HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-42909Published Modified CNA microsoft

CVE-2026-42909: Remote Desktop Client Remote Code Execution Vulnerability

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
1.2.7214.0
Affected Products
22

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Heap-based buffer overflow in Microsoft Remote Desktop Client allows a remote, unauthenticated attacker to execute arbitrary code on the connecting client machine. The attack is reachable over the network but requires the victim to connect to a malicious or compromised RDP server, and exploitation is made more difficult by high attack complexity conditions such as memory layout requirements. Successful exploitation gives the attacker full code execution on the victim's machine, with access to confidential data, the ability to modify files and processes, and the ability to crash or take over the affected client. Patched-image rebuilds at the fix versions listed above are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection

Detection of CVE-2026-42909 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the affected Remote Desktop Client components. Coverage applies to all affected version ranges listed in the advisory.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS 7.5 (HIGH) and weighting it against each environment's compliance policy to determine urgency and escalation path. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

Patched-image rebuilds at the fix versions (1.2.7214.0, 2.0.1193.0, 6.2.9200.26132, 6.3.9600.23228, and 10.0.14393.9234 and their per-product equivalents) become available on HarborGuard once upstream packages are published. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuilt image, running a regression test suite, and opening a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the victim's client over the network; specifically, the victim must connect to an attacker-controlled or compromised RDP server reachable from the victim's network.

  • AuthenticationNot required

    No authentication is required on the attacker's side; the attacker operates as an unauthenticated party hosting or controlling a malicious RDP server endpoint.

  • Victim interactionRequired

    The victim must actively initiate an RDP connection to the malicious server, making this a social-engineering or supply-chain-redirect scenario.

  • Attack complexityDetail

    Attack complexity is rated High, meaning reliable exploitation depends on environmental factors such as heap memory layout or timing conditions that the attacker cannot fully control.

Blast Radius

  • The attacker gains arbitrary code execution in the context of the user running the Remote Desktop Client on the connecting machine.
  • All data accessible to that user account, including stored credentials, session tokens, and local files, can be read or exfiltrated.
  • The attacker can modify files, install software, or alter running processes owned by the victim user.
  • The affected Remote Desktop Client process and any dependent services can be crashed or hijacked.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-42909 is active across all connected registries and pipelines the moment the CVE enters upstream feeds. For environments running any of the affected Remote Desktop Client or Windows component versions, a patched-image rebuild targeting the fixed versions becomes available as soon as upstream packages are accessible. For customers who opt into auto-remediation, HarborGuard is capable of executing a full rebuild, running regression tests, and opening a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy permits, customers should prioritize upgrading to the fixed versions promptly given the network-reachable, unauthenticated attack surface, even though high attack complexity reduces the likelihood of casual exploitation.

See how HarborGuard automates this

Fix available

1.2.7214.02.0.1193.06.2.9200.261326.3.9600.2322810.0.14393.923410.0.17763.888010.0.19044.741710.0.19045.741710.0.20348.525610.0.22631.721910.0.26100.865510.0.26100.3299510.0.26200.865510.0.28000.2269
Patch commits
Affected packages
  • Microsoft / Remote Desktop client for Windows Desktop
    < 1.2.7214.0 (from 1.2.0.0)
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows App Client for Windows Desktop
    < 2.0.1193.0 (from 1.00)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References