Skip to main content

Remote Desktop Client EUVDEUVD-2026-35724

| CVE-2026-42913 HIGH
Race Condition (CWE-362)
2026-06-09 secure@microsoft.com GHSA-m239-3rrf-2x78
7.5
CVSS 3.1 · Vendor: microsoft
Temporal: 6.5
Share

Severity by source

Vendor (microsoft) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.5 MEDIUM
cvss

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 18:37 vuln.today

DescriptionCVE.org

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled RDP server, where a heap-based buffer overflow triggered by a race condition (CWE-362) allows arbitrary code execution on the client machine. The flaw carries a CVSS 7.5 (High) rating with high attack complexity and required user interaction, and no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory CVE-2026-42913.

Technical ContextAI

The Remote Desktop Client is Microsoft's RDP client implementation (mstsc.exe and related components) used to establish remote sessions to Windows hosts. The root cause is a CWE-362 race condition that leads to a heap-based buffer overflow - concurrent operations on heap-allocated buffers (likely during RDP channel negotiation, virtual channel data handling, or graphics decoding) reach an inconsistent state where memory is written past allocated bounds. The 'Buffer Overflow' and 'Race Condition' tags from the intelligence sources confirm the dual nature: the race window is the trigger, and corrupted heap metadata or adjacent objects become the primitive for code execution. Because the flaw resides in the client (not the RDP server service), the attack model is inverted from typical RDP CVEs - a malicious or compromised RDP server attacks connecting clients.

RemediationAI

Apply the patch available per Microsoft's MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42913, deploying the cumulative update or standalone Remote Desktop client release that lists CVE-2026-42913 as fixed for each affected platform; exact fix build numbers should be taken from that advisory and not inferred. As compensating controls until patches are deployed, restrict outbound RDP (TCP/3389 and UDP/3389) at the perimeter so endpoints cannot connect to arbitrary external RDP servers - accepting the trade-off that legitimate remote-to-cloud or vendor-managed RDP use will break and require allowlisting; additionally instruct administrators not to connect to RDP endpoints provided by untrusted parties via .rdp files in emails or web downloads, since UI:R means the user must initiate the connection. Where feasible, route privileged RDP through a Remote Desktop Gateway with strict server allowlisting to remove the ability for users to point their client at an attacker-controlled host.

CVE-2026-42985 HIGH
8.8 Jun 09

Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or

CVE-2025-48817 HIGH
8.8 Jul 08

Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

CVE-2024-38131 HIGH
8.8 Aug 13

Clipboard Virtual Channel Extension Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2023-29362 HIGH
8.8 Jun 14

Remote Desktop Client Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotel

CVE-2022-22017 HIGH
8.8 May 10

Remote Desktop Client Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotel

CVE-2021-34535 HIGH
8.8 Aug 12

Remote Desktop Client Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotel

CVE-2021-1669 HIGH
8.8 Jan 12

Windows Remote Desktop Security Feature Bypass Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2024-49105 HIGH
8.4 Dec 12

Remote Desktop Client Remote Code Execution Vulnerability. Rated high severity (CVSS 8.4), this vulnerability is remotel

CVE-2025-27487 HIGH
8.0 Apr 08

Heap-based buffer overflow in Remote Desktop Client allows an authorized attacker to execute code over a network. Rated

CVE-2019-0887 HIGH
8.0 Jul 15

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an

CVE-2022-41121 HIGH
7.8 Dec 13

Windows Graphics Component Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is l

CVE-2026-45639 HIGH
7.5 Jun 09

Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows remote unauthenticated attackers to rea

Share

EUVD-2026-35724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy