CVE-2026-45639: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- 1.2.7214.0
- Affected Products
- 22
HarborGuard Analysis
Synopsis
An out-of-bounds read vulnerability in Windows Remote Desktop Protocol (RDP) allows an unauthenticated attacker to disclose sensitive information over the network. The flaw is reachable without any prior authentication and requires no interaction from a logged-in user, meaning a remote attacker can trigger it by sending crafted RDP traffic to an exposed host. Successful exploitation reads memory contents from the affected RDP process, leaking data the attacker should not be able to access. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected versions of Windows or the Remote Desktop client.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built Windows container images. Any image carrying an affected version of the Windows RDP component is flagged automatically, regardless of how the image was assembled.
AvailableHarborGuard scores this CVE at CVSS 7.5 (HIGH) and weights findings against each customer environment's compliance policy to prioritize routing. Triage tickets are directed to the appropriate team inbox within the customer org based on image ownership and policy configuration.
AvailablePatched-image rebuilds at the applicable fix versions (1.2.7214.0, 2.0.1193.0, 6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, and corresponding Windows 10/11 patch levels) are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test pass, and opens a pull request against affected workloads.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the RDP service over the network; any host with RDP exposed on the network is in scope.
- AuthenticationNot required
No credentials are needed; the attacker can trigger the out-of-bounds read before any login handshake completes.
- Victim interactionNot required
No action from a logged-in user or administrator is required to trigger the vulnerability.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.
Blast Radius
- A successful attacker reads raw memory contents from the RDP process, which may include session tokens, credentials, or other in-memory data belonging to active or recent RDP sessions.
- Leaked memory contents can be used to stage follow-on attacks, such as session hijacking or credential reuse against other services.
- Integrity and availability of the host are not directly affected; the impact is limited to unauthorized disclosure of in-process data.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image carrying an affected Windows RDP component version, covering both vendor-supplied and custom-built Windows container images. Where compliance policy permits, a patched-image rebuild at the appropriate fix version is made available automatically. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression test suite, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who prefer manual remediation can review the flagged images and fix versions in the HarborGuard dashboard and apply the relevant Microsoft patches (Windows Update KB or Remote Desktop client update to 1.2.7214.0 or later). Until patched, limiting network access to RDP ports via network policy or firewall rules reduces exposure for hosts that cannot be immediately updated.
Fix available
- Microsoft / Remote Desktop client for Windows Desktop< 1.2.7214.0 (from 1.2.0.0)
- Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows App Client for Windows Desktop< 2.0.1193.0 (from 1.00)
- Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C