Microsoft fixes two Windows RDP flaws that can expose sensitive data


Microsoft has fixed two Windows Remote Desktop Protocol vulnerabilities that can allow an unauthenticated attacker to disclose sensitive information over a network.

The flaws are tracked as CVE-2026-42908 and CVE-2026-45639. Both were patched in Microsoft’s June 9, 2026 security updates and both affect Windows Remote Desktop Protocol.

These are not remote code execution bugs. They are information disclosure vulnerabilities. Still, they matter because RDP is often exposed in business networks, and memory disclosure bugs can help attackers build more reliable follow-up attacks: an out-of-bounds read that returns process memory can leak pointers or other heap contents that an attacker then uses to defeat ASLR or to turn a separate memory corruption bug into a dependable exploit.

Both RDP bugs allow remote information disclosure

The NVD entry for CVE-2026-42908 says an out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.

The separate NVD entry for CVE-2026-45639 uses the same description and links the issue to Windows RDP. Both vulnerabilities are associated with CWE-125, which covers out-of-bounds read conditions.

Microsoft assigned both vulnerabilities a CVSS 3.1 score of 7.5. The score reflects a network-based attack that requires no privileges and no user interaction, but only affects confidentiality.

CVE                 CVE-2026-42908                     CVE-2026-45639
Component           Windows Remote Desktop Protocol    Windows Remote Desktop Protocol
Impact              Information disclosure             Information disclosure
Bug class           Out-of-bounds read                 Out-of-bounds read
CWE                 CWE-125                            CWE-125
CVSS score          7.5                                7.5
Attack vector       Network                            Network
User interaction    Not required                       Not required

Why these RDP vulnerabilities matter

RDP remains a high-value target because it provides remote access to Windows systems. Even when a flaw only discloses information, attackers can use leaked memory details to weaken defenses or support a larger attack chain.

The June 2026 Patch Tuesday roundup lists both RDP flaws among the important vulnerabilities fixed this month. Microsoft’s June update cycle also addressed a large number of other Windows, Office, Exchange, and Remote Desktop Client issues.

For organizations, the main risk comes from exposed RDP services and systems that handle sensitive sessions. A successful information disclosure attack may reveal data from memory, which can become useful when combined with other vulnerabilities or stolen credentials.

  • Attackers can reach the flaws remotely over the network.
  • No authentication is required: the CVSS vector for both CVEs carries PR:N (Privileges Required: None).
  • No user interaction is required.
  • The confirmed impact is confidentiality loss, not direct data modification or service disruption.
  • Internet-exposed RDP endpoints deserve the fastest attention.

Microsoft patched the flaws in June security updates

The Microsoft CVE-2026-42908 advisory and Microsoft CVE-2026-45639 advisory list the official fixes and affected products through the Microsoft Security Update Guide.

The vulnerabilities affect Windows versions where the vulnerable RDP component is present. This includes supported Windows client and server releases that received June 2026 cumulative updates or security rollups.

Admins should confirm that the June 2026 Windows updates were deployed successfully, especially on servers and endpoints that allow Remote Desktop connections.

Priority    Systems to check first
Highest     Internet-exposed RDP servers and Remote Desktop gateways
High        Jump servers, admin workstations, and domain management systems
High        Servers used for remote support or shared administrative access
Medium      Internal endpoints with RDP enabled but restricted by firewall rules
Medium      Systems where RDP is installed but not actively used

What administrators should do now

Microsoft’s June 2026 updates should serve as the primary fix. Organizations should also review how RDP is exposed, because patching one month’s flaws does not remove the broader risk created by open remote access services.

The CVE-2026-42908 record and CVE-2026-45639 record show the same high-severity CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. That means the attack can happen over the network, with low complexity, no privileges, and no user interaction.
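As an added worked example (not code from the article, NVD or Microsoft), the PowerShell below computes a CVSS v3.1 base score from a vector string using the metric weights and the Roundup rule from the FIRST CVSS v3.1 specification, then evaluates the published vector next to two variants: the same leak reachable only after logging in (PR:L) and the same reachability with limited disclosure (C:L). Function names are this example's own.

```powershell
# Added example, not code from the article or from Microsoft: CVSS v3.1 base score
# from a vector string, with the weights and Roundup rule of the FIRST CVSS v3.1 spec.

function Get-CvssRoundUp {
    param([double]$Value)
    # Spec Roundup: smallest one-decimal number >= input, done on integers
    # so floating-point noise cannot push a 7.49999 up to 7.6.
    $i = [math]::Round($Value * 100000, [System.MidpointRounding]::AwayFromZero)
    if (($i % 10000) -eq 0) { return $i / 100000.0 }
    return ([math]::Floor($i / 10000) + 1) / 10.0
}

function Get-CvssBaseScore {
    param([string]$Vector)    # 'CVSS:3.1/AV:N/AC:L/...' or a bare 'AV:N/AC:L/...'
    $w = @{
        AV = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.20 }
        AC = @{ L = 0.77; H = 0.44 }
        UI = @{ N = 0.85; R = 0.62 }
        C  = @{ H = 0.56; L = 0.22; N = 0.0 }
        I  = @{ H = 0.56; L = 0.22; N = 0.0 }
        A  = @{ H = 0.56; L = 0.22; N = 0.0 }
    }
    $m = @{}
    foreach ($part in ($Vector -split '/')) {
        $kv = $part -split ':'
        if ($kv.Count -eq 2 -and $kv[0] -ne 'CVSS') { $m[$kv[0]] = $kv[1] }
    }
    foreach ($k in 'AV','AC','PR','UI','S','C','I','A') {
        if (-not $m.ContainsKey($k)) { throw "vector is missing metric $k" }
    }
    $scopeChanged = ($m.S -eq 'C')
    # Privileges Required weights depend on Scope.
    $pr = switch ($m.PR) {
        'N' { 0.85 }
        'L' { if ($scopeChanged) { 0.68 } else { 0.62 } }
        'H' { if ($scopeChanged) { 0.50 } else { 0.27 } }
    }
    # Impact Sub-Score, then Impact and Exploitability sub-scores.
    $iss = 1 - ((1 - $w.C[$m.C]) * (1 - $w.I[$m.I]) * (1 - $w.A[$m.A]))
    $impact = if ($scopeChanged) {
        7.52 * ($iss - 0.029) - 3.25 * [math]::Pow($iss - 0.02, 15)
    } else {
        6.42 * $iss
    }
    $exploitability = 8.22 * $w.AV[$m.AV] * $w.AC[$m.AC] * $pr * $w.UI[$m.UI]
    if ($impact -le 0) { return 0.0 }
    if ($scopeChanged) {
        return Get-CvssRoundUp ([math]::Min(1.08 * ($impact + $exploitability), 10.0))
    }
    return Get-CvssRoundUp ([math]::Min($impact + $exploitability, 10.0))
}

# The vector both advisories carry, plus two variants for comparison.
$vectors = @(
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',   # as published
    'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N',   # same leak, but only after authentication
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'    # same reachability, limited disclosure
)
foreach ($v in $vectors) {
    '{0,-48} {1}' -f $v, (Get-CvssBaseScore $v)
}
```

For the published vector the function returns 7.5, matching both advisories; requiring a low-privileged account drops it to 6.5 and limiting the disclosure drops it to 5.3. The unauthenticated, network-reachable, high-confidentiality combination is what carries the score, not the "information disclosure" label, and that is the combination to prioritise on.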

Security teams should treat that combination seriously even though the impact category is information disclosure. A network-reachable memory disclosure bug in RDP can provide useful clues for attackers during reconnaissance and exploit development.

  • Install the June 2026 Windows security updates on affected systems.
  • Confirm update status through endpoint management tools, not only manual checks.
  • Block direct internet access to RDP wherever possible.
  • Place RDP behind VPN, Zero Trust Network Access, or a hardened bastion host.
  • Use Network Level Authentication and strong multi-factor authentication.
  • Monitor failed and unusual RDP connection attempts.
  • Disable RDP on systems that do not need it.
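The checks in the list above, and the update confirmation the previous section asks for, as an added PowerShell example that is not code from the article or from Microsoft: it reads the RDP state a Windows host actually enforces (registry values, the bound listener, the built-in firewall rule group), reports patch status, counts recent failed RDP logons, and offers a hardening function. The KB number of the June 2026 fix is not given on this page, so the script takes it as a parameter (-RequiredKb, an assumption) and otherwise falls back to checking for any hotfix installed on or after the June 9, 2026 release date, which is only a proxy. It assumes an English Windows install (the firewall display group is named 'Remote Desktop'); function and parameter names are this example's own. Run it in an elevated session on the host under review.

```powershell
# Added example, not code from the article or from Microsoft. Run elevated.
# Assumptions: English Windows (firewall display group 'Remote Desktop'); the KB
# number of the June 2026 fix is not known here and must be passed in.

function Get-RdpExposureReport {
    param(
        [string]$RequiredKb,                                    # KB from the Security Update Guide (assumption)
        [datetime]$UpdateReleaseDate = [datetime]'2026-06-09'   # June 2026 Patch Tuesday, per the article
    )
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"

    # Effective RDP settings. fDenyTSConnections=1 means Remote Desktop is off;
    # UserAuthentication=1 means NLA is required; SecurityLayer=2 means TLS only.
    $rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nlaRequired = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication).UserAuthentication -eq 1
    $tlsOnly     = (Get-ItemProperty -Path $tcpKey -Name SecurityLayer).SecurityLayer -eq 2
    $port        = (Get-ItemProperty -Path $tcpKey -Name PortNumber).PortNumber

    # Is the listener actually bound, and on which addresses? 0.0.0.0 or :: means every interface.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalAddress -Unique

    # Firewall profiles on which the built-in inbound Remote Desktop rules are enabled.
    $openProfiles = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' } |
        Select-Object -ExpandProperty Profile -Unique

    # Patch status: the named KB if one was given, otherwise any hotfix installed on/after release day.
    $hotfixes = Get-HotFix
    $kbInstalled = if ($RequiredKb) { [bool]($hotfixes | Where-Object HotFixID -eq $RequiredKb) } else { $null }
    $patchedSinceRelease = [bool]($hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $UpdateReleaseDate })

    # Failed logons in the last 24h. In Security event 4625, Properties[10] is LogonType;
    # 10 = RemoteInteractive. Caveat: with NLA on, failures during CredSSP pre-auth are logged
    # as LogonType 3 (Network), so password spraying against an NLA host shows mostly as type 3.
    $since  = (Get-Date).AddDays(-1)
    $failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $failedRdp     = @($failed | Where-Object { $_.Properties[10].Value -eq 10 }).Count
    $failedNetwork = @($failed | Where-Object { $_.Properties[10].Value -eq 3 }).Count

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        RdpEnabled             = $rdpEnabled
        Port                   = $port
        ListeningOn            = ($listeners -join ', ')
        NlaRequired            = $nlaRequired
        TlsOnly                = $tlsOnly
        FirewallOpenProfiles   = ($openProfiles -join ', ')
        RequiredKbInstalled    = $kbInstalled
        PatchedSinceRelease    = $patchedSinceRelease
        FailedRdpLogons24h     = $failedRdp
        FailedNetworkLogons24h = $failedNetwork
    }
}

function Set-RdpHardening {
    # Enforce NLA and TLS; optionally turn RDP off entirely on hosts that do not need it.
    param([switch]$DisableRdp)
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"
    Set-ItemProperty -Path $tcpKey -Name UserAuthentication -Value 1
    Set-ItemProperty -Path $tcpKey -Name SecurityLayer      -Value 2
    if ($DisableRdp) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}

# Report first; pass -RequiredKb once the KB is known from the advisory. Harden afterwards.
Get-RdpExposureReport | Format-List
```

A host reporting RdpEnabled true, ListeningOn 0.0.0.0 and an enabled rule on the Public profile is the "internet-exposed" case from the priority table and belongs at the front of the patch queue; PatchedSinceRelease true only says something from the release window was installed, so treat RequiredKbInstalled as the authoritative check once the KB is in hand. Run Set-RdpHardening -DisableRdp on systems in the "installed but not actively used" row.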

June Patch Tuesday also included several Remote Desktop fixes

These two RDP information disclosure bugs arrived alongside several Remote Desktop Client vulnerabilities in Microsoft’s June 2026 Patch Tuesday release. Some of those client-side issues were rated critical because they involve remote code execution.

The Patch Tuesday report counted 200 Microsoft vulnerabilities fixed in June, including multiple Remote Desktop Client remote code execution flaws and 30 information disclosure vulnerabilities overall.

That broader context matters for patch planning. Admins should not only look for CVE-2026-42908 and CVE-2026-45639. They should deploy the full June security updates for affected Windows systems so related RDP and Remote Desktop Client fixes are applied together.

There is no public indication from the reviewed advisories that CVE-2026-42908 or CVE-2026-45639 were exploited in active attacks at release time. Even so, their network reachability and high confidentiality impact make them important patching targets for any environment that relies on Remote Desktop.

FAQ

What are CVE-2026-42908 and CVE-2026-45639?

CVE-2026-42908 and CVE-2026-45639 are Windows Remote Desktop Protocol information disclosure vulnerabilities. Both are caused by out-of-bounds reads and can allow an unauthorized attacker to disclose information over a network.

Are the Windows RDP vulnerabilities remote code execution flaws?

No. CVE-2026-42908 and CVE-2026-45639 are information disclosure vulnerabilities. They do not directly provide remote code execution based on the official descriptions, but leaked memory data can help attackers during more complex attack chains.

Do attackers need authentication to exploit these RDP flaws?

The CVSS vector for both vulnerabilities shows that no privileges are required. It also shows that the attack can occur over the network and does not require user interaction.

Which update fixes CVE-2026-42908 and CVE-2026-45639?

Microsoft fixed both vulnerabilities in the June 9, 2026 security updates. Administrators should deploy the relevant June cumulative updates or security rollups for affected Windows client and server systems.

What should administrators do to reduce RDP risk?

Administrators should install the June 2026 Windows security updates, block direct internet exposure for RDP, place Remote Desktop access behind VPN or Zero Trust access controls, enforce strong authentication, monitor unusual RDP activity, and disable RDP where it is not needed.

Readers help support VPNCentral. We may get a commission if you buy through our links.