
Windows RDP Vulnerabilities Allow Attacker to Expose Sensitive Data


Windows systems are impacted by two new Remote Desktop Protocol (RDP) information disclosure vulnerabilities, CVE-2026-42908 and CVE-2026-45639. Both issues were resolved in Microsoft’s security updates released on June 9, 2026.

Both flaws stem from out-of-bounds reads in the RDP stack and are rated Important, with a CVSS v3 base score of 7.5.

Windows Remote Desktop Protocol Vulnerabilities

Microsoft describes CVE-2026-42908 and CVE-2026-45639 as information disclosure vulnerabilities in Windows Remote Desktop Protocol caused by an out-of-bounds read condition.

An unauthenticated attacker can exploit these bugs remotely over the network without any user interaction, which is reflected in the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Although both issues are “only” information disclosure, they expose sensitive memory contents that can be chained with other vulnerabilities to enable more impactful attacks, such as remote code execution or sandbox escape.

Microsoft currently assesses exploitation as “Less Likely,” and there is no public exploit or evidence of in-the-wild abuse at the time of release.

According to Microsoft’s advisory, successful exploitation of CVE-2026-42908 can reveal local memory addresses, significantly weakening modern exploit mitigations such as ASLR.

For CVE-2026-45639, an attacker may be able to read portions of process memory, potentially leaking credentials, session tokens, or protocol state data depending on what resides in the targeted memory region.

The bugs affect a broad set of Windows client and server releases where RDP is available, including Windows 10 (21H2, 22H2, 1607, 1809), Windows 11 (23H2, 24H2, 25H2, 26H1), and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, as well as the Remote Desktop client/Windows App client for Windows Desktop.

All impacted products receive patches as part of the June 9, 2026, Patch Tuesday rollout.

Both CVEs are associated with CWE-125, Out-of-bounds Read, indicating that the vulnerable RDP component reads data past the bounds of an allocated buffer.

In practice, this means crafted RDP traffic can cause the service to return data from adjacent memory regions instead of only the expected protocol data.

Because the vulnerabilities are reachable pre-authentication over the network, they raise particular concern for internet-exposed RDP endpoints and multi-tenant environments where one tenant might attempt cross-tenant information leakage via shared infrastructure.

While there is no integrity or availability impact, the high confidentiality impact makes these bugs valuable for attackers building reliable exploit chains.

Microsoft has shipped official fixes, and the recommended remediation is to apply the June 9, 2026 security updates or the related cumulative/rollup packages for each affected Windows version and RDP client build.

Administrators should prioritize systems that expose RDP over the internet and critical backend servers where memory disclosures could aid lateral movement or privilege escalation.

As general hardening measures, organizations should restrict RDP access behind VPNs or bastion hosts, enforce strong authentication, and monitor for unusual RDP connection patterns. At the same time, the security community continues to analyze these patches for potential exploit primitives.
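The monitoring advice above is easy to state and harder to operationalize. The script below is an added example, not code from the article, showing three detections a defender could run over RDP logon records: connections from outside the allowlisted VPN/bastion networks, bursts of failed logons from one source, and a single source successfully logging on to many hosts (a lateral-movement signal). The input format, the sample records, the `10.20.0.0/24` management network and the thresholds are all constructed for illustration; the record fields correspond to what Windows Security events 4624/4625 with logon type 10 would supply after export.

```python
"""Flag unusual RDP connection patterns in a constructed logon record set.

Added example (not from the article). Each record is a simplified line
derived from Windows Security events for RDP logons, logon type 10:
    <timestamp> <event_id> <source_ip> <target_host> <user>
where 4624 is a successful logon and 4625 a failed one.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed sample: one benign admin, one external password-guessing source,
# one external successful logon, and one internal account fanning out widely.
RAW_EVENTS = """\
2026-06-10T08:00:01Z 4624 10.20.0.5 FILESRV01 alice
2026-06-10T08:00:30Z 4624 10.20.0.5 FILESRV02 alice
2026-06-10T08:01:00Z 4625 203.0.113.44 DMZ-RDP01 administrator
2026-06-10T08:01:02Z 4625 203.0.113.44 DMZ-RDP01 admin
2026-06-10T08:01:04Z 4625 203.0.113.44 DMZ-RDP01 root
2026-06-10T08:01:06Z 4625 203.0.113.44 DMZ-RDP01 guest
2026-06-10T08:01:08Z 4625 203.0.113.44 DMZ-RDP01 support
2026-06-10T08:03:00Z 4624 198.51.100.7 DMZ-RDP01 bob
2026-06-10T08:10:00Z 4624 10.20.0.9 WEB01 svc_deploy
2026-06-10T08:11:00Z 4624 10.20.0.9 WEB02 svc_deploy
2026-06-10T08:12:00Z 4624 10.20.0.9 DB01 svc_deploy
2026-06-10T08:13:00Z 4624 10.20.0.9 DC01 svc_deploy
"""

# Constructed allowlist: the only networks RDP should originate from (VPN pool / bastion).
ALLOWED_NETS = ["10.20.0.0/24"]


class RdpEvent(NamedTuple):
    ts: datetime
    event_id: int
    src_ip: str
    host: str
    user: str


def parse_events(text: str) -> list[RdpEvent]:
    """Parse the whitespace-separated records and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src_ip, host, user = line.split()
        events.append(RdpEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                               int(event_id), src_ip, host, user))
    return sorted(events, key=lambda e: e.ts)


def analyze(events: list[RdpEvent], allowed_nets: list[str],
            fail_threshold: int = 5, window: timedelta = timedelta(minutes=5),
            host_fanout: int = 4) -> list[tuple[str, str, str]]:
    """Return (rule, source_ip, detail) alerts for the three detection rules."""
    nets = [ip_network(n) for n in allowed_nets]
    alerts: list[tuple[str, str, str]] = []

    # Rule 1: any RDP logon attempt (success or failure) from a source outside
    # the allowlisted networks. Reported once per source, at first sighting.
    seen_external: set[str] = set()
    for e in events:
        if e.src_ip in seen_external:
            continue
        if not any(ip_address(e.src_ip) in n for n in nets):
            seen_external.add(e.src_ip)
            alerts.append(("external_source", e.src_ip,
                           f"first seen {e.ts.isoformat()} against {e.host}"))

    # Rule 2: fail_threshold failed logons from one source inside a sliding window.
    failures: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e.event_id == 4625:
            failures[e.src_ip].append(e.ts)
    for src, times in failures.items():
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= window:
                alerts.append(("failure_burst", src,
                               f"{fail_threshold} failed RDP logons within {window}"))
                break

    # Rule 3: one source successfully reaching host_fanout or more distinct hosts.
    hosts: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.event_id == 4624:
            hosts[e.src_ip].add(e.host)
    for src, hs in hosts.items():
        if len(hs) >= host_fanout:
            alerts.append(("host_fanout", src,
                           f"successful RDP logons to {len(hs)} hosts: {sorted(hs)}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in analyze(parse_events(RAW_EVENTS), ALLOWED_NETS):
        print(f"{rule:16} {src:15} {detail}")
```

Rule 1 is the check that matters most for the pre-authentication bugs discussed here: a failed logon from an unexpected source still means the RDP listener processed attacker-controlled traffic before authentication, so failures are included rather than filtered out. Thresholds are deliberately parameters; the sample values are constructed and should be tuned to each environment's baseline.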
