CVE-2026-50445: Patch Windows RDP Memory Disclosure Flaw

Microsoft has patched CVE-2026-50445, an Important-rated information-disclosure vulnerability in Windows Remote Desktop Protocol that can expose sensitive memory contents to an unauthenticated attacker over a network. The flaw affects supported Windows 10, Windows 11, and Windows Server releases, making the July 14, 2026 security updates the required fix for most installations.
Detailed in Microsoft’s Security Update Guide and published with the July 2026 Patch Tuesday release, CVE-2026-50445 carries a CVSS 3.1 base score of 6.5. Microsoft describes the underlying weakness as a buffer over-read in Windows RDP, while the National Vulnerability Database maps it to CWE-126 and is still awaiting its own enrichment assessment.
Microsoft says the vulnerability was not publicly disclosed or exploited when the advisory was released. Its exploitability assessment is Exploitation Less Likely, but that rating should not be mistaken for a reason to leave internet-facing or business-critical RDP systems unpatched.

Cybersecurity concept showing servers, firewalls, RDP protection, malware threats, and network monitoring.A Buffer Over-Read Puts Confidentiality at Risk​

A buffer over-read occurs when software reads beyond the intended boundary of a memory buffer. The data returned from that unintended region can contain fragments belonging to another operation or component, potentially revealing information that the requester should never receive.
Microsoft’s CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. That translates into a network-accessible attack with low complexity and no privileges required, although successful exploitation requires user interaction. Microsoft has not publicly detailed the exact interaction, the RDP message involved, or the type of information that could be exposed.
The confidentiality impact is rated High, while integrity and availability impacts are both rated None. In other words, CVE-2026-50445 is not documented as allowing code execution, data modification, privilege escalation, or an RDP service outage by itself. Its documented consequence is unauthorized disclosure.
That distinction matters because RDP vulnerabilities are often discussed as though every flaw could become a wormable remote-code-execution event. This one does not carry that profile. It is nevertheless relevant to defenders because leaked memory can contain operational data that assists reconnaissance or supports a later stage of an attack.
The requirement for user interaction also complicates the phrase “unauthorized attacker over a network.” The CVSS vector confirms that an attacker does not need an existing account or privileges, but some action by a victim remains necessary. Until Microsoft publishes a fuller scenario, administrators should avoid assuming that simply exposing TCP port 3389 is sufficient for exploitation—or that the interaction requirement makes exposed systems safe.

The Affected List Spans Multiple Windows Generations​

The CVE record covers a broad range of client and server versions. Affected client releases include Windows 10 versions 1607, 1809, 21H2, and 22H2, as well as Windows 11 versions 24H2, 25H2, and 26H1.
On the server side, Microsoft identifies Windows Server 2012 and subsequent supported generations through Windows Server 2025, including corresponding Server Core installations where listed. That breadth points to shared RDP code rather than a regression confined to a single recent Windows branch.
Microsoft’s published fixed-build thresholds include:
  • Windows 10 version 1607 and Windows Server 2016 are fixed at build 14393.9339.
  • Windows 10 version 1809 and Windows Server 2019 are fixed at build 17763.9020.
  • Windows 10 versions 21H2 and 22H2 are fixed at builds 19044.7548 and 19045.7548, respectively.
  • Windows 11 version 24H2 and Windows Server 2025 are fixed at build 26100.8875.
  • Windows 11 version 25H2 is fixed at build 26200.8875.
  • Windows 11 version 26H1 had a fixed threshold of build 28000.2269 in the CVE record, with newer servicing builds also available.
Administrators should verify the installed cumulative update rather than treating an enabled Windows Update service as proof of remediation. Devices can remain below the fixed build because of paused updates, deployment rings, safeguard holds, failed installations, disconnected servicing, or pending restarts.
Older Windows Server installations deserve particular attention. Windows Server 2012 systems generally receive security servicing through Extended Security Updates, and organizations still running them may use separate deployment workflows from their regular Windows Update or Windows Server Update Services estate. An RDP server can therefore remain vulnerable even when newer servers in the same environment have already completed the July rollout.

RDP Exposure Still Determines Operational Priority​

Microsoft’s 6.5 score places CVE-2026-50445 in the Medium CVSS band, while Microsoft assigns an Important maximum severity rating. For enterprise patching, the useful question is not whether the number looks modest, but where the vulnerable RDP implementation is reachable and what data the host processes.
Internet-facing Remote Desktop Session Hosts, administrative jump servers, support workstations, virtual desktop infrastructure, and systems reachable from guest or contractor networks should move toward the front of the deployment queue. Domain controllers and management servers should also receive prompt attention if RDP is enabled, even when perimeter controls prevent direct internet access.
The immediate response remains installation of the applicable July 2026 cumulative security update. Microsoft has published an official fix, and no separate workaround or mitigation has been documented for CVE-2026-50445.
Existing RDP hardening still reduces exposure while updates move through testing:
  • Administrators should keep TCP and UDP port 3389 closed at the public perimeter unless there is an unavoidable operational requirement.
  • Remote access should be placed behind a VPN, Remote Desktop Gateway, zero-trust access proxy, or similarly controlled entry point.
  • Windows Defender Firewall rules should limit RDP sources to approved management networks and jump hosts.
  • Network Level Authentication should remain enabled, although Microsoft has not stated that NLA blocks this vulnerability.
  • Unused Remote Desktop Services should be disabled rather than left listening for occasional administrative convenience.
  • Security teams should monitor unexpected RDP connection attempts and user prompts while Microsoft’s published exploitation scenario remains limited.
These controls are not substitutes for the update. In particular, the CVSS designation of no privileges required means authentication controls alone should not be treated as a guaranteed barrier. Network restrictions reduce the number of systems and users an attacker can reach; the cumulative update removes the vulnerable code path.

“Confirmed” Describes Evidence, Not Active Exploitation​

The report-confidence metric included with the advisory is Confirmed. That classification means Microsoft, as the vendor and assigning authority, has confirmed the flaw and its technical basis. It does not mean exploitation has been confirmed in the wild.
At publication on July 14, Microsoft marked CVE-2026-50445 as not publicly disclosed and not exploited. It also rated exploitation less likely for the latest software release. The National Vulnerability Database received the Microsoft record the same day but had not yet supplied an independent CVSS assessment as of July 15.
Those details provide useful context for triage. There is no disclosed emergency requiring administrators to disconnect every RDP host immediately, but there is also little benefit in delaying a security update that corrects a network-reachable memory-disclosure condition across both desktop and server Windows editions.
Information-disclosure bugs can also become more important after researchers reverse-engineer the patch. Comparing pre-update and post-update RDP components may reveal the affected parsing path, clarify the required interaction, and determine whether leaked memory can expose credentials, session material, addresses, or only lower-value process data. Microsoft’s advisory does not currently answer those questions.
Organizations deploying the July updates should record fixed OS builds in vulnerability-management tooling and rescan RDP-capable assets after reboots. The practical milestone is straightforward: every reachable Windows RDP endpoint should be on the July 14, 2026 security level or a later cumulative update, with legacy servers checked separately rather than assumed to have followed the main deployment ring.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top