CVE-2026-48563: Remote Desktop Client Use-After-Free Code Execution Vulnerability
A use-after-free bug in Microsoft's Remote Desktop Client can allow an attacker to run malicious code on a victim's machine over the network. The attacker would need to trick the user into connecting to a compromised or malicious Remote Desktop server, but once successful, they gain full control. This affects Windows 10 and Windows 11 systems, as well as Windows Server 2019, 2022, and 2025.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416, CWE-787
- Affected products
- 19 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-48563 is a use-after-free memory vulnerability (CWE-416) in the Remote Desktop Client that also involves out-of-bounds write behavior (CWE-787). The flaw allows an unauthenticated attacker to craft a malicious Remote Desktop Protocol (RDP) response that triggers unsafe memory access during the client's processing. When a user initiates an RDP connection to an attacker-controlled or compromised server, the client dereferences freed memory or writes to invalid memory regions, enabling arbitrary code execution with the privileges of the connected user. The vulnerability requires user interaction (the user must initiate or accept a connection) but does not require prior authentication, making it a network-accessible attack vector.
Business impact
Organizations relying on Remote Desktop for administration, helpdesk, or hybrid work face a direct code execution risk. Compromise of a user's workstation through RDP can lead to lateral movement, data exfiltration, malware deployment, and supply chain attacks if the compromised system has elevated access or trust relationships. The broad distribution across Windows 10 and Windows 11 versions—plus critical server OSes—means remediation scope is typically large. Unpatched Remote Desktop services exposed to untrusted networks present exceptional risk.
Affected systems
The vulnerability affects multiple Windows versions: Windows 10 (versions 1809, 21H2, and 22H2), all supported Windows 11 releases (23H2, 24H2, 25H2, and 26H1), and Windows Server 2019, 2022, and 2025. Any system running the Remote Desktop Client on these versions is potentially vulnerable when initiating outbound connections. Organizations should prioritize inventory of systems using RDP for remote management or user access.
Exploitability
Exploitation requires an attacker to control or compromise the Remote Desktop server endpoint and wait for (or trick) a client to connect. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects network accessibility but high attack complexity and required user interaction—the user must initiate or accept an RDP connection. This is not a wormable vulnerability, but targeted attacks against administrative users or supply-chain compromises of RDP gateway servers could be effective. No active exploitation in the wild is currently documented (KEV status is false), but the severity warrants swift patching before adversaries develop reliable exploits.
Remediation
Apply the security update from Microsoft covering CVE-2026-48563 for your affected Windows version. Verify the specific patch KB article and version numbers in the official Microsoft Security Update Guide. Additionally, implement network controls: restrict RDP access to trusted networks or IP ranges, disable RDP on systems that do not require it, use VPN or jump-host architectures to gate RDP connectivity, and consider enforcing multi-factor authentication for RDP sessions. These compensating controls reduce attack surface while patches are tested and deployed.
Patch guidance
Check the Microsoft Security Updates portal for the KB article corresponding to CVE-2026-48563 and your Windows version. Patches are typically released on monthly Patch Tuesday cycles or as out-of-band emergency updates given the severity. Test patches in a non-production environment before broad rollout. For Windows 10, confirm which version you are running (1809, 21H2, or 22H2) to obtain the correct update. Windows 11 users should verify their specific release (23H2, 24H2, 25H2, or 26H1). Server administrators should prioritize Server 2019, 2022, and 2025 systems, especially those exposed to the internet or untrusted networks.
Detection guidance
Monitor Remote Desktop Client error logs and system event logs for abnormal RDP session activity, including failed connection attempts or unexpected disconnects that might indicate an exploit attempt. Watch for suspicious processes spawned from the Remote Desktop Client executable. Network detection can flag unusual RDP traffic patterns (e.g., connections from anomalous sources or to unusual ports). Implement host-based intrusion detection focusing on memory corruption exploitation signatures. EDR solutions should flag process execution anomalies following RDP session initiation. Correlate system crashes or memory access violations in the RDP client with connection logs to identify potential exploitation attempts.
Why prioritize this
This vulnerability merits high priority due to its HIGH CVSS score (7.5), broad impact across supported Windows client and server versions, network accessibility, and potential for complete system compromise. Although exploitation requires user interaction and server-side compromise, the consequences are severe—remote code execution with user privileges. The absence from the KEV catalog suggests limited current active exploitation, but the technical severity and widespread affected base warrant immediate assessment and rapid patching. Delaying remediation increases the window for adversary development of reliable exploits.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects: (1) Network Attack Vector—attackers can exploit from the network without being present on the system; (2) High Attack Complexity—the attacker must set up a malicious server and induce user connection, or compromise an existing one; (3) No Privileges Required—the attacker does not need prior access; (4) User Interaction Required—a user must initiate an RDP connection; (5) Unchanged Scope—the vulnerability does not jump trust boundaries; (6) High Confidentiality, Integrity, and Availability Impact—successful exploitation yields complete code execution. The score balances severe impact against moderate barriers to exploitation.
Frequently asked questions
Do I need to be connected to the internet for this vulnerability to affect me?
No, but the attacker must be able to reach your system (or a server you connect to) over the network. If you use RDP over a private network, isolate that network from untrusted systems. If you expose RDP to the internet, the risk is immediate and global.
Can this be exploited without a user doing anything?
No. A user must initiate or accept a Remote Desktop connection for the vulnerability to trigger. An attacker typically sets up a malicious RDP server and tricks or targets a user into connecting to it. However, if an organization's RDP gateway or jump server is compromised, the attacker can exploit clients connecting to it.
Does disabling Remote Desktop completely protect me?
Yes, if RDP is not needed, disabling it eliminates the attack surface. However, most organizations rely on RDP for administration and support. Instead, implement network-level access controls (VPN, firewall rules, IP whitelisting) and apply patches promptly.
Is this vulnerability actively being exploited in the wild?
No confirmed active exploitation has been documented as of the vulnerability's publication. However, given the severity and the technical details now public, development of reliable exploits is likely underway. Treat the absence of current KEV status as a narrow window to patch before adversaries weaponize the flaw.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Security teams should verify all patch availability, affected version lists, and mitigation strategies against official Microsoft security advisories before implementation. The absence of KEV status does not guarantee the absence of active exploitation; threat intelligence should be consulted for real-time attack data. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance and recommends engaging qualified security professionals for organization-specific risk assessment and patching strategies. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42909HIGHMicrosoft Remote Desktop Client Race Condition Remote Code Execution
- CVE-2026-42913HIGHRemote Desktop Client Race Condition Allows Network Code Execution
- CVE-2026-42985HIGHRemote Desktop Client Use-After-Free RCE Vulnerability
- CVE-2026-44801HIGHRemote Desktop Client Use-After-Free Code Execution Vulnerability
- CVE-2026-45461HIGHMicrosoft Office Use-After-Free Remote Code Execution Vulnerability
- CVE-2026-45472HIGHUse-After-Free in Microsoft Office Enables Local Code Execution
- CVE-2026-45474HIGHCritical Use-After-Free in Microsoft Office (CVSS 8.4)
- CVE-2026-47653HIGHRemote Desktop Client Use-After-Free Code Execution Vulnerability