Description
Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap-based buffer overflow in the Microsoft Remote Desktop client. The overflow allows an attacker who can send crafted data over the Remote Desktop protocol to execute code on the target system. The flaw leads to arbitrary code execution, giving an attacker full control over the affected machine.

Affected Systems

The Microsoft Remote Desktop client for Windows Desktop is affected on Windows 11 versions 23H2, 24H2, 25H2, and 26H1, and on Windows Server 2022 and 2025 (including Server Core installations). The vulnerability exists in the client component across these Windows releases; the description does not specify a patched version.

Risk and Exploitability

The flaw carries a CVSS score of 7.5, indicating high severity. The EPSS score is below 1% (very low), and the vulnerability is not listed in CISA's KEV catalog, suggesting no confirmed exploitation yet. Nonetheless, because an attacker could achieve remote code execution, the risk remains significant. The CVSS vector (AV:N/AC:H/PR:N/UI:R) indicates a network-reachable flaw with high attack complexity that requires user interaction: since the defect is in the client, the likely attack vector is a user connecting with the Remote Desktop client to a remote endpoint that returns malicious RDP data.

Generated by OpenCVE AI on June 9, 2026 at 18:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update that addresses CVE-2026-42913, as detailed at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42913.
  • Limit Remote Desktop access to known internal networks or specific IP ranges and enforce Network Level Authentication to restrict unauthenticated connections.
  • Configure Windows firewall or network perimeter devices to block or tightly restrict RDP traffic, and consider using Just-In-Time access or Azure AD Conditional Access to minimize exposure.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 20:15:00 +0000

Type: First Time appeared
Values added: Microsoft windows 11 23h2; Microsoft windows 11 24h2; Microsoft windows 11 25h2; Microsoft windows 11 26h1; Microsoft windows App Client For Windows Desktop; Microsoft windows Server 2025 (server Core Installation)

Type: Vendors & Products
Values added: Microsoft windows 11 23h2; Microsoft windows 11 24h2; Microsoft windows 11 25h2; Microsoft windows 11 26h1; Microsoft windows App Client For Windows Desktop; Microsoft windows Server 2025 (server Core Installation)

Tue, 09 Jun 2026 17:15:00 +0000

Type: Description
Values added: Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Type: Title
Values added: Remote Desktop Client Remote Code Execution Vulnerability

Type: First Time appeared
Values added: Microsoft; Microsoft remote Desktop; Microsoft windows 11 23h2; Microsoft windows 11 24h2; Microsoft windows 11 25h2; Microsoft windows 11 26h1; Microsoft windows Server 2022; Microsoft windows Server 2025

Type: Weaknesses
Values added: CWE-362; CWE-416

Type: CPEs
Values added:
  cpe:2.3:a:microsoft:remote_desktop:*:*:*:*:*:windows:*:*
  cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Microsoft; Microsoft remote Desktop; Microsoft windows 11 23h2; Microsoft windows 11 24h2; Microsoft windows 11 25h2; Microsoft windows 11 26h1; Microsoft windows Server 2022; Microsoft windows Server 2025

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T10:13:27.941Z

Reserved: 2026-04-30T22:35:54.969Z

Link: CVE-2026-42913

Vulnrichment

Updated: 2026-06-10T10:13:22.827Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:11.447

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-42913

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:00:17Z

Weaknesses