CVE-2026-54126: Fix Windows RDP Information Disclosure

CVE-2026-54126 exposes information through Windows Remote Desktop Protocol when an unauthenticated attacker persuades a user to interact with a malicious RDP endpoint. Microsoft fixed the out-of-bounds read in its July 14, 2026 security updates, covering supported Windows 10, Windows 11, and Windows Server releases.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, the flaw carries a CVSS 3.1 base score of 6.5. Microsoft classifies it as an information-disclosure vulnerability rather than remote code execution, but the affected component and potential confidentiality impact make it relevant to organizations that routinely use Remote Desktop.
The practical action is straightforward: administrators should deploy the July cumulative updates and confirm that systems have reached the patched build numbers. Restricting outbound RDP connections and avoiding untrusted .rdp files provide additional protection while updates move through testing rings.

Cybersecurity illustration showing protected computers, a firewall, and a server threatened by malware.A Malicious RDP Server Is the Key Condition​

Microsoft describes CVE-2026-54126 as a CWE-125 out-of-bounds read. This class of memory-safety error occurs when software reads beyond the boundary of an allocated buffer, potentially returning data that was never intended to leave the affected process.
The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In practical terms, the attack can cross a network, requires low complexity, and does not require the attacker to hold an account or existing privileges. It does, however, require user interaction, which prevents the vulnerability from being treated as a fully autonomous, wormable RDP flaw.
That distinction matters. CVE-2026-54126 is not described as an attacker scanning port 3389 and immediately extracting memory from every reachable Windows host. The user-interaction requirement indicates that a victim must be induced to establish or participate in the malicious RDP exchange, such as by connecting to infrastructure controlled by the attacker.
Successful exploitation is scored as having a high confidentiality impact but no direct integrity or availability impact. In other words, Microsoft’s current assessment does not claim that the vulnerability lets an attacker modify data, execute code, or crash the target. Its documented consequence is unauthorized disclosure of information.
Microsoft also records the report confidence as confirmed, meaning the vulnerability and its technical basis have been validated rather than inferred from an incomplete report. That increases confidence in the advisory’s core findings, although Microsoft has not published enough low-level detail to determine precisely what process memory might be exposed in a successful attack.

The Affected Windows List Spans Client and Server​

The vulnerability reaches across several Windows generations. The National Vulnerability Database’s record, supplied by Microsoft, lists Windows 10 versions 1607, 1809, 21H2, and 22H2 alongside Windows 11 versions 24H2, 25H2, and 26H1.
On the server side, the affected set includes Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations are explicitly covered where Microsoft maintains a separate affected-product entry.
The patched build thresholds provide administrators with a concrete compliance check:
  • Windows 10 version 1607 and Windows Server 2016 must reach build 14393.9339 or later.
  • Windows 10 version 1809 and Windows Server 2019 must reach build 17763.9020 or later.
  • Windows 10 versions 21H2 and 22H2 must reach builds 19044.7548 and 19045.7548, respectively.
  • Windows 11 versions 24H2 and 25H2 must reach build 26100.8875 or 26200.8875, respectively.
  • Windows 11 version 26H1 must reach build 28000.2269 or later.
  • Windows Server 2022 must reach build 20348.5386 or later.
  • Windows Server 2025 must reach build 26100.33158 or later.
  • Windows Server 2012 must reach build 9200.26226 or later.
For Windows 11 24H2 and 25H2, the correction is included in July’s KB5101650 cumulative security update. Because cumulative updates supersede earlier servicing packages, organizations do not need to locate a separate RDP-only hotfix; installing the applicable July release or a later cumulative update supplies the corrected components.
Older Windows releases in the affected list may require Extended Security Updates or another eligible servicing arrangement. Their presence in the CVE record should not be interpreted as a guarantee that every unlicensed or out-of-support installation can obtain the update through ordinary Windows Update channels.

Information Disclosure Can Support a Larger Attack​

A CVSS score of 6.5 can make CVE-2026-54126 appear less urgent than the critical RDP remote-code-execution vulnerabilities patched in the same update cycle. It should nevertheless remain in the normal July deployment scope, particularly on administrative workstations and jump hosts.
Memory disclosure vulnerabilities are frequently valuable because the leaked data can weaken another protection or reveal information useful in a subsequent attack. Depending on the memory involved, disclosures can potentially expose addresses, protocol state, fragments of credentials, or other process data. Microsoft has not publicly stated that CVE-2026-54126 exposes any particular secret, so administrators should not assume that passwords or session tokens are necessarily recoverable.
The absence of documented code execution also means emergency measures such as disabling Remote Desktop across an entire estate may be disproportionate for this CVE alone. Exposure should instead be evaluated according to who can initiate RDP sessions, whether users receive .rdp files from outside the organization, and whether privileged administrators connect from general-purpose workstations.
Network Level Authentication remains a sensible baseline for inbound Remote Desktop deployments, but the published vector does not establish NLA as a complete workaround for CVE-2026-54126. Organizations should treat authentication controls, firewalls, Remote Desktop gateways, and connection-file restrictions as layers around the patch—not replacements for it.
The attack vector also makes outbound RDP governance relevant. Security teams often focus almost exclusively on preventing unauthorized inbound connections to Windows servers, while allowing workstations to initiate RDP sessions broadly. Limiting outbound TCP port 3389 to approved gateways and managed address ranges can reduce opportunities for users to connect directly to attacker-operated hosts.

July’s Update Is the Durable Fix​

Administrators should verify deployment through their usual Windows Update for Business, WSUS, Microsoft Configuration Manager, or Intune reporting. A vulnerability scanner may identify the relevant KB package, but checking the installed OS build is especially useful where later cumulative updates have superseded the original July package.
Endpoints that cannot be patched immediately should be kept away from untrusted RDP destinations. Users and help-desk staff should also be warned not to open unsolicited .rdp files or follow instructions that direct them to unfamiliar Remote Desktop servers.
CVE-2026-54126 was published on July 14, 2026, and the NVD had not yet completed its independent enrichment as of July 15. Microsoft’s supplied assessment nevertheless identifies the vulnerable code class, attack requirements, affected releases, and fixed build boundaries.
For most environments, this is a planned-but-prompt Patch Tuesday deployment rather than a disconnect-the-network emergency. The decisive milestone is whether every RDP-capable Windows client, server, jump box, and administrative workstation has crossed the applicable July 2026 patched build threshold.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top