CVE-2026-44799 – Remote Desktop Client Remote Code Execution Vulnerability

CVSS 7.5 IMPORTANT

“A trusted remote connection can become an attack path when a malicious server turns a routine login into code execution.”

A heap-based buffer overflow vulnerability in the Windows Remote Desktop Client could allow an attacker to execute arbitrary code on a victim system. The vulnerability can be triggered when a user connects to a malicious Remote Desktop server controlled by an attacker. Although exploitation requires user interaction and has a high attack complexity rating, successful exploitation could result in complete compromise of the affected system, including loss of confidentiality, integrity, and availability.

CVSS Score: 7.5
SEVERITY: Critical
THREAT:
This vulnerability presents a significant risk because it can lead to remote code execution on systems using the vulnerable Remote Desktop Client. An attacker who controls a malicious Remote Desktop server could execute code on a victim machine when a connection is established. Successful exploitation could allow malware deployment, credential theft, data access, or full system compromise.

EXPLOITS:
Microsoft reports publicly disclosed: No and exploited: No. Exploit Code Maturity is listed as Unproven, meaning no confirmed exploit code has been identified. Microsoft rates exploitation as less likely because of the additional preparation required to exploit the vulnerability successfully.

TECHNICAL SUMMARY:
The vulnerability is classified as CWE-122: Heap-based Buffer Overflow. A flaw in the Remote Desktop Client's handling of data can result in memory corruption when processing malicious content supplied by a Remote Desktop server. According to Microsoft, an attacker with control of a Remote Desktop server could trigger remote code execution when a victim connects using a vulnerable client.
The attack complexity is rated High, meaning the attacker must perform additional actions or establish specific environmental conditions before successful exploitation is possible. Despite these requirements, successful exploitation would provide code execution within the security context of the affected user, so the damage is bounded by that user's privileges rather than by the client itself.
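Microsoft has not published the affected code path, so the following is an added illustration of the CWE-122 pattern described above, not the Remote Desktop Client's code or the actual bug: a client parses a server-supplied, length-prefixed record into a fixed-size heap allocation. The wire format, the RECORD_MAX constant and all function names are constructed for this example. The unchecked parser bounds its read by the packet but lets the peer's length field govern the write; the hardened parser bounds the write by the destination's capacity and fails closed on anything larger.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of CWE-122 (heap-based buffer overflow) in a
 * client that parses a server-supplied, length-prefixed record.  This is a
 * constructed example, not the Remote Desktop Client code path behind
 * CVE-2026-44799, which Microsoft has not published. */

#define RECORD_MAX 64          /* size of the fixed heap allocation */

/* Constructed wire format: [u16 big-endian length][length bytes of payload] */

/* Vulnerable pattern: the copy length comes from the peer, the destination
 * size does not.  The packet-bounds check keeps the read in range, but the
 * write into the 64-byte heap block is unbounded whenever len > RECORD_MAX. */
int parse_record_unchecked(const uint8_t *pkt, size_t pkt_len,
                           uint8_t **out, size_t *out_len)
{
    if (pkt_len < 2) return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    if (pkt_len - 2 < len) return -1;        /* read stays inside the packet */
    uint8_t *body = malloc(RECORD_MAX);
    if (!body) return -1;
    memcpy(body, pkt + 2, len);              /* write may exceed RECORD_MAX */
    *out = body;
    *out_len = len;
    return 0;
}

/* Hardened pattern: bound the write by the destination's capacity and fail
 * closed on anything larger rather than truncating silently. */
int parse_record_checked(const uint8_t *pkt, size_t pkt_len,
                         uint8_t **out, size_t *out_len)
{
    if (pkt_len < 2) return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    if (pkt_len - 2 < len) return -1;        /* read stays inside the packet */
    if (len > RECORD_MAX) return -2;         /* untrusted length exceeds buffer */
    uint8_t *body = malloc(RECORD_MAX);
    if (!body) return -1;
    memcpy(body, pkt + 2, len);              /* write now provably fits */
    *out = body;
    *out_len = len;
    return 0;
}

/* Builds a constructed packet declaring `len` payload bytes filled with 'A'. */
static size_t build_packet(uint8_t *buf, size_t cap, uint16_t len)
{
    if (cap < 2u + len) return 0;
    buf[0] = (uint8_t)(len >> 8);
    buf[1] = (uint8_t)(len & 0xff);
    memset(buf + 2, 'A', len);
    return 2u + len;
}

/* Well-formed 16-byte record: both parsers accept it.  Returns 0 on success. */
int demo_benign(void)
{
    uint8_t pkt[2 + 16];
    size_t n = build_packet(pkt, sizeof pkt, 16);
    uint8_t *a = NULL, *b = NULL;
    size_t a_len = 0, b_len = 0;
    int rc = 0;
    if (parse_record_unchecked(pkt, n, &a, &a_len) != 0 || a_len != 16) rc = -1;
    if (parse_record_checked(pkt, n, &b, &b_len) != 0 || b_len != 16) rc = -1;
    if (rc == 0 && memcmp(a, b, 16) != 0) rc = -1;
    free(a);
    free(b);
    return rc;
}

/* Oversized record (100 > RECORD_MAX): the hardened parser rejects it with -2.
 * The unchecked parser is deliberately not called on this input, because it
 * would write past the 64-byte heap block (undefined behaviour). */
int demo_oversized_rejected(void)
{
    uint8_t pkt[2 + 100];
    size_t n = build_packet(pkt, sizeof pkt, 100);
    uint8_t *body = NULL;
    size_t body_len = 0;
    int rc = parse_record_checked(pkt, n, &body, &body_len);
    free(body);                              /* NULL on rejection; free(NULL) is a no-op */
    return rc;
}

int main(void)
{
    printf("benign record: %d\n", demo_benign());
    printf("oversized record: %d\n", demo_oversized_rejected());
    return 0;
}
```

The defender's takeaway is the shape of the fix, not the specific field: any length, count or offset that arrives from the remote peer must be validated against the size of the memory it will be written into, and a value that does not fit should terminate the connection rather than be clamped, because a clamped copy often leaves a later parser stage reading inconsistent state.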

EXPLOITABILITY:
Affected software includes Windows 10, Windows 11, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025.
Exploitation requires:
A malicious or compromised Remote Desktop Server controlled by the attacker.
A victim using a vulnerable Remote Desktop Client.
User interaction in the form of connecting to the attacker-controlled server.
No privileges are required prior to exploitation.

BUSINESS IMPACT:
Organizations frequently rely on Remote Desktop for administration, support, remote work, and third-party access. If a user connects to a malicious Remote Desktop endpoint, the vulnerability could enable execution of attacker-controlled code, leading to malware infections, ransomware deployment, credential theft, unauthorized access to sensitive data, and broader network compromise. Because Remote Desktop is widely used in enterprise environments, exploitation could have serious operational and security consequences.

WORKAROUND:
Microsoft lists no mitigations and no workarounds for this vulnerability. Applying the security update is the recommended remediation. Because the flaw is in the client, the update must reach every endpoint from which users initiate Remote Desktop connections, not only the servers they connect to.

URGENCY:
The update for this vulnerability should be deployed urgently because the vulnerability is rated Critical and enables Remote Code Execution, one of the most severe classes of vulnerabilities. Although Microsoft currently assesses exploitation as less likely and there is no known active exploitation, successful attacks could result in complete system compromise. Organizations that rely heavily on Remote Desktop connectivity should prioritize remediation to reduce exposure to malicious or compromised Remote Desktop servers.

Key Details

Affected Product: Microsoft Remote Desktop Client
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
CWE Classification: CWE-122