CVE-2026-47653: Remote Desktop Client Use-After-Free Code Execution Vulnerability
A use-after-free vulnerability in Microsoft's Remote Desktop Client allows an attacker to execute arbitrary code on a victim's computer over the network. The attacker does not need valid credentials, but the user must interact with the application (such as clicking a link or opening a file) for the attack to succeed. This is a serious flaw affecting many versions of Windows 10, Windows 11, and Windows Server editions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416, CWE-787
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47653 is a use-after-free memory corruption vulnerability (CWE-416) combined with a buffer overflow condition (CWE-787) in the Remote Desktop Client component. The vulnerability exists in the network-facing RDP protocol handler, allowing an unauthenticated attacker to craft a malicious RDP connection or session that triggers memory corruption. Successful exploitation results in arbitrary code execution within the security context of the logged-in user. The vulnerability requires user interaction to trigger, reducing but not eliminating the risk in environments where users receive social engineering or watering-hole attacks.
Business impact
This vulnerability poses a significant risk to organizations relying on Remote Desktop services for remote access or administration. An attacker can gain complete control over an affected endpoint, leading to data theft, lateral movement, ransomware deployment, or business disruption. The broad range of affected Windows versions and the requirement for user interaction make this particularly dangerous in environments with high-risk user populations or where RDP is exposed to less-trusted networks. Patch deployment should be prioritized to reduce exposure window.
Affected systems
The vulnerability affects Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025. Any organization running RDP client functionality on these systems—whether for remote administration, helpdesk access, or user remote work—is potentially affected. The wide distribution across both client and server operating systems means most enterprises will have affected assets.
Exploitability
The vulnerability is moderately accessible to attackers. Network accessibility and lack of authentication requirements lower the barrier to exploitation, but the requirement for user interaction (clicking a malicious link, accepting a connection, or opening a specially crafted file) provides some defensive value. An attacker would typically need to socially engineer a target or leverage a trusted communication channel to deliver the trigger. Once user interaction occurs, code execution happens without additional warnings or prompts, making detection challenging for end users.
Remediation
Microsoft has released security updates addressing this vulnerability. Organizations should apply patches to all affected Windows endpoints as soon as feasible, prioritizing systems with direct RDP exposure or heavy remote access usage. In addition to patching, consider implementing network-level defenses: restrict RDP access via firewall rules, use VPN for remote access rather than direct RDP exposure, enable Network Level Authentication (NLA) where applicable, and monitor for suspicious RDP connection attempts. For systems that cannot be patched immediately, isolating RDP access to trusted networks or disabling the service until patched provides temporary risk reduction.
Patch guidance
Consult Microsoft's official security advisory and update your systems through Windows Update or WSUS. Verify that patches are applied to Windows 10 (all listed versions), Windows 11 (all listed versions), and Windows Server editions (2012 through 2025). Test patches in a staging environment before broad deployment to ensure compatibility with line-of-business applications. Given the HIGH severity rating and network exposure risk, expedited patching (within 14–30 days) is recommended for most organizations. Confirm patch installation by checking Windows Update history and system information for the relevant KB article number.
Detection guidance
Monitor RDP logs (Event Viewer, Remote Desktop Event Logs) for failed or unusual connection attempts, especially from external sources. Endpoint Detection and Response (EDR) solutions should flag memory corruption or code injection attempts originating from RDP processes. Network intrusion detection systems can alert on malformed RDP protocol messages or suspicious RDP traffic patterns. In addition, track successful RDP connections from unexpected sources or at unusual times. Organizations with mature logging should correlate RDP access logs with endpoint telemetry to identify potential exploitation attempts before code execution occurs.
Why prioritize this
This vulnerability ranks as HIGH priority due to the combination of network exploitability, HIGH CVSS score (8.8), broad affected asset base across Windows 10, 11, and Server editions, and the potential for complete system compromise. Although user interaction is required, the vector remains practical for attackers using social engineering or supply-chain compromises. The lack of KEV status as of the publication date suggests limited real-world active exploitation to date, but that is not a reason to defer patching. Organizations should treat this as a top-tier remediation target to prevent escalating risk as exploit code becomes more widely available.
Risk score, explained
The CVSS v3.1 score of 8.8 (HIGH) reflects the critical combination of factors: network accessibility (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The requirement for user interaction (UI:R) prevents a critical rating but does not materially reduce the risk in realistic attack scenarios. This score appropriately prioritizes rapid patching and defensive measures.
Frequently asked questions
Do I need valid credentials to exploit this vulnerability?
No. The vulnerability can be triggered by an unauthenticated attacker over the network. However, the victim must interact with the application—for example, by accepting a malicious RDP connection or clicking a link embedded in a phishing email that triggers the RDP client. This interaction requirement is the primary user-side defense.
Which Windows versions are most critical to patch first?
Organizations should prioritize any Windows 10 or 11 system where users actively use Remote Desktop or where RDP is exposed to external networks. Server editions (2016, 2019, 2022, 2025) used as RDP jump hosts or Terminal Servers should also be prioritized immediately. Older versions like Windows 10 1607 may have fewer active deployments but should not be overlooked if they remain in production.
Can I disable Remote Desktop to reduce my risk until patches are available?
Yes. Disabling RDP on non-critical systems or restricting RDP access through firewall rules can significantly reduce your attack surface. However, many organizations rely on RDP for remote administration and support. A more balanced approach is to restrict RDP to VPN-connected or trusted IP ranges, enable Network Level Authentication, and apply patches as soon as possible.
How long do I have before this becomes a critical threat?
The vulnerability is not yet in the CISA KEV catalog, indicating limited active exploitation as of the publication date. However, do not rely on this as a reason to delay patching. Typically, exploit code becomes public or widely available within weeks to months of vulnerability disclosure. Plan to patch within 14–30 days to stay ahead of the threat curve.
This analysis is based on publicly disclosed vulnerability information as of the publication date. Patch version numbers, exact vulnerability details, and affected component lists should be verified against Microsoft's official security advisory and vendor guidance. SEC.co does not guarantee the completeness or accuracy of third-party vendor data. Organizations should conduct their own risk assessment and testing before applying patches or implementing mitigations in production environments. This vulnerability intelligence is provided for informational purposes and does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42909HIGHMicrosoft Remote Desktop Client Race Condition Remote Code Execution
- CVE-2026-42913HIGHRemote Desktop Client Race Condition Allows Network Code Execution
- CVE-2026-42985HIGHRemote Desktop Client Use-After-Free RCE Vulnerability
- CVE-2026-44801HIGHRemote Desktop Client Use-After-Free Code Execution Vulnerability
- CVE-2026-45461HIGHMicrosoft Office Use-After-Free Remote Code Execution Vulnerability
- CVE-2026-45472HIGHUse-After-Free in Microsoft Office Enables Local Code Execution
- CVE-2026-45474HIGHCritical Use-After-Free in Microsoft Office (CVSS 8.4)
- CVE-2026-47654HIGHCritical RDP Use-After-Free Vulnerability in Windows Server