Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft Remote Desktop Client is possible when a user is enticed to connect to an attacker-controlled RDP server, triggering a heap-based buffer overflow (CWE-122). The flaw scores CVSS 7.5 (AV:N/AC:H/PR:N/UI:R) and, while no public exploit is identified at time of analysis, the network-reachable nature and full CIA impact make it a meaningful client-side risk for users connecting to untrusted endpoints.
Technical ContextAI
Microsoft's Remote Desktop Client implements the Remote Desktop Protocol (RDP) over TCP/UDP 3389, parsing a complex stream of virtual-channel, graphics, clipboard, and device-redirection PDUs from the server. CWE-122 (Heap-based Buffer Overflow) indicates that one of these parsers writes attacker-controlled data past the bounds of a heap allocation - typically due to an incorrect length calculation or missing bounds check on a server-supplied field. Because the corruption occurs in the client process, a malicious RDP server (rather than a malicious client) is the threat actor, inverting the usual RDP trust model.
RemediationAI
Patch available per vendor advisory - apply the Microsoft security update for Remote Desktop Client listed in the MSRC entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42992, selecting the KB that matches each affected Windows or Remote Desktop app build. Until patches are deployed, restrict outbound TCP/UDP 3389 (and 443 for RD Gateway tunneled sessions) at the perimeter so endpoints cannot reach untrusted RDP servers, and instruct users not to connect to .rdp files or mstsc links from email or web sources; the trade-off is that legitimate connections to third-party hosted desktops will break and must be allowlisted. Where outbound RDP must remain open, force connections through a Remote Desktop Gateway and disable risky virtual channels (clipboard, drive, device redirection) via Group Policy to reduce the attack surface exposed to a hostile server, accepting the usability loss those redirections provide.
More in Windows App
View allHeap-based buffer overflow in Microsoft Remote Desktop Client enables remote code execution when a user connects to a ma
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or
Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Remote Desktop Client Remote Code Execution Vulnerability. Rated high severity (CVSS 8.4), this vulnerability is remotel
Heap-based buffer overflow in Remote Desktop Client allows an authorized attacker to execute code over a network. Rated
An elevation of privilege vulnerability exists in Remote Desktop App for Mac in the way it allows an attacker to load un
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows remote unauthenticated attackers to rea
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled RD
Remote code execution in Microsoft Remote Desktop Client arises from a heap-based buffer overflow (CWE-122) that an unau
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled or c
Out-of-bounds read in Remote Desktop Client allows an unauthorized attacker to disclose information over a network.
Windows App Installer fails to adequately authenticate package data, enabling network-based attackers to conduct spoofin
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35745
GHSA-26qw-9rj6-9q7x