CVE-2026-42908: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- 2.0.1193.0
- Affected Products
- 21
HarborGuard Analysis
Synopsis
An out-of-bounds read vulnerability affects the Windows Remote Desktop Protocol (RDP) service across multiple versions of Windows 10 and Windows 11. The flaw is reachable over the network without any authentication or user interaction, meaning an attacker only needs network access to the RDP port to trigger it. Successful exploitation allows the attacker to read memory contents from the affected host, disclosing sensitive information. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built Windows-based container images running affected OS versions.
AvailableHarborGuard is capable of scoring this finding at CVSS 7.5 (HIGH) and weighting it against each environment's compliance policy to determine urgency; routing to the appropriate team inbox within a customer org is handled automatically based on policy configuration.
AvailableA patched-image rebuild at each of the applicable fix versions (2.0.1193.0, 6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, and the corresponding Windows 10/11 build versions) becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the target host's RDP service over the network; no local or physical access is required.
- AuthenticationNot required
No credentials or account of any privilege level are needed to trigger the out-of-bounds read.
- Victim interactionNot required
No action from any user on the target system is required; the attacker initiates the exploit entirely without victim participation.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- An attacker reads arbitrary memory contents from the RDP service process, which may include session tokens, credentials, or other in-memory data.
- Sensitive configuration data or cryptographic material held in the service's memory space is exposed to an unauthenticated remote party.
- The disclosure is limited to confidentiality; the vulnerability does not grant write access to memory or the ability to crash the service based on the CVSS impact tokens.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-42908 is active across customer registry and pipeline scans, with findings surfaced within minutes of CVE publication. For environments running affected Windows 10 or Windows 11 base images, a patched-image rebuild at the appropriate fix version is available once the upstream package is confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, executes a regression test run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual review, the finding is routed to the designated team inbox with full CVSS context and fix-version details attached.
Fix available
- Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows App Client for Windows Desktop< 2.0.1193.0 (from 1.00)
- Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C