Description
Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap‑based buffer overflow in the Remote Desktop Client allows an attacker without prior authorization to execute arbitrary code when the client processes data from a remote host. This vulnerability can be abused to take full control of the affected system, bypassing normal execution controls and potentially allowing the attacker to install malware, exfiltrate data, or pivot to other hosts. The flaw corresponds to CWE‑416, a use‑after‑free error that can lead to arbitrary code execution.

Affected Systems

Microsoft Windows Server 2016, Microsoft Windows Server 2016 (Server Core installation), Microsoft Windows Server 2019, Microsoft Windows Server 2019 (Server Core installation), Microsoft Windows Server 2022, Microsoft Windows Server 2025, and Microsoft Windows Server 2025 (Server Core installation) are affected.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but no exploit probability data is available from EPSS, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is a network‑based Remote Desktop session; the description suggests that no credentials are required to trigger the overflow, implying that any host reachable over RDP can potentially be exploited. Once exploited, the attacker achieves remote code execution with the privileges of the RDP session or, if the vulnerability allows, escalates privileges further on the host.

Generated by OpenCVE AI on June 9, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Microsoft patch, which can be downloaded from the MSRC update guide for CVE-2026-47654
  • If Remote Desktop is not required, disable the RDP service to remove the attack surface
  • Limit RDP access to trusted IP addresses and enforce strong authentication, ensuring that only authorized administrators can initiate a Remote Desktop session

Generated by OpenCVE AI on June 9, 2026 at 19:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Title Remote Desktop Client Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Weaknesses CWE-416
CPEs cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:T/RC:C'}

Subscriptions

Microsoft Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server 2025
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T17:48:49.021Z

Reserved: 2026-05-19T20:12:27.071Z

Link: CVE-2026-47654

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:36.933

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47654

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:00:19Z

Weaknesses