CVE-2026-42985: Remote Desktop Client Remote Code Execution Vulnerability
Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 1.2.7214.0
- Affected Products: 22
HarborGuard Analysis
Synopsis
A heap-based buffer overflow in Microsoft Remote Desktop Client allows an unauthenticated attacker to reach the vulnerability over the network and execute arbitrary code on the affected system. Exploitation requires the victim to interact with a malicious server or specially crafted content, but no credentials are needed on the attacker side. Successful exploitation gives the attacker full code execution in the context of the connecting user. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection of CVE-2026-42985 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle Windows Remote Desktop Client components.
Triage is available using the CVSS v3.1 score of 8.8 (HIGH), weighted against each customer organization's compliance policy to determine priority and routed to the appropriate team inbox within that environment.
Patched-image rebuilds at the fix versions (1.2.7214.0, 2.0.1193.0, 6.2.9200.26132, 6.3.9600.23228, and 10.0.14393.9234) are available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the affected Remote Desktop Client over the network, meaning the client must be able to connect to an attacker-controlled server or resource reachable across the internet or internal network.
- Authentication: Not required
No credentials or prior account access are needed on the attacker side; the attack targets the connecting client without any authentication requirement.
- Victim interaction: Required
The victim must initiate or be socially engineered into initiating a Remote Desktop connection to a malicious server, making user interaction a necessary step for exploitation.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout luck, or other unpredictable environmental factors.
Blast Radius
- The attacker executes arbitrary code in the security context of the logged-in user on the connecting machine.
- Confidentiality impact is high: the attacker reads files, credentials, session tokens, and any data accessible to that user.
- Integrity impact is high: the attacker writes, modifies, or deletes files and data on the compromised host.
- Availability impact is high: the attacker crashes or fully disrupts the affected system or its services.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-42985 activates within minutes of publication for all customer environments, covering images that include the Microsoft Remote Desktop Client. For environments running any affected version (Remote Desktop client for Windows Desktop below 1.2.7214.0, or Windows 10/11 builds below their respective fix versions), patched-image rebuilds at the corrected versions become available immediately after the fix is confirmed. Where compliance policy permits auto-remediation, HarborGuard triggers a rebuild at the patched version, runs a regression test suite against that image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will find the vulnerability flagged with its CVSS 8.8 HIGH score and routing to the configured security inbox for review.
Fix available
- Microsoft / Remote Desktop client for Windows Desktop < 1.2.7214.0 (from 1.2.0.0)
- Microsoft / Windows 10 Version 1607 < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809 < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2 < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2 < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2 < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2 < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2 < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2 < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1 < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows App Client for Windows Desktop < 2.0.1193.0 (from 1.00)
- Microsoft / Windows Server 2012 < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation) < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2 < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation) < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016 < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation) < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019 < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation) < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022 < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025 < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation) < 10.0.26100.32995 (from 10.0.26100.0)
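Added example (not HarborGuard or Microsoft code): a range check that applies the fix table above to an asset inventory. The table rows are a subset copied from the list; the names FIX_TABLE, INVENTORY, parse_version, status and scan, and the host entries, are assumptions made for the illustration. It shows why the match must be keyed on product as well as build: Windows 11 Version 24H2 and Windows Server 2025 share the 10.0.26100 base but have different fix builds.

```python
# Fix ranges copied from the "Fix available" list: product -> (first affected, fixed in).
FIX_TABLE = {
    "Remote Desktop client for Windows Desktop": ("1.2.0.0", "1.2.7214.0"),
    "Windows App Client for Windows Desktop": ("1.00", "2.0.1193.0"),
    "Windows 11 Version 24H2": ("10.0.26100.0", "10.0.26100.8655"),
    "Windows Server 2025": ("10.0.26100.0", "10.0.26100.32995"),
    "Windows Server 2012 R2": ("6.3.9600.0", "6.3.9600.23228"),
}

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("ws-014", "Windows 11 Version 24H2", "10.0.26100.8655"),
    ("srv-202", "Windows Server 2025", "10.0.26100.8655"),
    ("jump-01", "Remote Desktop client for Windows Desktop", "1.2.7213.0"),
    ("vdi-07", "Windows App Client for Windows Desktop", "2.0.1193.0"),
]

def parse_version(text):
    """Dotted version -> 4-tuple of ints, zero-padded ('1.00' -> (1, 0, 0, 0))."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def status(product, installed):
    """Return 'fixed', 'affected', 'below-range' or 'unknown-product'."""
    if product not in FIX_TABLE:
        return "unknown-product"
    first, fix = (parse_version(v) for v in FIX_TABLE[product])
    # Compare as integer tuples: as strings, '32995' would sort below '8655'.
    v = parse_version(installed)
    if v >= fix:
        return "fixed"
    return "affected" if v >= first else "below-range"

def scan(inventory):
    """Hosts whose installed version falls inside the affected range."""
    return [host for host, product, ver in inventory if status(product, ver) == "affected"]

if __name__ == "__main__":
    print(scan(INVENTORY))
```
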
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C