Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled RDP server, where a heap-based buffer overflow triggered by a race condition (CWE-362) allows arbitrary code execution on the client machine. The flaw carries a CVSS 7.5 (High) rating with high attack complexity and required user interaction, and no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory CVE-2026-42913.
Technical ContextAI
The Remote Desktop Client is Microsoft's RDP client implementation (mstsc.exe and related components) used to establish remote sessions to Windows hosts. The root cause is a CWE-362 race condition that leads to a heap-based buffer overflow - concurrent operations on heap-allocated buffers (likely during RDP channel negotiation, virtual channel data handling, or graphics decoding) reach an inconsistent state where memory is written past allocated bounds. The 'Buffer Overflow' and 'Race Condition' tags from the intelligence sources confirm the dual nature: the race window is the trigger, and corrupted heap metadata or adjacent objects become the primitive for code execution. Because the flaw resides in the client (not the RDP server service), the attack model is inverted from typical RDP CVEs - a malicious or compromised RDP server attacks connecting clients.
RemediationAI
Apply the patch available per Microsoft's MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42913, deploying the cumulative update or standalone Remote Desktop client release that lists CVE-2026-42913 as fixed for each affected platform; exact fix build numbers should be taken from that advisory and not inferred. As compensating controls until patches are deployed, restrict outbound RDP (TCP/3389 and UDP/3389) at the perimeter so endpoints cannot connect to arbitrary external RDP servers - accepting the trade-off that legitimate remote-to-cloud or vendor-managed RDP use will break and require allowlisting; additionally instruct administrators not to connect to RDP endpoints provided by untrusted parties via .rdp files in emails or web downloads, since UI:R means the user must initiate the connection. Where feasible, route privileged RDP through a Remote Desktop Gateway with strict server allowlisting to remove the ability for users to point their client at an attacker-controlled host.
More in Remote Desktop Client
View allRemote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or
Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Clipboard Virtual Channel Extension Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerabil
Remote Desktop Client Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotel
Remote Desktop Client Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotel
Remote Desktop Client Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotel
Windows Remote Desktop Security Feature Bypass Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remo
Remote Desktop Client Remote Code Execution Vulnerability. Rated high severity (CVSS 8.4), this vulnerability is remotel
Heap-based buffer overflow in Remote Desktop Client allows an authorized attacker to execute code over a network. Rated
A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an
Windows Graphics Component Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is l
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows remote unauthenticated attackers to rea
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35724
GHSA-m239-3rrf-2x78