CVE-2026-42992 – Remote Desktop Client Remote Code Execution Vulnerability
“A trusted remote desktop session can become an attack vector when a malicious server is waiting for a connection.”
CVE-2026-42992 is a Remote Desktop Client Remote Code Execution vulnerability caused by a heap-based buffer overflow (CWE-122). The flaw affects the Remote Desktop Client and allows an unauthorized attacker to execute code over a network. Exploitation occurs when a victim connects to an attacker-controlled Remote Desktop Server, which can send specially crafted data that triggers memory corruption on the client system. While exploitation is considered less likely due to the high attack complexity, successful attacks could result in full compromise of the affected device.
CVSS Score: 7.5
SEVERITY: Critical
THREAT:
This vulnerability allows code execution through a trusted remote access technology. An attacker who controls a Remote Desktop Server could exploit the flaw when a user initiates a connection. Successful exploitation may enable malware installation, credential theft, unauthorized access to sensitive information, or further movement within the environment.
EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept (PoC) code is identified in the available information.
TECHNICAL SUMMARY:
The vulnerability is caused by a heap-based buffer overflow within the Remote Desktop Client. Improper handling of memory can allow specially crafted responses from a malicious Remote Desktop Server to corrupt memory structures on the client system. If exploitation succeeds, arbitrary code may execute in the context of the vulnerable application. The impact on confidentiality, integrity, and availability is rated High.
EXPLOITABILITY:
Affected Microsoft Product: Remote Desktop Client
Affected software includes:
- Windows 10 Version 1607, 1809, 21H2, and 22H2
- Windows 11 Version 23H2, 24H2, 25H2, and 26H1
- Windows Server 2016, 2019, 2022, and 2025
- Windows Server Core installations for supported server versions
The attack vector is Network, with High attack complexity, No privileges required, and User interaction required. An attacker must control a Remote Desktop Server and convince a victim to connect using a vulnerable Remote Desktop Client.
BUSINESS IMPACT:
Remote Desktop is widely used for administration, remote support, and hybrid work environments. A successful attack could compromise workstations or servers, expose sensitive business information, deploy malware, and provide attackers with an entry point into the corporate network. Systems used by privileged users may face the greatest risk due to their elevated access levels.
WORKAROUND:
No workarounds are listed.
No mitigations are listed.
URGENCY:
This vulnerability is rated Critical and affects a broad range of Windows client and server platforms. Although exploitation requires user interaction and an attacker-controlled Remote Desktop Server, the potential for remote code execution makes prompt deployment of the security update important. Organizations should prioritize systems that regularly initiate Remote Desktop connections.
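One way to act on that prioritization, as an added example that is not part of the original advisory: rank hosts by how often they initiate RDP connections and list the servers they reach outside trusted ranges. The CSV flow-log layout, host names, addresses and the `rank_rdp_clients` helper are assumptions constructed for illustration; port 3389 is the default RDP port.

```python
import csv
import io
import ipaddress
from collections import defaultdict

RDP_PORT = 3389  # default RDP listener port

# Constructed sample: hypothetical flow-log export (not from the advisory).
SAMPLE_FLOWS = """\
timestamp,src_host,dst_ip,dst_port
2026-01-05T09:01:00,admin-ws01,10.0.5.20,3389
2026-01-05T09:14:00,admin-ws01,10.0.5.21,3389
2026-01-05T10:02:00,admin-ws01,203.0.113.44,3389
2026-01-05T10:30:00,hr-lt07,10.0.5.20,443
2026-01-05T11:45:00,dev-ws12,198.51.100.9,3389
2026-01-05T12:00:00,dev-ws12,198.51.100.9,3389
2026-01-05T13:20:00,jump01,10.0.5.20,3389
2026-01-05T13:25:00,hr-lt07,not-an-ip,3389
"""

def rank_rdp_clients(flow_csv, trusted_networks):
    """Return (host, rdp_connection_count, untrusted_servers), most exposed first."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    total = defaultdict(int)
    untrusted = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["dst_port"].strip() != str(RDP_PORT):
            continue  # not an RDP connection
        host = row["src_host"].strip()
        total[host] += 1
        try:
            dst = ipaddress.ip_address(row["dst_ip"].strip())
        except ValueError:
            # Unparseable destination: treat as untrusted so it gets reviewed.
            untrusted[host].add(row["dst_ip"].strip())
            continue
        if not any(dst in net for net in trusted):
            untrusted[host].add(str(dst))
    ranked = [(h, total[h], sorted(untrusted[h])) for h in total]
    # Hosts reaching servers outside the trusted ranges come first, then by volume.
    ranked.sort(key=lambda r: (-len(r[2]), -r[1], r[0]))
    return ranked

if __name__ == "__main__":
    for host, count, dsts in rank_rdp_clients(SAMPLE_FLOWS, ["10.0.0.0/8"]):
        print(f"{host}: {count} RDP connections, untrusted servers: {dsts or 'none'}")
```

Hosts at the top of the ranking are the ones whose Remote Desktop Client most often talks to servers the organization does not control, so they are the first candidates for the security update.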
Key Details
- Affected Product: Microsoft Windows App
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- CWE Classification: CWE-122