Microsoft Patches Five Windows RDP Flaws That Can Expose Sensitive Memory
Microsoft has fixed five Windows Remote Desktop Protocol information-disclosure vulnerabilities that could expose sensitive data from memory. The company released the patches on July 14, 2026, as part of its July 2026 security updates.
All five vulnerabilities carry a CVSS score of 6.5 and an Important severity rating from Microsoft. They affect the confidentiality of data but are not classified as remote code-execution vulnerabilities.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Four flaws require user interaction, such as persuading a victim to connect to a malicious RDP server. The fifth can be exploited without user interaction, but the attacker must already have low-level authorized access to the vulnerable RDP service.
Five RDP Information-Disclosure Vulnerabilities
The vulnerabilities result from different memory-handling errors in Windows RDP. These include buffer over-read, out-of-bounds read, uninitialized resource use and an off-by-one error.
| CVE | Memory-safety weakness | Privileges required | User interaction | Microsoft assessment |
|---|---|---|---|---|
| CVE-2026-50445 | Buffer over-read | None | Required | Exploitation less likely |
| CVE-2026-57979 | Out-of-bounds read | None | Required | Exploitation less likely |
| CVE-2026-55003 | Use of uninitialized resource | None | Required | Exploitation unlikely |
| CVE-2026-50497 | Off-by-one error and use of uninitialized resource | None | Required | Exploitation unlikely |
| CVE-2026-57982 | Use of uninitialized resource | Low privileges | Not required | Exploitation less likely |
Each flaw has a high confidentiality impact under Microsoft’s CVSS assessment. None of the five affects integrity or availability directly, according to the published vectors.
How the RDP Memory Flaws Can Be Exploited
CVE-2026-50445 involves a buffer over-read, while CVE-2026-57979 is an out-of-bounds read vulnerability. Both can cause the RDP implementation to read beyond the intended memory boundary.
CVE-2026-55003 involves the use of an uninitialized resource. CVE-2026-50497 combines an off-by-one error with uninitialized resource use. In both cases, memory that was not properly prepared could contain residual information.
These four vulnerabilities have the CVSS vector AV:N/AC:L/PR:N/UI:R. An attacker needs network access and no existing privileges, but exploitation depends on a user performing an action. In an RDP context, this can involve directing the victim to connect to an attacker-controlled remote system.
One Vulnerability Requires an Authorized Account
CVE-2026-57982 has a different attack path. It does not require user interaction, but the attacker must have low-level privileges and authorized network access to the RDP service.
This distinction matters for risk assessment. CVE-2026-57982 is not an unauthenticated, no-click vulnerability against any internet-accessible RDP server. An attacker must first obtain or possess an account with limited access.
The flaw can still matter in compromised enterprise environments. An attacker who has acquired a basic account may attempt to use the vulnerability as part of further reconnaissance or lateral movement.
What Information Could Be Exposed?
Microsoft describes all five flaws as information-disclosure vulnerabilities. Successful exploitation could allow an attacker to read memory that the RDP component should not have made accessible.
The disclosed records do not specify exactly what information would appear in the affected memory. The exposed contents would depend on the vulnerable process, the system state and the data handled before exploitation.
Administrators should therefore avoid assuming that every successful attack would reveal passwords or session tokens. The confirmed impact is unauthorized disclosure of memory contents, not the guaranteed recovery of a particular credential or secret.
Affected Windows Versions
The affected-product lists span supported Windows client and server releases. The precise list differs slightly between CVEs, so administrators should check each vulnerability against their deployed editions and builds.
| Product family | Versions included in Microsoft records |
|---|---|
| Windows 10 | Version 1607, Version 1809, Version 21H2 and Version 22H2 |
| Windows 11 | Version 24H2, Version 25H2 and Version 26H1 |
| Windows Server | Windows Server 2012, 2012 R2, 2016, 2019, 2022 and 2025, depending on the CVE |
| Server Core | Affected Server Core installations listed for the applicable Windows Server release |
Organizations should not limit patching to systems configured as RDP servers. Four vulnerabilities involve user interaction, so Windows endpoints used to initiate Remote Desktop connections also need the July updates.
Older Windows Server systems may require the applicable servicing entitlement or Extended Security Updates. Administrators should verify that update-management tools report the correct cumulative update and operating system build after deployment.
Microsoft Reports No Active Exploitation
At release, Microsoft marked all five vulnerabilities as not publicly disclosed and not exploited. The company assessed CVE-2026-55003 and CVE-2026-50497 as exploitation unlikely.
Microsoft classified CVE-2026-50445, CVE-2026-57979 and CVE-2026-57982 as exploitation less likely. These ratings describe Microsoft’s expected probability of exploitation and do not mean that affected systems can safely remain unpatched.
- No active exploitation was reported by Microsoft at release.
- Microsoft listed no prior public disclosure for the five vulnerabilities.
- All five flaws have network-based attack vectors.
- Every flaw can cause high-impact information disclosure under the CVSS vectors.
Install the July 2026 Windows Updates
The fixes are included in Microsoft’s July 2026 Security Update Guide release. Organizations should deploy the cumulative update or monthly rollup provided for each supported Windows version.
Updates can be distributed through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, Windows Autopatch or another enterprise patch-management platform. Administrators can also obtain standalone packages from the Microsoft Update Catalog.
- Inventory Windows systems that host or initiate RDP sessions.
- Identify the operating system version, edition and current build number.
- Approve the July 2026 cumulative update or monthly rollup for each product.
- Test the updates on representative RDP clients, session hosts and gateways.
- Deploy the patches to internet-facing and externally accessible systems first.
- Restart systems when required and confirm that the new build is installed.
- Run a follow-up vulnerability scan to find missed or failed deployments.
Reduce RDP Exposure While Patching
Organizations should avoid exposing TCP port 3389 directly to the public internet. Where remote access is necessary, administrators can place RDP behind an approved VPN or Remote Desktop Gateway and restrict access with firewall rules.
Microsoft recommends enabling Network Level Authentication for most Remote Desktop environments. NLA requires users to authenticate before the system establishes a full remote session.
NLA and network restrictions provide additional protection, but they do not replace the security updates. CVE-2026-57982 already assumes that the attacker has a low-privileged authorized account, while the other flaws can involve a vulnerable RDP client connecting outward.
- Permit RDP only from approved network segments and administrative devices.
- Use multifactor authentication through a supported gateway or identity control.
- Keep NLA enabled wherever compatibility permits.
- Limit Remote Desktop access to users who need it for their work.
- Block outbound RDP connections to untrusted destinations where practical.
- Monitor successful and failed RDP logins, account changes and unusual connection patterns.
Why Both RDP Clients and Servers Need Attention
Security teams often focus on public RDP listeners because attackers frequently target exposed remote-access services. That remains important, especially for CVE-2026-57982 and other vulnerabilities that affect the service side of a connection.
However, four of the five July flaws require a user action. Organizations must also consider workstations, administrator jump systems and support computers that initiate RDP sessions.
Users should connect only to known systems and approved addresses. Unexpected RDP files, connection instructions or requests to access unfamiliar remote servers should be treated with caution.
FAQ
Microsoft fixed CVE-2026-50445, CVE-2026-57982, CVE-2026-55003, CVE-2026-50497 and CVE-2026-57979. All five are information-disclosure vulnerabilities rated Important.
Microsoft classifies the five vulnerabilities as information-disclosure flaws, not remote code-execution vulnerabilities. They can expose memory contents but are not documented as allowing an attacker to execute code directly.
CVE-2026-50445, CVE-2026-55003, CVE-2026-50497 and CVE-2026-57979 require user interaction. CVE-2026-57982 does not, but it requires the attacker to have low-level authorized access.
The affected records include supported Windows 10, Windows 11 and Windows Server releases. The exact product list varies by CVE, so administrators should compare each Microsoft record with their deployed versions.
Microsoft marked all five vulnerabilities as not exploited and not publicly disclosed when it released the July 2026 updates. The company assessed exploitation as less likely or unlikely.
Administrators should install the July 2026 cumulative update or monthly rollup for every affected Windows client and server. They should verify the resulting build numbers after deployment.
Network Level Authentication reduces some RDP exposure by requiring early authentication, but it does not replace the patches. One flaw assumes the attacker already has an authorized account, while four others involve user interaction on an RDP client.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages