CVE-2026-50474: KB5101650 Fixes Windows Remote Desktop RCE

CVE-2026-50474 is a critical Remote Desktop Client vulnerability that can let an unauthenticated attacker execute code after a Windows user initiates a malicious remote desktop connection. Microsoft fixed the flaw in its July 14, 2026 security updates, including KB5101650 for Windows 11 versions 24H2 and 25H2.
Detailed in Microsoft’s Security Update Guide, the vulnerability carries a CVSS 3.1 score of 8.8 out of 10. It affects supported Windows clients and servers ranging from Windows Server 2012 to Windows 11 version 26H1, making prompt deployment important anywhere administrators, support personnel, or employees use Remote Desktop Connection.
The National Vulnerability Database identifies the underlying weakness as a use-after-free memory error in the Remote Desktop Client. Microsoft had not reported exploitation in the wild or public disclosure as of July 15, and CISA’s initial assessment similarly recorded no known exploitation.

Cybersecurity illustration showing an outbound RDP client detecting a use-after-free attack across connected servers.The Vulnerable Side Is the Client​

The most important distinction is that CVE-2026-50474 targets the Remote Desktop Client, not a Windows machine merely listening for incoming RDP sessions. The exposed system is the computer from which a user launches a connection.
Microsoft’s CVSS vector specifies network access, low attack complexity, no privileges required, and user interaction. That combination indicates an attacker must persuade or otherwise cause a target to connect to attacker-controlled Remote Desktop infrastructure. Once the connection is initiated, the malicious endpoint could return crafted network data that triggers the client’s memory-handling flaw.
This is therefore not described as a wormable, pre-authentication flaw capable of automatically spreading among systems exposing TCP port 3389. Blocking inbound RDP from the internet remains sensible security practice, but it does not directly remove this client-side attack path because the vulnerable machine makes the outbound connection.
Potential delivery routes include phishing messages containing Remote Desktop connection files, fraudulent technical-support instructions, compromised administrative documentation, and links directing users toward an untrusted RDP host. Microsoft has not published exploit code or a full technical walkthrough, so those routes are practical scenarios inferred from the client-side design rather than confirmed attack campaigns.
A successful exploit could compromise confidentiality, integrity, and availability, according to Microsoft’s CVSS assessment. In practical terms, code could execute with the privileges of the user running the Remote Desktop Client. An administrator launching the connection would consequently present a more valuable target than a tightly restricted standard account.

July Updates Establish the Safe Build Line​

Microsoft’s CVE record identifies the first non-vulnerable build level for each affected Windows branch. Administrators should confirm that endpoints have reached these builds or a later cumulative update rather than relying solely on a dashboard that says updates were recently installed.
Key client thresholds include:
  • Windows 11 version 24H2 must be updated to OS build 26100.8875 or later.
  • Windows 11 version 25H2 must be updated to OS build 26200.8875 or later.
  • Windows 11 version 26H1 receives the July fixes through KB5101649, which advances systems to OS build 28000.2525.
  • Windows 10 version 22H2 must reach OS build 19045.7548.
  • Windows 10 version 21H2 must reach OS build 19044.7548.
For Windows 11 versions 24H2 and 25H2, KB5101650 supplies OS builds 26100.8875 and 26200.8875 respectively. Microsoft says it is not currently aware of general issues with that update, although distribution has been temporarily withheld from a limited number of Dell PCs with Intel processors because of a separate compatibility problem involving shutdowns, heat, battery drain, and reduced performance.
Windows 10 versions 21H2 and 22H2 receive their corresponding fixes through KB5099539. Those releases now largely depend on Enterprise LTSC, IoT Enterprise LTSC, or Extended Security Updates eligibility because regular Windows 10 version 22H2 support ended on October 14, 2025. An unsupported Windows 10 PC that is not enrolled in ESU should not be assumed protected simply because Microsoft lists the version in the CVE’s affected-product data.
The server impact is similarly broad. Fixed build thresholds include 14393.9339 for Windows Server 2016, 17763.9020 for Windows Server 2019, 20348.5386 for Windows Server 2022, and 26100.33158 for Windows Server 2025. Windows Server 2022 receives build 20348.5386 through KB5099540.
Server Core installations are also listed as affected for several releases. That matters because the absence of the full desktop shell does not necessarily mean the Remote Desktop client component is absent or unreachable through management tooling and installed roles.

Patch the Workstations That Administrators Use First​

Traditional RDP remediation often focuses on servers accepting remote connections. CVE-2026-50474 reverses that priority: privileged access workstations, help-desk PCs, jump boxes, and administrator laptops are the systems most likely to initiate large numbers of RDP sessions and encounter unfamiliar destinations.
Organizations using Windows Server Update Services, Microsoft Configuration Manager, Windows Update for Business, or Intune should prioritize those client populations during the July rollout. Verification should include OS build inventory, update installation status, and restart state because cumulative update deployment is not complete until the new binaries are active.
Security teams should also review how .rdp files reach users. Remote Desktop files obtained from email, chat platforms, ticket attachments, shared folders, and public websites deserve the same suspicion as other files capable of steering a trusted application toward attacker-controlled content.
Microsoft’s July cumulative updates separately expand RDP file protections by adding support for SHA-2 certificate thumbprints for trusted publishers. SHA-1 remains available for backward compatibility but is planned for removal, and Microsoft recommends moving managed RDP publishers to SHA-256 or stronger algorithms.
That hardening does not replace the CVE-2026-50474 patch. It can, however, make it harder to disguise untrusted connection files as approved corporate resources when organizations configure the relevant Remote Desktop Connection Client Group Policy settings.
Administrators who cannot deploy immediately can reduce exposure by limiting outbound RDP connections to approved hosts and gateways, restricting the use of downloaded .rdp files, and avoiding privileged sessions from general-purpose workstations. Network controls are most useful when they permit connections only to known management ranges rather than allowing arbitrary outbound RDP traffic.
Endpoint monitoring should watch for Remote Desktop Client processes connecting to unusual external addresses, particularly when launched shortly after a browser, email client, collaboration application, or archive utility writes an .rdp file. These are compensating controls, not substitutes for correcting the vulnerable memory handling.

High Impact Does Not Mean Active Exploitation​

The supplied confidence-metric description explains how certainty about a vulnerability and the available technical detail affect urgency. In this case, the existence and root-cause category are not speculative: Microsoft issued the CVE, classified it as CWE-416, supplied affected-version ranges, and shipped corrected Windows builds.
What remains limited is public exploit knowledge. The NVD was still awaiting its own enrichment analysis on July 15, while Microsoft’s CVSS data provided the principal severity assessment. CISA recorded exploitation as “none,” automation as “no,” and technical impact as “total.”
That status should prevent CVE-2026-50474 from being misrepresented as an actively exploited zero-day. It should not push the flaw to the bottom of an enterprise patch queue, because an 8.8 client-side RCE affecting tools routinely used by privileged staff offers an attractive phishing and lateral-movement opportunity if reliable exploit details emerge.
The practical deadline is the next time a user or administrator connects to an untrusted or compromised RDP destination. Systems running Windows 11 24H2 or 25H2 should reach KB5101650, Windows 11 26H1 should receive KB5101649, and eligible Windows 10 deployments should install KB5099539 before Remote Desktop activity resumes outside tightly controlled infrastructure.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
 

Back
Top