Impact
A heap-based buffer overflow exists in the Remote Desktop Client component of several Microsoft Windows and Windows Server operating systems. The flaw permits an unauthorized attacker who can reach the target over a network to execute arbitrary code. The vulnerability is a classic CWE-416 error, where unchecked heap memory leads to overflow and code execution, potentially allowing an attacker to run code with the privileges of the user session that established the Remote Desktop connection.
Affected Systems
Microsoft Windows 10 versions 1607, 1809, 21H2 and 22H2; Microsoft Windows 11 versions 23H2, 24H2, 25H2 and 26H1; Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022 and 2025, including Server Core deployments. These systems are exposed through the Remote Desktop service and are therefore at risk when the client or service component is reachable over the network.
Risk and Exploitability
The CVSS score is 8.8, indicating high severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed as a known exploited vulnerability in the CISA KEV catalog. The most likely attack vector is a Remote Desktop Protocol session; this is inferred from the fact that the buffer overflow occurs during RDP operations. Based on the description, it is inferred that an attacker does not need authentication or user credentials to exploit the vulnerability and needs only to initiate an RDP session with the affected host.