Microsoft has patched CVE-2026-54990, a heap-based buffer overflow in the Windows Remote Desktop Client that could let an unauthenticated attacker execute code across a network. The flaw carries a CVSS 3.1 score of 9.8 out of 10, making July’s cumulative Windows updates a priority for organizations whose employees or administrators regularly initiate Remote Desktop connections.
Microsoft disclosed the vulnerability through the Microsoft Security Response Center on July 14, 2026, classifying it as Important despite the near-maximum CVSS score. Zero Day Initiative’s July security update review confirms that Microsoft had not identified public disclosure or active exploitation when the update shipped.
The practical concern is on the client side: a Windows computer can be placed at risk when its Remote Desktop software communicates with infrastructure controlled or compromised by an attacker. That shifts attention from the familiar problem of exposed RDP servers to the workstations and administrative jump boxes used to reach them.
Remote Desktop security discussions usually start with TCP port 3389, internet-facing servers, weak credentials, and Network Level Authentication. CVE-2026-54990 requires a different threat model because the affected component is the Remote Desktop Client, not simply the service accepting inbound RDP sessions.
Microsoft’s CVSS vector indicates a network-reachable attack with low complexity, no required privileges, and no user interaction. A successful exploit could compromise confidentiality, integrity, and availability, the three impact categories that produce the vulnerability’s 9.8 base score.
The underlying weakness is identified as CWE-122, a heap-based buffer overflow. Such flaws arise when software writes more data into a heap allocation than the allocation can hold, potentially corrupting adjacent memory. If an attacker can control the malformed data and the resulting memory state, the crash condition may be developed into arbitrary code execution.
Microsoft has not publicly provided exploit code or a detailed packet-level walkthrough. Administrators should therefore avoid assuming that a particular RDP option, authentication method, gateway configuration, or firewall rule eliminates the issue unless Microsoft explicitly documents that mitigation.
The client-side classification suggests that an attacker would need to influence the Remote Desktop endpoint or traffic processed by the client. That could include persuading a target to connect to an attacker-controlled system, compromising an RDP host that administrators already trust, or redirecting a connection through supporting infrastructure. These are plausible scenarios based on the affected component and score, rather than attack paths Microsoft has fully documented.
The July 14 cumulative updates move supported systems to patched build levels:
Microsoft says it is not currently aware of any issues affecting KB5101650. The Windows Server 2025 release notes retain a previously documented WSUS reporting limitation, but do not identify a new known issue specific to the Remote Desktop correction.
Administrators should verify installation by checking the operating-system build rather than relying solely on a successful deployment status in an endpoint-management console. Machines that were powered off, disconnected from VPN, excluded by a servicing ring, or left in a pending-restart state can appear covered in inventory reports while still running vulnerable files.
Server Core should not be treated as exempt merely because it lacks the full desktop shell. Microsoft explicitly lists Windows Server 2025 Server Core as affected, which matters for hardened management hosts and infrastructure servers where administrators may assume that a reduced graphical footprint removes client-oriented exposure.
Microsoft severity ratings incorporate product-specific attack scenarios and expected exploitation paths, while CVSS represents technical characteristics through a standardized scoring model. An Important label can therefore coexist with a high score if Microsoft believes exploitation depends on circumstances not adequately communicated by the compact vector.
That distinction should inform prioritization, but it should not become an excuse to delay the fix. CVE-2026-54990 combines remote code execution, network reachability, low attack complexity, no privileges, and no user interaction in its published metrics. Even without evidence of exploitation, those properties justify expedited testing and deployment on systems that make outbound RDP connections.
The absence of known exploitation is a snapshot taken when Microsoft published the advisory on July 14. It does not predict how quickly researchers or threat actors may reverse-engineer the updated binaries, particularly now that patched and unpatched versions can be compared.
Microsoft marks the report confidence as confirmed, meaning the vulnerability’s existence has been acknowledged and sufficient technical evidence is available to validate it. That status is not an indication that public exploit instructions already exist, but it removes uncertainty over whether the underlying security defect is real.
A malicious or compromised RDP endpoint could be especially dangerous in environments where administrators routinely connect to temporary virtual machines, customer systems, laboratory networks, or recovery hosts. An attacker who compromises one destination may be able to target the more valuable client connecting to it, reversing the usual assumption that the administrator’s workstation is the trusted side of the session.
Until updates are fully deployed, IT teams can reduce exposure by limiting RDP connections to known destinations, routing administrative access through controlled gateways, and avoiding unsolicited
Those hardening changes are useful, but they should not be mistaken for substitutes for the CVE fix. Restricting destinations and signed connection files may reduce opportunities to direct users toward malicious endpoints; only installation of the relevant security update corrects the vulnerable Remote Desktop Client code.
Security teams should also monitor unexpected outbound RDP traffic and connections to newly registered, unmanaged, or unusual hosts. Endpoint detection products may identify suspicious child processes, memory corruption, or post-exploitation behavior even if they cannot recognize the initial malformed RDP exchange.
Remote Desktop alone received multiple corrections. July’s release includes the Critical-rated CVE-2026-50474 and Important-rated CVE-2026-58594, both also described as Remote Desktop Client remote-code-execution vulnerabilities. Microsoft additionally addressed CVE-2026-56190 in Remote Desktop Protocol, several RDP information-disclosure bugs, and CVE-2026-58626 in Windows Remote Desktop Services.
That concentration makes selective deployment risky. Applying a narrow workaround for CVE-2026-54990 would leave other July Remote Desktop weaknesses unresolved, while installing the supported cumulative update addresses the component as part of Microsoft’s tested servicing package.
For enterprise IT, the immediate milestone is straightforward: deploy KB5101650, KB5101649, or KB5099536 according to the installed Windows release, complete the required restart, and verify the resulting build. Privileged systems that initiate RDP sessions should be patched first, because CVE-2026-54990 turns the machine opening the connection into the potential target.
Microsoft disclosed the vulnerability through the Microsoft Security Response Center on July 14, 2026, classifying it as Important despite the near-maximum CVSS score. Zero Day Initiative’s July security update review confirms that Microsoft had not identified public disclosure or active exploitation when the update shipped.
The practical concern is on the client side: a Windows computer can be placed at risk when its Remote Desktop software communicates with infrastructure controlled or compromised by an attacker. That shifts attention from the familiar problem of exposed RDP servers to the workstations and administrative jump boxes used to reach them.
A Client Flaw Changes the Direction of Attack
Remote Desktop security discussions usually start with TCP port 3389, internet-facing servers, weak credentials, and Network Level Authentication. CVE-2026-54990 requires a different threat model because the affected component is the Remote Desktop Client, not simply the service accepting inbound RDP sessions.Microsoft’s CVSS vector indicates a network-reachable attack with low complexity, no required privileges, and no user interaction. A successful exploit could compromise confidentiality, integrity, and availability, the three impact categories that produce the vulnerability’s 9.8 base score.
The underlying weakness is identified as CWE-122, a heap-based buffer overflow. Such flaws arise when software writes more data into a heap allocation than the allocation can hold, potentially corrupting adjacent memory. If an attacker can control the malformed data and the resulting memory state, the crash condition may be developed into arbitrary code execution.
Microsoft has not publicly provided exploit code or a detailed packet-level walkthrough. Administrators should therefore avoid assuming that a particular RDP option, authentication method, gateway configuration, or firewall rule eliminates the issue unless Microsoft explicitly documents that mitigation.
The client-side classification suggests that an attacker would need to influence the Remote Desktop endpoint or traffic processed by the client. That could include persuading a target to connect to an attacker-controlled system, compromising an RDP host that administrators already trust, or redirecting a connection through supporting infrastructure. These are plausible scenarios based on the affected component and score, rather than attack paths Microsoft has fully documented.
Windows 11 and Server 2025 Are in the Patch Path
Microsoft’s published affected-product data identifies Windows 11 versions 24H2, 25H2, and 26H1, along with Windows Server 2025 and its Server Core installation option. Both x64 and Arm64 Windows 11 systems are included where applicable.The July 14 cumulative updates move supported systems to patched build levels:
- Windows 11 versions 24H2 and 25H2 receive KB5101650, bringing the operating systems to builds 26100.8875 and 26200.8875 respectively.
- Windows 11 version 26H1 receives KB5101649, moving systems to build 28000.2525.
- Windows Server 2025 receives KB5099536, moving systems to build 26100.33158.
Microsoft says it is not currently aware of any issues affecting KB5101650. The Windows Server 2025 release notes retain a previously documented WSUS reporting limitation, but do not identify a new known issue specific to the Remote Desktop correction.
Administrators should verify installation by checking the operating-system build rather than relying solely on a successful deployment status in an endpoint-management console. Machines that were powered off, disconnected from VPN, excluded by a servicing ring, or left in a pending-restart state can appear covered in inventory reports while still running vulnerable files.
Server Core should not be treated as exempt merely because it lacks the full desktop shell. Microsoft explicitly lists Windows Server 2025 Server Core as affected, which matters for hardened management hosts and infrastructure servers where administrators may assume that a reduced graphical footprint removes client-oriented exposure.
The “Important” Rating Should Not Slow Deployment
The contrast between Microsoft’s Important severity label and the 9.8 CVSS score is likely to create confusion in patch dashboards. Zero Day Initiative called out CVE-2026-54990 as one of several July vulnerabilities showing that Microsoft’s severity categories do not always track directly with numerical CVSS ratings.Microsoft severity ratings incorporate product-specific attack scenarios and expected exploitation paths, while CVSS represents technical characteristics through a standardized scoring model. An Important label can therefore coexist with a high score if Microsoft believes exploitation depends on circumstances not adequately communicated by the compact vector.
That distinction should inform prioritization, but it should not become an excuse to delay the fix. CVE-2026-54990 combines remote code execution, network reachability, low attack complexity, no privileges, and no user interaction in its published metrics. Even without evidence of exploitation, those properties justify expedited testing and deployment on systems that make outbound RDP connections.
The absence of known exploitation is a snapshot taken when Microsoft published the advisory on July 14. It does not predict how quickly researchers or threat actors may reverse-engineer the updated binaries, particularly now that patched and unpatched versions can be compared.
Microsoft marks the report confidence as confirmed, meaning the vulnerability’s existence has been acknowledged and sufficient technical evidence is available to validate it. That status is not an indication that public exploit instructions already exist, but it removes uncertainty over whether the underlying security defect is real.
Administrative Workstations Carry the Highest Operational Risk
CVE-2026-54990 deserves special attention on privileged access workstations, help-desk systems, jump servers, developer machines, and IT laptops. These devices often initiate connections to many servers and may hold credentials, management tools, VPN access, SSH keys, browser sessions, and administrative tokens that amplify the impact of a client compromise.A malicious or compromised RDP endpoint could be especially dangerous in environments where administrators routinely connect to temporary virtual machines, customer systems, laboratory networks, or recovery hosts. An attacker who compromises one destination may be able to target the more valuable client connecting to it, reversing the usual assumption that the administrator’s workstation is the trusted side of the session.
Until updates are fully deployed, IT teams can reduce exposure by limiting RDP connections to known destinations, routing administrative access through controlled gateways, and avoiding unsolicited
.rdp files. Microsoft’s July Windows 11 update also adds support for SHA-2 certificate thumbprints for trusted RDP publishers and supplies new Group Policy guidance for controlling which RDP files users can open.Those hardening changes are useful, but they should not be mistaken for substitutes for the CVE fix. Restricting destinations and signed connection files may reduce opportunities to direct users toward malicious endpoints; only installation of the relevant security update corrects the vulnerable Remote Desktop Client code.
Security teams should also monitor unexpected outbound RDP traffic and connections to newly registered, unmanaged, or unusual hosts. Endpoint detection products may identify suspicious child processes, memory corruption, or post-exploitation behavior even if they cannot recognize the initial malformed RDP exchange.
July’s RDP Fixes Extend Beyond One CVE
CVE-2026-54990 arrived in an unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft vulnerabilities, including 145 remote-code-execution flaws and three zero-days across the wider product portfolio.Remote Desktop alone received multiple corrections. July’s release includes the Critical-rated CVE-2026-50474 and Important-rated CVE-2026-58594, both also described as Remote Desktop Client remote-code-execution vulnerabilities. Microsoft additionally addressed CVE-2026-56190 in Remote Desktop Protocol, several RDP information-disclosure bugs, and CVE-2026-58626 in Windows Remote Desktop Services.
That concentration makes selective deployment risky. Applying a narrow workaround for CVE-2026-54990 would leave other July Remote Desktop weaknesses unresolved, while installing the supported cumulative update addresses the component as part of Microsoft’s tested servicing package.
For enterprise IT, the immediate milestone is straightforward: deploy KB5101650, KB5101649, or KB5099536 according to the installed Windows release, complete the required restart, and verify the resulting build. Privileged systems that initiate RDP sessions should be patched first, because CVE-2026-54990 turns the machine opening the connection into the potential target.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com