CVE-2026-42985 – Remote Desktop Client Remote Code Execution Vulnerability
“One connection to a malicious Remote Desktop server could be all it takes to give an attacker a foothold on a trusted system.”
CVE-2026-42985 is a Remote Desktop Client Remote Code Execution vulnerability associated with CWE-416: Use After Free. The provided executive summary describes the issue as a heap-based buffer overflow that allows an unauthorized attacker to execute code over a network. The vulnerability affects the Remote Desktop Client and can be triggered when a user connects to an attacker-controlled Remote Desktop Server.
CVSS Score: 8.8
SEVERITY: Critical
THREAT:
This vulnerability allows an attacker to leverage a malicious Remote Desktop Server to target users of the Remote Desktop Client. Successful exploitation could result in arbitrary code execution on the victim’s device, potentially leading to malware installation, credential theft, unauthorized access, and further compromise of the environment.
EXPLOITS:
The exploitability assessment is Exploitation More Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept (PoC) code is identified in the available information.
TECHNICAL SUMMARY:
The vulnerability is associated with CWE-416: Use After Free, a memory corruption flaw that occurs when software accesses memory after it has been released. Microsoft indicates that an attacker controlling a Remote Desktop Server can trigger the vulnerability when a victim connects using a vulnerable Remote Desktop Client. Successful exploitation may allow arbitrary code execution within the context of the user running the client. The vulnerability impacts confidentiality, integrity, and availability, all rated High in the CVSS metrics.
EXPLOITABILITY:
Affected Microsoft Product: Remote Desktop Client
Affected software includes:
- Windows 10 Version 1607, 1809, 21H2, and 22H2
- Windows 11 Version 23H2, 24H2, 25H2, and 26H1
- Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025
- Server Core installations for affected server versions
The attack vector is Network, attack complexity is Low, privileges required are None, and User Interaction is Required. Exploitation requires a victim to connect to an attacker-controlled Remote Desktop Server.
BUSINESS IMPACT:
Remote Desktop remains a critical technology for administration, support, and remote workforce operations. Successful exploitation could provide attackers with access to sensitive corporate systems, enable ransomware deployment, facilitate credential theft, and establish an entry point into the broader network. Because the attack relies on a commonly used business tool, organizations face increased exposure if systems remain unpatched.
WORKAROUND:
No workarounds are listed.
No mitigations are listed.
URGENCY:
This vulnerability is rated Critical with a CVSS v3.1 Base Score of 8.8 and an exploitability assessment of Exploitation More Likely. The attack requires no privileges, has low attack complexity, and can result in remote code execution when users connect to malicious Remote Desktop Servers. Organizations should prioritize deployment of the security update, especially on systems that frequently initiate Remote Desktop connections.
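As an added example (not part of this advisory), the following PowerShell script summarises the outbound Remote Desktop connections a client host has logged, so that hosts which connect often, or which connect to servers outside an approved list, can be put first in line for the update. The approved-server list is a constructed placeholder, and the parsing of the event message text is an assumption about its format.

```powershell
# Added example: prioritise Remote Desktop Client hosts for the CVE-2026-42985
# update by summarising outbound connection attempts recorded in the client's
# operational event log. Run in an elevated PowerShell session on the host.

param(
    [int]$Days = 30,
    # Constructed placeholder allow-list of approved Remote Desktop servers.
    [string[]]$ApprovedServers = @('jump01.corp.example', '10.10.0.5')
)

$log   = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
$since = (Get-Date).AddDays(-$Days)

# Event 1024 is written each time the client attempts a connection; its
# message names the target server.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1024; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No outbound RDP connection attempts logged in the last $Days days."
    return
}

# Assumption: the message reads like
# "RDP ClientActiveX is trying to connect to the server (jump01.corp.example)",
# so the target is the text inside the parentheses.
$targets = foreach ($e in $events) {
    if ($e.Message -match '\(([^)]+)\)') { $Matches[1] }
}

$summary = $targets | Group-Object | Sort-Object Count -Descending
Write-Output ("Host {0}: {1} outbound RDP attempts to {2} distinct servers since {3:d}" -f `
    $env:COMPUTERNAME, $events.Count, $summary.Count, $since)

# Connections to servers outside the approved list are the exposure the
# advisory describes (a client connecting to an untrusted server), so flag them.
foreach ($g in $summary) {
    $flag = if ($ApprovedServers -notcontains $g.Name) { 'NOT IN APPROVED LIST' } else { '' }
    Write-Output ("  {0,5}  {1}  {2}" -f $g.Count, $g.Name, $flag)
}
```

Hosts with a high attempt count, or any flagged target, are the ones the Urgency section says to patch first; an empty result on a workstation does not mean the client is absent, only that it has not been used in the window examined.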
Key Details
- Affected Product: Microsoft Remote Desktop Client
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- CWE Classification: CWE-416