
Severity by source

NVD (primary): 8.8 HIGH, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CIRCL (temporal): 7.7 HIGH

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 09, 2026 - 18:42 (vuln.today)

Description (NVD)

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Analysis (AI)

Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or compromised RDP server, triggering a heap-based buffer overflow that runs attacker code in the client's context. The flaw (CWE-416 use-after-free / heap corruption) carries CVSS 8.8 and requires user interaction, with no public exploit identified at time of analysis. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Recon: Stand up malicious RDP server
Delivery: Phish victim with .rdp lure
Exploit: Victim connects outbound to attacker
Install: Server sends crafted RDP PDU
C2: Trigger heap use-after-free in client
Execute: Execute code in user session
Impact: Establish foothold on workstation

Vulnerability Assessment (AI)

Exploitation: The victim must initiate an RDP connection from a vulnerable Remote Desktop Client to an attacker-controlled or compromised RDP server (UI:R in the CVSS vector confirms required user interaction such as opening an .rdp file, clicking an rdp:// URI, or manually connecting). …

Risk Assessment: CVSS 8.8 with AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H paints a high-severity remote unauthenticated picture, but the UI:R component is load-bearing: the victim must initiate or accept an RDP connection to a malicious server, so this is not a wormable server-side flaw like BlueKeep. …

Exploit Scenario: An attacker stands up a malicious RDP server and lures a target - for example via a phishing email with an .rdp attachment, a malicious shortcut, or a watering-hole link - to connect to it. On connection, the rogue server sends crafted RDP protocol data that triggers the heap corruption in the client, executing attacker code in the user's session on the victim workstation. …

Remediation: Apply the Microsoft patch referenced in the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42985 (patch available per vendor advisory; consult the advisory for the exact KB and build numbers per Windows SKU). …

Recommended Action (AI)

Within 24 hours: Conduct an inventory of all Microsoft Remote Desktop Client deployments and affected user populations to quantify organizational exposure. …


CVE-2026-42985 vulnerability details – vuln.today
