information Disclosure (CVSS 7.5)

A flaw in Windows Remote Desktop Protocol (RDP) allows attackers to read sensitive data from memory without authentication or user interaction. An attacker on the network could exploit this vulnerability to extract confidential information, though they cannot modify systems or cause outages. The vulnerability affects numerous Windows versions and related RDP clients.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
26 configuration(s)
Published / Modified
2026-06-09 / 2026-06-19

NVD description (verbatim)

Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45639 is an out-of-bounds read vulnerability (CWE-125) in Windows RDP components. The vulnerability has a CVSS 3.1 score of 7.5 (HIGH), with a network attack vector, low attack complexity, no privilege or user interaction requirements, and confidentiality impact only. The flaw enables unauthenticated remote disclosure of information by crafting malicious RDP traffic, exploiting insufficient bounds checking in memory access operations.

Business impact

This vulnerability poses a significant confidentiality risk to organizations relying on RDP for remote access. Attackers can harvest sensitive data—credentials, session tokens, or business information—traversing the network without detection. While integrity and availability remain unaffected, the exposure of authentication material or proprietary data could facilitate lateral movement, fraud, or competitive espionage. Organizations with Windows-based remote work infrastructure face elevated risk of information theft.

Affected systems

The vulnerability impacts a broad range of Microsoft products: Remote Desktop Client, Windows App, Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2012, 2016, 2019, 2022, and 2025. Any organization running these versions with RDP enabled or deploying remote access clients should assume exposure.

Exploitability

This vulnerability has a low barrier to exploitation. No authentication is required, network access is sufficient, and attack complexity is low—an attacker only needs to send specially crafted RDP protocol packets to trigger the out-of-bounds read. However, exploitation requires network connectivity to RDP endpoints. The vulnerability is not currently listed as actively exploited in the CISA KEV catalog, but its ease of weaponization warrants rapid mitigation.

Remediation

Organizations must apply Microsoft's security patches for affected Windows and RDP client versions. Interim mitigations include restricting RDP access via firewall rules to trusted networks, disabling RDP on systems that do not require it, enforcing network segmentation, and monitoring for suspicious RDP connections. Consider deploying RDP gateway solutions or VPN-mediated access to reduce direct exposure.

Patch guidance

Contact Microsoft directly or consult their advisory for specific patch versions addressing CVE-2026-45639 across the affected product matrix. Patch deployment should prioritize externally exposed RDP services and shared remote access infrastructure. Test patches in non-production environments before broad rollout to ensure compatibility with legacy systems, particularly Windows Server 2012 and 2016 endpoints.

Detection guidance

Monitor RDP traffic (ports 3389 and related) for anomalous patterns: unusual source IPs, failed authentication spikes, or connections outside business hours. Implement network-based IDS/IPS rules targeting malformed RDP packets. On endpoints, enable RDP event logging (Event ID 4625 for failed logons; ID 21 for successful connections) and correlate with unexpected data exfiltration. Memory analysis tools can detect exploitation artifacts in running RDP processes.

Why prioritize this

Despite lacking active exploitation evidence (KEV status: false), the high CVSS score (7.5), unauthenticated attack vector, and broad affected product footprint demand prompt patching. The confidentiality impact and low attack complexity create substantial risk in remote-work-heavy environments. Organizations should treat this as a high-priority patch cycle inclusion, particularly for internet-facing systems.

Risk score, explained

The 7.5 CVSS score reflects high confidentiality impact and network-based exploitability balanced against no integrity or availability compromise. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates severe information disclosure with minimal attacker effort. In environments where RDP secrets directly protect critical assets or where lateral movement amplifies impact, organizational risk may exceed the base CVSS.

Frequently asked questions

Can this vulnerability be exploited over the internet, or only on internal networks?

The vulnerability can be exploited over any network where RDP endpoints are reachable. If RDP is exposed directly to the internet without VPN or gateway protection, the attack surface is global. Organizations should assume external exploitability if RDP ports are publicly accessible.

Will applying this patch break compatibility with older RDP clients?

Microsoft generally maintains backward compatibility in RDP patches. However, test patches in non-production environments before enterprise deployment, especially if you support legacy clients or embedded RDP implementations. Consult Microsoft's advisory for any known compatibility issues.

How does this vulnerability relate to common RDP attacks like BlueKeep?

Like BlueKeep (CVE-2019-0708), this is a network-accessible RDP flaw requiring no user interaction. However, CVE-2026-45639 is limited to information disclosure, not code execution. Both share the common risk of widespread Windows exposure, so organizations should treat RDP patching as a standing priority.

What should I do if I cannot patch immediately?

Implement defensive controls: block RDP ports (3389) at firewalls and only allow from trusted networks, disable RDP on systems that don't require it, enforce network segmentation, monitor RDP logs aggressively, and accelerate inventory of systems using RDP. A VPN-gated access model substantially reduces exploitation risk.

This analysis is based on the published vulnerability record as of June 2026. Patch availability, affected versions, and remediation guidance may change; verify against official Microsoft advisories before deployment. This document does not constitute legal or compliance advice. Organizations should conduct risk assessments aligned with their environment, regulatory obligations, and threat models. No exploit code or weaponized proof-of-concept is provided or intended. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).