CVE-2026-50497: Patch Windows RDP Information Disclosure

CVE-2026-50497 exposes sensitive information through Windows Remote Desktop Protocol, affecting supported Windows 10, Windows 11, and Windows Server releases until administrators install Microsoft’s July 14, 2026 security updates. Microsoft rates the flaw Important with a CVSS 3.1 score of 6.5, reflecting potentially high confidentiality loss without direct code execution or system disruption.
Detailed in the Microsoft Security Response Center’s July 2026 advisory, the vulnerability is an off-by-one error that can allow an unauthorized network attacker to disclose information. The National Vulnerability Database lists the underlying weaknesses as CWE-193, an off-by-one error, and CWE-908, use of an uninitialized resource.
The vulnerability was published as part of Microsoft’s July 2026 Patch Tuesday release. Although it does not carry the Critical rating associated with RDP remote-code-execution flaws, systems exposing Remote Desktop deserve prompt patching because the attack crosses a network boundary and requires no attacker privileges.

Cybersecurity diagram showing zero-trust remote access, firewalls, and a critical July 2026 RDP security update.A Network Attack With a Human in the Loop​

Microsoft’s CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In practical terms, an attacker can reach the vulnerable component over a network, exploitation is considered low complexity, and the attacker does not need an existing account or elevated permissions.
The important constraint is UI:R, meaning user interaction is required. Microsoft’s public description does not yet spell out the exact interaction or the data structures exposed during exploitation. Administrators should therefore avoid assuming that every internet-facing RDP listener can be queried autonomously by an attacker; the available scoring indicates that a user must participate in the attack path.
That requirement reduces immediate exposure compared with a wormable, pre-authentication RDP vulnerability. It does not make the flaw harmless. Social engineering, crafted RDP connection workflows, or interactions with an attacker-controlled endpoint may provide the user-assisted path required to trigger vulnerable protocol handling.
A successful attack is scored as having a high confidentiality impact but no integrity or availability impact. CVE-2026-50497 is therefore not documented as allowing an attacker to alter files, take control of Windows, or crash the target. Its purpose in an attack chain would be disclosure: obtaining information that the attacker was not authorized to access.
The advisory’s report-confidence metric is marked confirmed. That means Microsoft, as the assigning authority and vendor, has confirmed the vulnerability rather than publishing a tentative or uncorroborated report. It does not mean that exploit code is public or that attacks have been observed.

The Vulnerable Code Spans Client and Server Generations​

The affected-product record covers a broad range of Windows builds, including editions still operating under extended servicing arrangements. Both desktop and server deployments are represented, and Server Core does not avoid the vulnerability.
Affected releases include:
  • Windows 10 versions 1607, 1809, 21H2, and 22H2 are affected below their respective July 2026 fixed builds.
  • Windows 11 versions 24H2 and 25H2 are affected below build 8875 in their corresponding servicing branches.
  • Windows 11 version 26H1 is affected below build 28000.2269.
  • Windows Server 2012 and Windows Server 2012 R2 are affected, including Server Core installations.
  • Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 are affected.
  • Windows Server 2016, 2019, and 2025 Server Core installations are explicitly included in Microsoft’s affected-product data.
The fixed build floors provide a direct way to verify remediation. Windows 10 version 1607 and Windows Server 2016 must reach build 14393.9339, while Windows 10 version 1809 and Windows Server 2019 must reach 17763.9020. Windows 10 versions 21H2 and 22H2 must reach builds 19044.7548 and 19045.7548 respectively.
Windows 11 version 24H2 must reach 26100.8875, and Windows 11 version 25H2 must reach 26200.8875. Windows 11 version 26H1 requires build 28000.2269.
On the server side, Windows Server 2012 must reach 9200.26226 and Windows Server 2012 R2 must reach 9600.23291. Windows Server 2022 requires build 20348.5386, while Windows Server 2025 requires build 26100.33158.
Those numbers are more useful than checking whether Windows Update merely reports that an update was attempted. Administrators can confirm the installed OS build with winver, PowerShell, endpoint-management inventory, or vulnerability-management tooling and compare it with the fixed floor for the relevant release.

RDP Exposure Still Shapes the Deployment Priority​

CVE-2026-50497 has a medium CVSS base score, but patch priority should account for deployment context. An RDP-enabled administrative workstation, Remote Desktop Session Host, jump server, or internet-accessible gateway presents a different risk profile from a Windows device where Remote Desktop is disabled and outbound RDP use is tightly controlled.
Organizations should identify systems that accept or initiate RDP connections, then prioritize those used by privileged administrators or exposed to untrusted networks. Remote Desktop Session Host farms and administrative jump boxes are especially sensitive because information disclosed from those systems could support later credential theft, address-layout discovery, or targeting of higher-impact weaknesses.
That last point remains an attack-chain concern rather than a documented outcome of CVE-2026-50497 itself. Microsoft has not publicly specified exactly what information can be recovered. Until deeper technical analysis emerges, defenders should distinguish the confirmed high confidentiality impact from speculation about the precise contents of leaked memory.
Network controls remain useful while cumulative updates move through testing. RDP should not be exposed directly to the public internet when a VPN, Remote Desktop Gateway, zero-trust access proxy, or other authenticated boundary can be used instead. Firewall rules should restrict TCP and UDP port 3389 to known management networks, although changing the port alone is not a meaningful security control.
Network Level Authentication is still a sensible RDP hardening measure, but Microsoft’s published scoring does not establish it as a complete mitigation for this vulnerability. Likewise, disabling clipboard, drive, printer, or device redirection can reduce data-transfer opportunities but should not be treated as a substitute for the security update.

Patch Verification Matters More Than the Severity Label​

Administrators should deploy the July 14 cumulative update for each supported Windows branch and then verify that the resulting build meets or exceeds Microsoft’s corrected version. Older Windows Server 2012 and 2012 R2 systems require particular attention because receiving patches depends on the organization’s applicable extended-support arrangement and update process.
Security teams should also review outbound RDP activity, not only inbound port exposure. The user-interaction requirement means that workstations from which help-desk personnel, developers, and administrators launch Remote Desktop connections may be relevant to the attack surface.
There is currently little public technical detail beyond Microsoft’s confirmed classification, CVSS vector, weakness identifiers, and affected build ranges. The NVD marked the record as awaiting enrichment on July 14, so independent analysis may subsequently clarify the vulnerable RDP message, the direction of the connection, and the information exposed.
For now, the operational response is straightforward: install the July 2026 Windows cumulative updates, verify the fixed build rather than relying solely on update status, and keep RDP behind authenticated network boundaries. CVE-2026-50497 is a disclosure bug, not a takeover by itself, but the systems most likely to use RDP are often the ones holding the information attackers value most.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top