Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Network-reachable client bug with no attacker auth (PR:N) but victim must connect to a malicious RDP server (UI:R); UAF yields full RCE, so C/I/A all High.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft's Remote Desktop Client (the RDP client, mstsc.exe, shipped across Windows 10, Windows 11, and Windows Server 2012 through 2025) allows an unauthorized attacker to run arbitrary code over the network by triggering a use-after-free memory-corruption condition. Exploitation requires the victim to connect to an attacker-controlled or compromised RDP endpoint (UI:R), after which the malicious server can corrupt client-side memory to achieve full code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open an outbound Remote Desktop connection to an attacker-controlled or compromised RDP server - the malicious server, not an unauthenticated push to the victim, delivers the crafted RDP data that triggers the use-after-free in the client. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, score 8.8) indicates a network-reachable, low-complexity, unauthenticated attack with high confidentiality, integrity, and availability impact, but crucially gated by required user interaction (UI:R) - the victim must initiate or be lured into an RDP connection to a hostile server. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker stands up a malicious RDP server (or compromises a legitimate one) and lures a victim into connecting, for example by emailing a crafted .rdp file or a rdp:// link. When the victim's Remote Desktop Client processes the server's responses, the attacker triggers the use-after-free to corrupt heap memory and execute arbitrary code in the context of the connecting user. … |
| Remediation | Patch available per vendor advisory - apply the Microsoft security update for CVE-2026-50474 referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50474, selecting the update corresponding to each affected OS (Windows 10 1607/1809/21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2012 through 2025 including Server Core); exact fixed build numbers are not provided in the input and should be taken from the MSRC page. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, IT teams should inventory RDP-dependent systems and communicate patch availability to stakeholders. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Windows 10 Version 1607
View allLocal privilege escalation in Microsoft Active Directory Federation Services (AD FS) lets an already-authenticated low-p
Local privilege escalation in the Microsoft Windows Kernel allows an unauthorized attacker to gain elevated (SYSTEM-leve
Local privilege escalation in the Windows Win32K kernel subsystem (CWE-122 heap-based buffer overflow) lets an already-a
Local code execution in the Windows DHCP Client service stems from a use-after-free (CWE-416) memory-corruption flaw aff
Local code execution in the Microsoft Message Queuing (MSMQ) Queue Manager affects a broad range of Windows client and s
Remote code execution in the Microsoft Windows DHCP Server role allows an unauthenticated network attacker to run arbitr
Elevation of privilege in the Windows NTFS file-system driver lets an already-authenticated local user escalate to SYSTE
Local code execution in the Windows Media component of supported Windows 10, Windows 11, and Windows Server (2016 throug
Elevation of privilege in the Windows Hyper-V virtual network switch (VMSwitch) lets an authenticated attacker operating
Remote code execution in the Windows Server Network driver stems from a race condition (CWE-362) that lets an unauthoriz
Remote code execution in Microsoft Windows Remote Desktop (RDP) allows an unauthorized network attacker to run arbitrary
Remote code execution in Microsoft Windows Message Queuing (MSMQ) allows an unauthenticated attacker to run arbitrary co
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44072
GHSA-m2v2-8789-q639