Two RDP Vulnerabilities in Windows Allow Sensitive Data Disclosure
Microsoft has patched two RDP vulnerabilities, CVE-2026-42908 and CVE-2026-45639, both rated Important, that allow unauthenticated attackers to read sensitive memory contents over the network.

Microsoft has released security updates to address two significant vulnerabilities in the Windows Remote Desktop Protocol (RDP) that could allow unauthenticated attackers to disclose sensitive memory data. The flaws, identified as CVE-2026-42908 and CVE-2026-45639, were resolved as part of the June 9, 2026, security updates.
Both vulnerabilities are classified as information disclosure flaws stemming from out-of-bounds read conditions within the RDP stack. Microsoft rates them 'Important', with a CVSS v3 base score of 7.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) breaks down as follows: the flaws are reachable over the network (AV:N) with low attack complexity (AC:L), require no privileges (PR:N) and no user interaction (UI:N), and have a high confidentiality impact (C:H) with no integrity or availability impact (I:N/A:N) and no scope change (S:U). In other words, an unauthenticated remote attacker can read memory but cannot, through these bugs alone, modify data or take the service down.
While these vulnerabilities do not directly lead to code execution or system compromise, they pose a significant risk by exposing sensitive memory contents. Successful exploitation of CVE-2026-42908 can reveal memory addresses of the target process, undermining exploit mitigations such as Address Space Layout Randomization (ASLR), which depends on those addresses staying secret. For CVE-2026-45639, an attacker might be able to read portions of process memory, potentially leaking credentials, session tokens, or other sensitive protocol data.
Microsoft has assessed the likelihood of exploitation as 'Less Likely' and reported no evidence of in-the-wild abuse or publicly available exploits at the time of the advisory. However, the nature of these information disclosure bugs makes them valuable for attackers looking to chain with other vulnerabilities to achieve more impactful attacks, such as remote code execution or sandbox escapes.
The vulnerabilities affect a wide range of Windows client and server versions; a host is exposed when Remote Desktop is enabled and the service is reachable. Affected versions include Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server 2012 through 2022, as well as Windows Server 2025. The Remote Desktop client and the Windows App client for Windows Desktop are also impacted, so the fix applies to connecting machines as well as to hosts accepting RDP sessions.
Both CVEs are associated with CWE-125, 'Out-of-bounds Read', meaning the vulnerable RDP component reads past the end of an allocated buffer. Specially crafted RDP traffic can therefore cause the service to return bytes from adjacent memory regions instead of only the intended protocol data. Because these code paths are reachable before authentication, any system with RDP exposed to the internet is a direct target.
Microsoft has provided official fixes through the June 9, 2026, Patch Tuesday updates. Organizations are strongly advised to apply these security updates, or the corresponding cumulative/rollup packages, for their affected Windows versions and RDP client builds. Priority should go to systems with RDP exposed externally and to critical backend servers, where a memory disclosure could facilitate lateral movement or privilege escalation.
As a general security best practice, administrators should restrict RDP access to trusted networks, put RDP behind a VPN or bastion host, enforce strong authentication (Network Level Authentication on the host, multi-factor authentication at the VPN or bastion), and monitor for unusual RDP connection patterns. Because the flaws are reachable without credentials, authentication controls reduce exposure but should not be assumed to block the vulnerable code path; the patch is the fix. Security researchers are expected to keep analyzing the patches for exploit primitives that could build on these disclosures.
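The following PowerShell script is an added example, not code from the article or from Microsoft. It turns the advice above into a per-host check: whether RDP is enabled and listening, whether Network Level Authentication is required, whether the June update is installed, how widely the built-in Remote Desktop firewall rules are scoped, and which RemoteInteractive logons in the last day came from outside the trusted ranges. The KB number (`$KbId`), the trusted subnet (`$TrustedNets`) and the lookback window are placeholders to replace with the KB from the Microsoft advisory and your own management ranges. One caveat the article's own description implies: the bugs are triggered before authentication, so an exploit attempt that never completes a logon leaves no 4624 event, and this logon review covers the "unusual connection patterns" advice, not exploitation of these specific CVEs.

```powershell
# Added example (not from the article or from Microsoft). Run in an elevated
# PowerShell session on the host being checked. $KbId and $TrustedNets are
# placeholders, not real values.
param(
    [string]  $KbId          = 'KBNNNNNNN',      # placeholder: KB from the Microsoft advisory
    [string[]]$TrustedNets   = @('10.0.0.0/8'),  # assumed VPN / bastion management range
    [int]     $LookbackHours = 24,
    [switch]  $Enforce                           # actually narrow the firewall rules
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled, on which port, and is Network Level Authentication required?
$rdpDisabled = (Get-ItemProperty $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpTcp      = Get-ItemProperty $rdpKey -Name PortNumber, UserAuthentication
$listening   = Get-NetTCPConnection -LocalPort $rdpTcp.PortNumber -State Listen -ErrorAction SilentlyContinue
[pscustomobject]@{
    RdpEnabled  = ($rdpDisabled -eq 0)
    Port        = $rdpTcp.PortNumber
    Listening   = [bool]$listening
    NlaRequired = ($rdpTcp.UserAuthentication -eq 1)
}

# 2. Is the fix installed? Get-HotFix only knows updates that register a KB,
#    so $KbId must be the cumulative update's KB as listed in the advisory.
$fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($fix) { "Update $KbId installed on $($fix.InstalledOn)" }
else      { "Update $KbId NOT found: host is unpatched or the KB does not apply here" }

# 3. Who can reach the built-in Remote Desktop firewall rules? 'Any' on an
#    internet-facing profile is exactly the exposure the article warns about.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = ($addr.RemoteAddress -join ',') }
}
if ($Enforce) {
    # Narrow inbound RDP to the trusted ranges (VPN or bastion subnets only).
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $TrustedNets
}

# 4. RDP logon review: RemoteInteractive logons (LogonType 10) from outside the
#    trusted ranges, plus failed logons grouped by source. Note that with NLA
#    enabled, failed attempts are often recorded with LogonType 3 rather than 10.
function Get-EventField($Event, [string]$Name) {
    # Read a named EventData field from the event XML instead of guessing Properties[] indexes.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}
function Test-InTrustedNet([string]$Ip, [string[]]$Nets) {
    # IPv4 CIDR membership; anything unparsable or IPv6 is treated as untrusted.
    try { $addr = [System.Net.IPAddress]::Parse($Ip) } catch { return $false }
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }
    $b = [int64][BitConverter]::ToUInt32($addr.GetAddressBytes()[3..0], 0)
    foreach ($net in $Nets) {
        $base, $bits = $net -split '/'
        if (-not $bits) { $bits = 32 }
        $a    = [int64][BitConverter]::ToUInt32(([System.Net.IPAddress]::Parse($base)).GetAddressBytes()[3..0], 0)
        $mask = ([int64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
        if (($a -band $mask) -eq ($b -band $mask)) { return $true }
    }
    return $false
}

$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue
$rdpLogons = foreach ($e in $events) {
    if ((Get-EventField $e 'LogonType') -ne '10') { continue }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Result = if ($e.Id -eq 4624) { 'success' } else { 'failure' }
        User   = Get-EventField $e 'TargetUserName'
        Source = Get-EventField $e 'IpAddress'
    }
}
"RDP logons from outside the trusted ranges in the last $LookbackHours hours:"
$rdpLogons | Where-Object { -not (Test-InTrustedNet $_.Source $TrustedNets) } | Format-Table -AutoSize
"Failed RDP logons by source address (possible password spraying):"
$rdpLogons | Where-Object Result -eq 'failure' | Group-Object Source |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

Run it without `-Enforce` first to see the current firewall scope and logon picture; `-Enforce` rewrites the remote-address scope of every inbound Remote Desktop rule, so confirm the trusted ranges include the bastion or VPN egress addresses before using it, or the next administrator will be locked out along with the attacker.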