CVE-2026-42992: Remote Desktop Client Remote Code Execution Vulnerability
Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 2.0.1193.0
- Affected Products: 17
HarborGuard Analysis
Synopsis
Heap-based buffer overflow in Microsoft Remote Desktop Client allows a remote, unauthenticated attacker to execute arbitrary code on the victim's machine. The attack is delivered over the network but requires high-complexity conditions and a user-interaction step, as the CVSS vector (AV:N/AC:H/PR:N/UI:R) indicates. Successful exploitation gives the attacker full control over the confidentiality, integrity, and availability of the affected system. Patched-image rebuilds at the fix versions (including 10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and 10.0.19045.7417) are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-42992 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images. Any image layer carrying an affected version of the Windows Remote Desktop Client is flagged automatically, without requiring manual configuration.
- Triage: Available. Triage is available with a CVSS 3.1 score of 7.5 (HIGH), and per-environment compliance policy weighting can elevate or suppress urgency based on each customer organization's own risk thresholds. Routed findings are delivered to the appropriate team inbox within each customer org based on ownership mappings configured in HarborGuard.
- Patched-image rebuilds: Available. Rebuilds at the fix versions listed above become available in HarborGuard as soon as upstream packages are published. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The attacker must reach the Remote Desktop Client over the network; the service must be exposed or the victim must connect to an attacker-controlled RDP endpoint.
- Authentication: Not required. No credentials or existing account are needed; the attack can be launched by an unauthenticated party (PR:N).
- Victim interaction: Required. The victim must take an action, such as connecting to a malicious RDP server, making this dependent on a social-engineering or phishing step (UI:R).
- Attack complexity: High. Exploitation requires meeting high-complexity preconditions such as precise timing, memory layout manipulation, or other environmental factors (AC:H), making reliable exploitation non-trivial.
Blast Radius
- A successful attacker reads all data accessible to the Remote Desktop Client process, including session credentials and files in scope at runtime (C:H).
- A successful attacker writes or modifies data on the victim's host, including files, registry entries, or in-memory state (I:H).
- A successful attacker crashes or fully disrupts the affected Remote Desktop Client process and dependent services (A:H).
- Because the overflow enables arbitrary code execution in the context of the client process, the attacker gains persistent foothold potential on the victim's workstation or server.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image carrying an affected Windows Remote Desktop Client version, covering all customer registries and pipelines including custom-built images. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the appropriate fix version, runs a regression test, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval before merging, the rebuilt image and test results are staged and routed to the designated approver inbox. Because the CVSS exploit maturity is rated Unproven (E:U) and remediation is Official Fix (RL:O), teams should prioritize patching over compensating controls, though network-policy rules limiting outbound RDP connections from container workloads can reduce exposure while the patch is rolled out.
Fix available
- Microsoft / Windows 10 Version 1607: affected >= 10.0.14393.0 and < 10.0.14393.9234
- Microsoft / Windows 10 Version 1809: affected >= 10.0.17763.0 and < 10.0.17763.8880
- Microsoft / Windows 10 Version 21H2: affected >= 10.0.19044.0 and < 10.0.19044.7417
- Microsoft / Windows 10 Version 22H2: affected >= 10.0.19045.0 and < 10.0.19045.7417
- Microsoft / Windows 11 version 23H2: affected >= 10.0.22631.0 and < 10.0.22631.7219
- Microsoft / Windows 11 Version 23H2: affected >= 10.0.22631.0 and < 10.0.22631.7219
- Microsoft / Windows 11 Version 24H2: affected >= 10.0.26100.0 and < 10.0.26100.8655
- Microsoft / Windows 11 Version 25H2: affected >= 10.0.26200.0 and < 10.0.26200.8655
- Microsoft / Windows 11 version 26H1: affected >= 10.0.28000.0 and < 10.0.28000.2269
- Microsoft / Windows App Client for Windows Desktop: affected >= 1.00 and < 2.0.1193.0
- Microsoft / Windows Server 2016: affected >= 10.0.14393.0 and < 10.0.14393.9234
- Microsoft / Windows Server 2016 (Server Core installation): affected >= 10.0.14393.0 and < 10.0.14393.9234
- Microsoft / Windows Server 2019: affected >= 10.0.17763.0 and < 10.0.17763.8880
- Microsoft / Windows Server 2019 (Server Core installation): affected >= 10.0.17763.0 and < 10.0.17763.8880
- Microsoft / Windows Server 2022: affected >= 10.0.20348.0 and < 10.0.20348.5256
- Microsoft / Windows Server 2025: affected >= 10.0.26100.0 and < 10.0.26100.32995
- Microsoft / Windows Server 2025 (Server Core installation): affected >= 10.0.26100.0 and < 10.0.26100.32995
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C