HIGH | CVE-2026-44799 | CNA: microsoft

CVE-2026-44799: Remote Desktop Client Remote Code Execution Vulnerability

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 1.2.7214.0
  • Affected Products: 22

HarborGuard Analysis

Synopsis

A heap-based buffer overflow in Microsoft Remote Desktop Client allows a remote, unauthenticated attacker to execute arbitrary code on the connecting client machine. The vulnerability is reachable over the network but requires the victim to connect to a malicious or compromised RDP server, and exploitation involves non-trivial memory-layout conditions. Successful exploitation gives the attacker full code execution in the context of the connecting user, enabling data theft, tampering, and service disruption. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including internally built images that bundle the affected Remote Desktop Client component. Any image layer containing a vulnerable version of the affected product is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.5 HIGH and weighs it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules and policy thresholds.

Status: Available

Patch

A patched-image rebuild targeting the applicable fix versions (1.2.7214.0, 2.0.1193.0, 6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234) is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim over the network, specifically by operating or controlling an RDP server that the victim's client connects to.

  • Authentication: Not required

    No authentication is required; the attacker does not need any account on the target system before exploitation.

  • Victim interaction: Required

    The victim must actively initiate an RDP connection to a malicious or compromised server, making social engineering or infrastructure compromise a prerequisite.

  • Attack complexity: Detail

    Exploitation is rated high complexity, meaning the attacker must account for specific memory-layout or heap-state conditions that are not reliably reproducible without careful setup.

Blast Radius

  • Executes arbitrary code in the security context of the logged-in user on the connecting client machine.
  • Reads files, credentials, and session tokens accessible to that user account.
  • Writes or modifies files and data accessible to that user, including persisted credentials or configuration files.
  • Crashes or destabilizes the Remote Desktop Client process, disrupting the user's session and any dependent workflows.

How HarborGuard Handles This

Available on HarborGuard: images containing affected versions of Microsoft Remote Desktop Client are matched against this CVE within minutes of ingestion. Where compliance policy permits, a rebuilt image at the appropriate fix version is prepared automatically. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, executes a regression test run, and opens a pull request against affected workloads, with a median time from publication to merged patch PR of roughly 90 minutes for high-severity issues. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with fix-version guidance and CVSS context so engineering teams can prioritize and act manually. Because this vulnerability requires victim-initiated outbound RDP connections, compensating controls worth considering include network policy rules that restrict which hosts container workloads may reach on TCP 3389 and egress filtering to block connections to untrusted RDP endpoints until patched images are deployed.

Fix available

1.2.7214.0, 2.0.1193.0, 6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, 10.0.22631.7219, 10.0.26100.8655, 10.0.26100.32995, 10.0.26200.8655, 10.0.28000.2269

Affected packages
  • Microsoft / Remote Desktop client for Windows Desktop
    < 1.2.7214.0 (from 1.2.0.0)
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows App Client for Windows Desktop
    < 2.0.1193.0 (from 1.00)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
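
An added example (not HarborGuard's or Microsoft's code) that checks an installed version against the "< fix (from start)" ranges listed above. Windows 11 Version 24H2 and Windows Server 2025 share the 10.0.26100 build family but list different fix builds (8655 and 32995), so the product name has to be part of the comparison. The table is a subset of the list, and the function names and inventory tuple format are assumptions.

```python
# Added example: triage installed versions against this advisory's ranges.
# Range data is copied from the "Affected packages" list (subset shown);
# function names and the inventory format are hypothetical.

AFFECTED = {
    # product: (first affected version, fixed version)
    "Remote Desktop client for Windows Desktop": ("1.2.0.0", "1.2.7214.0"),
    "Windows App Client for Windows Desktop": ("1.00", "2.0.1193.0"),
    "Windows Server 2012 R2": ("6.3.9600.0", "6.3.9600.23228"),
    "Windows 10 Version 22H2": ("10.0.19045.0", "10.0.19045.7417"),
    "Windows 11 Version 24H2": ("10.0.26100.0", "10.0.26100.8655"),
    "Windows Server 2025": ("10.0.26100.0", "10.0.26100.32995"),
}

def parse(version):
    """Dotted version -> tuple of ints. A plain string comparison would
    rank '8655' above '32995' and report Server 2025 as fixed too early."""
    return tuple(int(part) for part in version.strip().split("."))

def pad(a, b):
    """Right-pad with zeros so '1.00' and '1.0.0.0' compare as equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def status(product, installed):
    """Return 'affected', 'fixed', 'below-range' or 'unknown-product'."""
    if product not in AFFECTED:
        return "unknown-product"
    start, fix = AFFECTED[product]
    v, f = pad(parse(installed), parse(fix))
    if v >= f:
        return "fixed"
    v, s = pad(parse(installed), parse(start))
    return "affected" if v >= s else "below-range"

def triage(inventory):
    """inventory: iterable of (host, product, version) tuples.
    Returns the sorted host names that still need the patched build."""
    return sorted(h for h, p, v in inventory if status(p, v) == "affected")
```
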
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C