CVE-2026-44801: Remote Desktop Client Remote Code Execution Vulnerability
Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 1.2.7214.0
- Affected Products: 22
HarborGuard Analysis
Synopsis
A heap-based buffer overflow exists in Microsoft Remote Desktop Client for Windows that is reachable over the network without any prior authentication. Exploitation requires the victim to take an action, such as connecting to a malicious RDP server, and the attack involves complex conditions the attacker must satisfy. Successful exploitation gives the attacker full remote code execution on the victim's machine. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the Remote Desktop Client or affected Windows base layers.
HarborGuard is capable of scoring this CVE at 7.5 HIGH using the CVSS v3.1 vector and weighting it against each environment's compliance policy to surface it in the right team inbox, prioritizing workloads where the affected component is confirmed present.
Patched-image rebuilds at the fix versions (1.2.7214.0, 2.0.1193.0, 6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234) are available on HarborGuard for affected environments. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the victim's Remote Desktop Client over the network, typically by operating or spoofing a malicious RDP server that the client connects to.
- Authentication: Not required
  No credentials or prior account access are required; the attacker exploits the client before any authentication handshake completes.
- Victim interaction: Required
  The victim must initiate or be socially engineered into initiating an RDP connection to an attacker-controlled server.
- Attack complexity: Detail
  Attack complexity is high, meaning the attacker must satisfy specific race conditions, timing constraints, or memory layout prerequisites to reliably trigger the overflow.
Blast Radius
- The attacker executes arbitrary code in the context of the user running Remote Desktop Client, gaining full control over that user's session.
- Confidential data accessible to that user, including credentials, documents, and session tokens, is readable by the attacker.
- The attacker can write or modify files, registry keys, and application data on the victim host.
- The attacker can crash or destabilize the Remote Desktop Client process and any dependent workflows.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE activates within minutes of ingestion for any customer image that includes an affected version of the Remote Desktop Client or a Windows base layer in the listed version ranges. Where compliance policy permits, auto-remediation rebuilds the affected image at a patched fix version, runs regression tests, and opens a PR against impacted workloads. For environments with auto-remediation enabled, the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes. For customers who have not enabled auto-remediation, HarborGuard surfaces the finding with the CVSS 7.5 HIGH score and links to the upstream Microsoft advisory so teams can act manually. Compensating controls to consider while coordinating a patch rollout include network-policy rules that restrict outbound RDP connections from sensitive hosts and user-awareness measures to discourage connections to untrusted RDP endpoints.
Fix available
- Microsoft / Remote Desktop client for Windows Desktop: < 1.2.7214.0 (from 1.2.0.0)
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows App Client for Windows Desktop: < 2.0.1193.0 (from 1.00)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
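The ranges above have to be matched per product, not per build number alone: Windows 11 Version 24H2 and Windows Server 2025 share the 10.0.26100 branch but have different fixed builds. The following is an added example, not HarborGuard or Microsoft code, that checks a constructed inventory against a subset of the listed ranges; the host names, the inventory rows and the function names are assumptions.

```python
# Added example: triage an inventory against a subset of the
# "Fix available" ranges listed above.
from itertools import zip_longest

# (product, first affected version, first fixed version), copied from the list above.
AFFECTED = [
    ("Remote Desktop client for Windows Desktop", "1.2.0.0", "1.2.7214.0"),
    ("Windows App Client for Windows Desktop", "1.00", "2.0.1193.0"),
    ("Windows 11 Version 24H2", "10.0.26100.0", "10.0.26100.8655"),
    ("Windows Server 2025", "10.0.26100.0", "10.0.26100.32995"),
    ("Windows Server 2012 R2", "6.3.9600.0", "6.3.9600.23228"),
]

def parse(version):
    """Split a dotted version into integers, e.g. '1.00' -> (1, 0)."""
    return tuple(int(part) for part in version.strip().split("."))

def compare(a, b):
    """Return -1, 0 or 1; missing trailing components count as zero."""
    for x, y in zip_longest(parse(a), parse(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def is_affected(product, version):
    """True if from <= version < fixed for this product, None if unlisted."""
    for name, first, fixed in AFFECTED:
        # Case-insensitive: the list itself mixes "version" and "Version".
        if name.casefold() == product.casefold():
            return compare(version, first) >= 0 and compare(version, fixed) < 0
    return None

# Constructed inventory rows (host names and versions are made up).
INVENTORY = [
    ("jump-01", "Windows Server 2025", "10.0.26100.9000"),
    ("lap-17", "Windows 11 Version 24H2", "10.0.26100.9000"),
    ("lap-22", "Remote Desktop client for Windows Desktop", "1.2.999.0"),
    ("lap-23", "Remote Desktop client for Windows Desktop", "1.2.7214.0"),
]

def triage(inventory):
    """Return the hosts whose product/version pair is still in an affected range."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]

if __name__ == "__main__":
    print(triage(INVENTORY))
```

Versions are compared numerically per component, because a plain string comparison would rank 1.2.999.0 above 1.2.7214.0 and report it as fixed.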
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C