CVE-2026-47654 – Remote Desktop Client Remote Code Execution Vulnerability

CVE-2026-47654 is a Remote Desktop Client Remote Code Execution vulnerability linked to CWE-416: Use After Free. The provided executive summary also describes a heap-based buffer overflow, so the exact weakness details are inconsistent in the source data. The vulnerability allows an unauthorized attacker controlling a Remote Desktop Server to trigger remote code execution when a victim connects using a vulnerable Remote Desktop Client.

CVSS Score: 7.5
SEVERITY: Critical
THREAT:
An attacker with control of a Remote Desktop Server could exploit this vulnerability when a victim connects with a vulnerable Remote Desktop Client. Successful exploitation could allow code execution on the client system, potentially leading to malware deployment, data theft, or unauthorized system access.

EXPLOITS:
The exploitability assessment is Exploitation Unlikely. The vulnerability is not publicly disclosed and not exploited according to the provided data. Exploit Code Maturity is listed as Unproven, and no public PoC is confirmed.

TECHNICAL SUMMARY:
The vulnerability is identified as CWE-416: Use After Free, a memory handling issue that can occur when software continues using memory after it has been released. The provided executive summary also references a heap-based buffer overflow, which conflicts with the listed weakness. Exploitation requires the attacker to win a race condition and control a Remote Desktop Server. When a victim connects, crafted server-side behavior could trigger memory corruption and allow remote code execution on the vulnerable client.

EXPLOITABILITY:
Affected Microsoft Product: Remote Desktop Client
Affected software includes Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025, and their Server Core installations. The attack vector is Network, attack complexity is High, privileges required are None, and user interaction is Required. Exploitation requires a victim to connect to an attacker-controlled Remote Desktop Server.

BUSINESS IMPACT:
Remote Desktop is commonly used for administration, remote support, and operational access. A successful attack could compromise workstations or servers, expose sensitive data, enable malware execution, and give attackers a foothold inside the environment. Systems used by administrators may carry higher business risk because of their access to critical resources.

WORKAROUND:
No workarounds are listed.
No mitigations are listed.

URGENCY:
This vulnerability is rated Critical and affects Remote Desktop Client behavior across multiple Windows Server versions. Even though exploitation is assessed as unlikely and requires a race condition, the potential outcome is remote code execution. Organizations should prioritize patching systems that use Remote Desktop connections, especially administrative and high-value systems.