CVE-2026-50474 – Remote Desktop Client Remote Code Execution Vulnerability

CVSS 8.8 IMPORTANT Critical or Zero Day – Immediate Deployment

“A trusted remote connection can become an attacker’s entry point when the client processes malicious data.”

A use-after-free vulnerability in the Remote Desktop Client allows an unauthorized attacker to execute code over a network. Exploitation requires user interaction but does not require attacker privileges. Successful exploitation could allow arbitrary code execution with serious consequences for the confidentiality, integrity, and availability of the affected system.

CVSS Score: 8.8

SEVERITY: Critical

THREAT:
This vulnerability affects the Windows Remote Desktop Client and could allow an attacker to execute malicious code when a user interacts with attacker-controlled remote content. A successful attack could compromise the endpoint, expose sensitive information, install malware, or provide a foothold for additional attacks.

EXPLOITS:
The vulnerability was not publicly disclosed at the time of publication. Microsoft assesses exploitation as unlikely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the available information does not confirm the existence of publicly available proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by a use-after-free condition (CWE-416) in the Remote Desktop Client. The flaw occurs when the client accesses memory after it has already been released, creating memory corruption conditions that may allow arbitrary code execution. The CVSS v3.1 metrics identify a network attack vector, low attack complexity, no privileges required, and user interaction required. Successful exploitation has high impact on confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected products include supported editions of Windows 10 versions 1607, 1809, 21H2, and 22H2, Windows 11 versions 24H2, 25H2, and 26H1, and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, including affected Server Core installations. The exact user action or attack sequence required for exploitation is not confirmed in the available data.

BUSINESS IMPACT:
Successful exploitation could allow attackers to run malicious code on employee workstations or administrative systems using Remote Desktop Client. This could lead to credential theft, malware deployment, unauthorized access to business data, service disruption, and further movement through the enterprise network.

WORKAROUND:
No mitigations or workarounds are available.

URGENCY:
This vulnerability should be treated as a high priority because it is rated Critical with a CVSS v3.1 Base Score of 8.8. The flaw is network-based, has low attack complexity, requires no attacker privileges, and can result in arbitrary code execution once the required user interaction occurs.

Key Details

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
CWE Classification
CWE-416
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.