Microsoft Patches Five Windows RDP Flaws That Can Expose Sensitive Memory


Microsoft has fixed five Windows Remote Desktop Protocol information-disclosure vulnerabilities that could expose sensitive data from memory. The company released the patches on July 14, 2026, as part of its July 2026 security updates.

All five vulnerabilities carry a CVSS score of 6.5 and an Important severity rating from Microsoft. They affect the confidentiality of data but are not classified as remote code-execution vulnerabilities.

Four flaws require user interaction, such as persuading a victim to connect to a malicious RDP server. The fifth can be exploited without user interaction, but the attacker must already have low-level authorized access to the vulnerable RDP service.

Five RDP Information-Disclosure Vulnerabilities

The vulnerabilities result from different memory-handling errors in Windows RDP. These include buffer over-read, out-of-bounds read, uninitialized resource use and an off-by-one error.

CVEMemory-safety weaknessPrivileges requiredUser interactionMicrosoft assessment
CVE-2026-50445Buffer over-readNoneRequiredExploitation less likely
CVE-2026-57979Out-of-bounds readNoneRequiredExploitation less likely
CVE-2026-55003Use of uninitialized resourceNoneRequiredExploitation unlikely
CVE-2026-50497Off-by-one error and use of uninitialized resourceNoneRequiredExploitation unlikely
CVE-2026-57982Use of uninitialized resourceLow privilegesNot requiredExploitation less likely

Each flaw has a high confidentiality impact under Microsoft’s CVSS assessment. None of the five affects integrity or availability directly, according to the published vectors.

How the RDP Memory Flaws Can Be Exploited

CVE-2026-50445 involves a buffer over-read, while CVE-2026-57979 is an out-of-bounds read vulnerability. Both can cause the RDP implementation to read beyond the intended memory boundary.

CVE-2026-55003 involves the use of an uninitialized resource. CVE-2026-50497 combines an off-by-one error with uninitialized resource use. In both cases, memory that was not properly prepared could contain residual information.

These four vulnerabilities have the CVSS vector AV:N/AC:L/PR:N/UI:R. An attacker needs network access and no existing privileges, but exploitation depends on a user performing an action. In an RDP context, this can involve directing the victim to connect to an attacker-controlled remote system.

One Vulnerability Requires an Authorized Account

CVE-2026-57982 has a different attack path. It does not require user interaction, but the attacker must have low-level privileges and authorized network access to the RDP service.

This distinction matters for risk assessment. CVE-2026-57982 is not an unauthenticated, no-click vulnerability against any internet-accessible RDP server. An attacker must first obtain or possess an account with limited access.

The flaw can still matter in compromised enterprise environments. An attacker who has acquired a basic account may attempt to use the vulnerability as part of further reconnaissance or lateral movement.

What Information Could Be Exposed?

Microsoft describes all five flaws as information-disclosure vulnerabilities. Successful exploitation could allow an attacker to read memory that the RDP component should not have made accessible.

The disclosed records do not specify exactly what information would appear in the affected memory. The exposed contents would depend on the vulnerable process, the system state and the data handled before exploitation.

Administrators should therefore avoid assuming that every successful attack would reveal passwords or session tokens. The confirmed impact is unauthorized disclosure of memory contents, not the guaranteed recovery of a particular credential or secret.

Affected Windows Versions

The affected-product lists span supported Windows client and server releases. The precise list differs slightly between CVEs, so administrators should check each vulnerability against their deployed editions and builds.

Product familyVersions included in Microsoft records
Windows 10Version 1607, Version 1809, Version 21H2 and Version 22H2
Windows 11Version 24H2, Version 25H2 and Version 26H1
Windows ServerWindows Server 2012, 2012 R2, 2016, 2019, 2022 and 2025, depending on the CVE
Server CoreAffected Server Core installations listed for the applicable Windows Server release

Organizations should not limit patching to systems configured as RDP servers. Four vulnerabilities involve user interaction, so Windows endpoints used to initiate Remote Desktop connections also need the July updates.

Older Windows Server systems may require the applicable servicing entitlement or Extended Security Updates. Administrators should verify that update-management tools report the correct cumulative update and operating system build after deployment.

Microsoft Reports No Active Exploitation

At release, Microsoft marked all five vulnerabilities as not publicly disclosed and not exploited. The company assessed CVE-2026-55003 and CVE-2026-50497 as exploitation unlikely.

Microsoft classified CVE-2026-50445, CVE-2026-57979 and CVE-2026-57982 as exploitation less likely. These ratings describe Microsoft’s expected probability of exploitation and do not mean that affected systems can safely remain unpatched.

  • No active exploitation was reported by Microsoft at release.
  • Microsoft listed no prior public disclosure for the five vulnerabilities.
  • All five flaws have network-based attack vectors.
  • Every flaw can cause high-impact information disclosure under the CVSS vectors.

Install the July 2026 Windows Updates

The fixes are included in Microsoft’s July 2026 Security Update Guide release. Organizations should deploy the cumulative update or monthly rollup provided for each supported Windows version.

Updates can be distributed through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, Windows Autopatch or another enterprise patch-management platform. Administrators can also obtain standalone packages from the Microsoft Update Catalog.

  1. Inventory Windows systems that host or initiate RDP sessions.
  2. Identify the operating system version, edition and current build number.
  3. Approve the July 2026 cumulative update or monthly rollup for each product.
  4. Test the updates on representative RDP clients, session hosts and gateways.
  5. Deploy the patches to internet-facing and externally accessible systems first.
  6. Restart systems when required and confirm that the new build is installed.
  7. Run a follow-up vulnerability scan to find missed or failed deployments.

Reduce RDP Exposure While Patching

Organizations should avoid exposing TCP port 3389 directly to the public internet. Where remote access is necessary, administrators can place RDP behind an approved VPN or Remote Desktop Gateway and restrict access with firewall rules.

Microsoft recommends enabling Network Level Authentication for most Remote Desktop environments. NLA requires users to authenticate before the system establishes a full remote session.

NLA and network restrictions provide additional protection, but they do not replace the security updates. CVE-2026-57982 already assumes that the attacker has a low-privileged authorized account, while the other flaws can involve a vulnerable RDP client connecting outward.

  • Permit RDP only from approved network segments and administrative devices.
  • Use multifactor authentication through a supported gateway or identity control.
  • Keep NLA enabled wherever compatibility permits.
  • Limit Remote Desktop access to users who need it for their work.
  • Block outbound RDP connections to untrusted destinations where practical.
  • Monitor successful and failed RDP logins, account changes and unusual connection patterns.

Why Both RDP Clients and Servers Need Attention

Security teams often focus on public RDP listeners because attackers frequently target exposed remote-access services. That remains important, especially for CVE-2026-57982 and other vulnerabilities that affect the service side of a connection.

However, four of the five July flaws require a user action. Organizations must also consider workstations, administrator jump systems and support computers that initiate RDP sessions.

Users should connect only to known systems and approved addresses. Unexpected RDP files, connection instructions or requests to access unfamiliar remote servers should be treated with caution.

FAQ

Which Windows RDP vulnerabilities did Microsoft fix in July 2026?

Microsoft fixed CVE-2026-50445, CVE-2026-57982, CVE-2026-55003, CVE-2026-50497 and CVE-2026-57979. All five are information-disclosure vulnerabilities rated Important.

Can the RDP vulnerabilities allow remote code execution?

Microsoft classifies the five vulnerabilities as information-disclosure flaws, not remote code-execution vulnerabilities. They can expose memory contents but are not documented as allowing an attacker to execute code directly.

Do the Windows RDP flaws require user interaction?

CVE-2026-50445, CVE-2026-55003, CVE-2026-50497 and CVE-2026-57979 require user interaction. CVE-2026-57982 does not, but it requires the attacker to have low-level authorized access.

Which Windows versions are affected?

The affected records include supported Windows 10, Windows 11 and Windows Server releases. The exact product list varies by CVE, so administrators should compare each Microsoft record with their deployed versions.

Are the RDP vulnerabilities being actively exploited?

Microsoft marked all five vulnerabilities as not exploited and not publicly disclosed when it released the July 2026 updates. The company assessed exploitation as less likely or unlikely.

How can administrators fix the RDP vulnerabilities?

Administrators should install the July 2026 cumulative update or monthly rollup for every affected Windows client and server. They should verify the resulting build numbers after deployment.

Does Network Level Authentication prevent these attacks?

Network Level Authentication reduces some RDP exposure by requiring early authentication, but it does not replace the patches. One flaw assumes the attacker already has an authorized account, while four others involve user interaction on an RDP client.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages