CVE-2026-50504 exposes information from vulnerable Windows Remote Desktop clients when a user connects to a malicious or compromised RDP server. Microsoft fixed the buffer over-read in its July 14, 2026 security updates, covering supported Windows 11 releases, multiple Windows 10 editions, and Windows Server versions dating back to Server 2012.
Detailed in Microsoft’s Security Response Center advisory, the vulnerability is rated Important with a CVSS 3.1 base score of 6.5. Microsoft describes it as a network-accessible information disclosure flaw that requires user interaction but does not require the attacker to hold privileges on the target computer.
The National Vulnerability Database had not completed its independent enrichment as of July 15, but its Microsoft-issued record identifies the underlying weakness as CWE-126, or a buffer over-read. The practical action for administrators is straightforward: deploy the July cumulative security updates and verify that endpoints capable of initiating Remote Desktop sessions have reached the fixed build for their Windows version.
The distinction between Remote Desktop Client and Remote Desktop Services matters here. CVE-2026-50504 is not described as an attacker connecting directly to an exposed Windows RDP server and extracting data without assistance. Instead, the vulnerable component is on the machine initiating the Remote Desktop connection.
Microsoft’s CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In operational terms, the attack can cross a network, requires low attack complexity and no prior privileges, but depends on the victim taking an action—most plausibly connecting the affected client to an attacker-controlled RDP endpoint.
That interaction requirement lowers the likelihood of indiscriminate, worm-like exploitation. It does not make the flaw harmless. Administrators, support personnel, developers, and contractors routinely open RDP connections to systems outside their immediate workstation trust boundary, sometimes using connection files supplied by another party.
A successful exploit could disclose information from memory outside the buffer that the Remote Desktop client was supposed to read. Microsoft rates the confidentiality impact as high, while assigning no direct integrity or availability impact. The advisory does not claim that CVE-2026-50504 can modify files, execute code, elevate privileges, or crash the client.
The precise contents recoverable through the over-read have not been publicly documented. Consequently, defenders should avoid assuming that a successful attack necessarily reveals credentials—or that it cannot reveal sensitive session, application, or process data. The confirmed issue is unauthorized disclosure; the exact value and repeatability of the exposed memory remain less clear.
The patched build thresholds published with the CVE record are:
Windows 10 versions 21H2 and 22H2 also remain in the product record. Organizations receiving updates for these branches through applicable servicing or extended-support arrangements should confirm that July’s security content has reached them rather than treating the end of mainstream Windows 10 servicing as proof that the devices are irrelevant to the CVE.
For inventory work, the build number is more reliable than checking whether Windows Update merely reports that an update was attempted. Administrators can inspect
CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment recorded no exploitation, judged the issue not readily automatable, and described its technical impact as partial. Those assessments fit the user-interaction requirement: an attacker must place a malicious RDP destination in front of a victim and persuade or cause that victim to connect.
This gives administrators room to follow controlled testing and deployment procedures rather than initiating the sort of emergency containment associated with an unauthenticated Remote Desktop Services remote-code-execution flaw. It does not justify leaving administrator workstations or Remote Desktop jump hosts unpatched through another update cycle.
CVE-2026-50504 was also one of several Remote Desktop-related information disclosure vulnerabilities addressed in Microsoft’s July release. The Zero Day Initiative cataloged additional Remote Desktop Client flaws alongside separate RDP protocol issues, all carrying the same 6.5 score. Deploying the cumulative update therefore closes a collection of related exposures rather than only this single CVE.
Organizations unable to patch immediately should reduce opportunities for users to initiate RDP sessions toward untrusted systems. Remote Desktop connection files received through email, ticketing systems, chat platforms, or public downloads deserve particular scrutiny, as do requests to connect directly to unfamiliar IP addresses.
Network controls can provide supporting protection by limiting outbound RDP traffic from ordinary workstations and forcing administrative sessions through approved jump hosts. Such restrictions are useful defense in depth, but they do not replace updating the client: trusted servers can be compromised, and administrators may still be directed to infrastructure outside established allowlists during support work.
Security teams should also review whether outbound RDP is broadly permitted and whether downloaded
Microsoft has confirmed the vulnerability, identified its buffer over-read root cause, supplied a CVSS vector, and published fixed build boundaries. What remains undisclosed is the exact memory material an attacker can recover and whether reliable exploitation will emerge.
Until more technical research appears, installing the July 14 cumulative updates and validating the resulting OS build is the defensible endpoint. The next meaningful milestone will be either public exploit analysis or evidence of attacks, but Windows fleets do not need to wait for either before removing the vulnerable Remote Desktop client code.
Detailed in Microsoft’s Security Response Center advisory, the vulnerability is rated Important with a CVSS 3.1 base score of 6.5. Microsoft describes it as a network-accessible information disclosure flaw that requires user interaction but does not require the attacker to hold privileges on the target computer.
The National Vulnerability Database had not completed its independent enrichment as of July 15, but its Microsoft-issued record identifies the underlying weakness as CWE-126, or a buffer over-read. The practical action for administrators is straightforward: deploy the July cumulative security updates and verify that endpoints capable of initiating Remote Desktop sessions have reached the fixed build for their Windows version.
The Client Is the Exposed Side of the Connection
The distinction between Remote Desktop Client and Remote Desktop Services matters here. CVE-2026-50504 is not described as an attacker connecting directly to an exposed Windows RDP server and extracting data without assistance. Instead, the vulnerable component is on the machine initiating the Remote Desktop connection.Microsoft’s CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In operational terms, the attack can cross a network, requires low attack complexity and no prior privileges, but depends on the victim taking an action—most plausibly connecting the affected client to an attacker-controlled RDP endpoint.
That interaction requirement lowers the likelihood of indiscriminate, worm-like exploitation. It does not make the flaw harmless. Administrators, support personnel, developers, and contractors routinely open RDP connections to systems outside their immediate workstation trust boundary, sometimes using connection files supplied by another party.
A successful exploit could disclose information from memory outside the buffer that the Remote Desktop client was supposed to read. Microsoft rates the confidentiality impact as high, while assigning no direct integrity or availability impact. The advisory does not claim that CVE-2026-50504 can modify files, execute code, elevate privileges, or crash the client.
The precise contents recoverable through the over-read have not been publicly documented. Consequently, defenders should avoid assuming that a successful attack necessarily reveals credentials—or that it cannot reveal sensitive session, application, or process data. The confirmed issue is unauthorized disclosure; the exact value and repeatability of the exposed memory remain less clear.
July Updates Draw the Fixed-Build Line
Microsoft’s affected-product record spans a broad section of the Windows estate. It includes Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, supported Windows 10 branches, and Windows Server releases from 2012 through 2025.The patched build thresholds published with the CVE record are:
- Windows 11 24H2 systems are affected below build 26100.8875.
- Windows 11 25H2 systems are affected below build 26200.8875.
- Windows 11 26H1 systems are affected below build 28000.2269.
- Windows 10 22H2 systems are affected below build 19045.7548.
- Windows 10 21H2 systems are affected below build 19044.7548.
- Windows 10 version 1809 and Windows Server 2019 are affected below build 17763.9020.
- Windows 10 version 1607 and Windows Server 2016 are affected below build 14393.9339.
- Windows Server 2022 is affected below build 20348.5386.
- Windows Server 2025 is affected below build 26100.33158.
- Windows Server 2012 is affected below build 9200.26226, while Server 2012 R2 is affected below build 9600.23291.
Windows 10 versions 21H2 and 22H2 also remain in the product record. Organizations receiving updates for these branches through applicable servicing or extended-support arrangements should confirm that July’s security content has reached them rather than treating the end of mainstream Windows 10 servicing as proof that the devices are irrelevant to the CVE.
For inventory work, the build number is more reliable than checking whether Windows Update merely reports that an update was attempted. Administrators can inspect
winver, PowerShell inventory results, endpoint-management dashboards, or their patch-compliance platform and compare the installed OS build against Microsoft’s fixed threshold.No Known Exploitation Changes the Order, Not the Need
Microsoft reported no public disclosure and no known exploitation when it published CVE-2026-50504 on July 14. The Zero Day Initiative’s July security update review likewise listed the vulnerability as Important, scored 6.5, and neither publicly known nor under active attack.CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment recorded no exploitation, judged the issue not readily automatable, and described its technical impact as partial. Those assessments fit the user-interaction requirement: an attacker must place a malicious RDP destination in front of a victim and persuade or cause that victim to connect.
This gives administrators room to follow controlled testing and deployment procedures rather than initiating the sort of emergency containment associated with an unauthenticated Remote Desktop Services remote-code-execution flaw. It does not justify leaving administrator workstations or Remote Desktop jump hosts unpatched through another update cycle.
CVE-2026-50504 was also one of several Remote Desktop-related information disclosure vulnerabilities addressed in Microsoft’s July release. The Zero Day Initiative cataloged additional Remote Desktop Client flaws alongside separate RDP protocol issues, all carrying the same 6.5 score. Deploying the cumulative update therefore closes a collection of related exposures rather than only this single CVE.
Organizations unable to patch immediately should reduce opportunities for users to initiate RDP sessions toward untrusted systems. Remote Desktop connection files received through email, ticketing systems, chat platforms, or public downloads deserve particular scrutiny, as do requests to connect directly to unfamiliar IP addresses.
Network controls can provide supporting protection by limiting outbound RDP traffic from ordinary workstations and forcing administrative sessions through approved jump hosts. Such restrictions are useful defense in depth, but they do not replace updating the client: trusted servers can be compromised, and administrators may still be directed to infrastructure outside established allowlists during support work.
Patch the Machines That Make the Connections
The most consequential inventory mistake would be to search only for servers accepting inbound TCP port 3389. CVE-2026-50504 follows the client, so the priority set includes privileged access workstations, help-desk PCs, jump servers, virtual desktop administrator images, and any endpoint from which employees launch Remote Desktop sessions.Security teams should also review whether outbound RDP is broadly permitted and whether downloaded
.rdp files are treated as routine documents. A connection profile is an instruction to contact and negotiate with another machine; in this threat model, that destination is the attacker’s entry point into the vulnerable client’s memory handling.Microsoft has confirmed the vulnerability, identified its buffer over-read root cause, supplied a CVSS vector, and published fixed build boundaries. What remains undisclosed is the exact memory material an attacker can recover and whether reliable exploitation will emerge.
Until more technical research appears, installing the July 14 cumulative updates and validating the resulting OS build is the defensible endpoint. The next meaningful milestone will be either public exploit analysis or evidence of attacks, but Windows fleets do not need to wait for either before removing the vulnerable Remote Desktop client code.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com