CVE-2026-58546: Patch Windows RDP Client Data Leak July 14

Microsoft’s July 14, 2026 security updates fix CVE-2026-58546, a Windows Remote Desktop Client information-disclosure vulnerability that could let an unauthenticated attacker obtain data from a targeted machine over a network. The issue affects the client side of Remote Desktop rather than a Windows system merely configured to accept inbound RDP connections, making prompt patching especially important on administrator workstations, help-desk endpoints, jump boxes, and devices used to open .rdp files.
Microsoft’s Security Response Center describes the flaw as a use of an uninitialized resource in Windows RDP. NIST’s National Vulnerability Database has recorded Microsoft’s CVSS 3.1 rating as 6.5, Medium, with a vector that requires network reachability, no prior privileges, and user interaction. In practical terms, the vulnerable code path is likely reached when a user initiates or accepts a Remote Desktop connection crafted to trigger the problem; it is not described as a wormable server-side RDP flaw.
The July 14 release date matters. This is a Patch Tuesday fix now included in the latest cumulative updates for affected Windows releases, so organizations that have already completed their July servicing rollout should be covered. Those that defer workstation patches or maintain separately managed server and admin-device rings should treat RDP-capable endpoints as a distinct verification target.

A cybersecurity dashboard shows a secure remote desktop setup flagging a suspicious unknown-source RDP file.The Risk Is Data Exposure, Not Remote Code Execution​

CVE-2026-58546 is classified under CWE-908, Use of Uninitialized Resource. That weakness occurs when software uses a resource before it has been properly initialized, potentially exposing residual data or allowing an attacker to influence how the software handles memory or state.
Microsoft’s scoring indicates high confidentiality impact but no direct integrity or availability impact. That distinction is useful: this advisory does not say an attacker can run code, alter files, or crash Windows through the flaw. It does say the outcome could be disclosure of information, which is still a serious concern where the RDP client handles credentials, session material, clipboard content, mapped-drive metadata, internal hostnames, or sensitive work performed from privileged administration devices.
The requirement for user interaction should not be mistaken for a reason to postpone deployment. Remote Desktop connections are routinely initiated through saved .rdp files, published application workflows, remote-support tooling, email attachments, intranet portals, and handoffs between IT staff. Any environment where users connect to systems they do not fully control—or where an attacker could redirect a connection—has a plausible social-engineering angle.
NVD has not yet completed its independent enrichment of the record, but it reproduces Microsoft’s severity assessment and affected-version data. CISA’s SSVC entry currently marks exploitation as “none,” the flaw as not automatable, and the technical impact as partial. That means there is no public indication of active exploitation as of July 15, 2026, not that the vulnerability is harmless or that exploitation is impossible.

July’s Cumulative Updates Establish the Patch Line​

Microsoft lists a broad set of Windows client and server releases as affected, including Windows 10, Windows 11, Windows Server 2012 through Windows Server 2025, and Server Core installations. The practical remediation is to install the July 14 cumulative update or a later cumulative update for each supported servicing channel.
For the most commonly deployed desktop releases, Microsoft’s published fixed build thresholds are:
ProductProtected at or above
Windows 10 version 21H2OS Build 19044.7548
Windows 10 version 22H2OS Build 19045.7548
Windows 11 version 24H2OS Build 26100.8875
Windows 11 version 25H2OS Build 26200.8875
Windows 11 version 26H1OS Build 28000.2525
Microsoft’s July update documentation identifies KB5099539 as the package bringing Windows 10 21H2 and 22H2 to build 19044.7548 and 19045.7548 in the applicable ESU and LTSC channels. On Windows 11 24H2 and 25H2, KB5101650 brings systems to builds 26100.8875 and 26200.8875. Windows 11 26H1 receives build 28000.2525 through KB5101649.
Windows Server fleets need the same attention. Microsoft’s affected-version list places the remediation thresholds at build 14393.9339 for Windows Server 2016, 17763.9020 for Windows Server 2019, 20348.5386 for Windows Server 2022, and 26100.33158 for Windows Server 2025. Windows Server 2012 and 2012 R2 are also listed, at build 9200.26226 and 9600.23291 respectively, for systems still receiving the relevant extended servicing.
Administrators should validate installed builds rather than relying only on a successful deployment report. A Windows Update client can report compliance with a policy while a device remains pending restart, has rolled back an update, or sits in an exception ring. winver, the Settings update history, endpoint-management inventory, or a PowerShell build query can provide the needed confirmation.

RDP File Hygiene Is Still Part of the Fix​

The timing coincides with Microsoft’s continuing effort to harden the Remote Desktop Connection experience around .rdp files. Beginning with the April 2026 security updates, Microsoft introduced stronger warnings when users open RDP files and switched requested local-resource redirections off by default until a user explicitly enables them.
That change was designed to counter a different but adjacent risk: a malicious RDP file can steer a victim toward an attacker-controlled host and request access to local resources. Microsoft’s Remote Desktop guidance notes that redirected drives, clipboard data, smart cards, Windows Hello for Business credentials, WebAuthn authenticators, cameras, microphones, printers, and USB devices can create substantial exposure when granted to an untrusted remote system.
CVE-2026-58546 should therefore be handled as a patching issue first, but it reinforces the same operational lesson: Remote Desktop is not just a network service. On an administrator endpoint, the RDP client is a high-value application that bridges local resources, identity, and remote infrastructure.
Organizations should ensure that their deployment practices match that reality:
  • Apply the July 2026 cumulative update or a newer release to all Windows systems used to initiate Remote Desktop sessions.
  • Prioritize privileged access workstations, help-desk desktops, virtual desktop pools, server-management jump hosts, and engineering devices with saved RDP connections.
  • Restrict delivery of unsolicited .rdp files through mail and web controls, and require users to verify unexpected connection files through a separate channel.
  • Review which local resources are redirected into remote sessions, particularly drives, clipboard, smart cards, WebAuthn devices, cameras, and microphones.
  • Use signed RDP files and trusted-publisher policies where RDP files are a standard part of the environment.

A Broad Client Surface Makes Inventory the Hard Part​

The affected-product list is broader than the word “client” initially suggests because the Remote Desktop client is present on desktops and servers alike. A Server Core installation may not be anyone’s idea of a traditional desktop endpoint, but Microsoft still lists Server Core variants where the relevant RDP client components are available.
That is why scanning only internet-facing RDP servers would miss the point. An enterprise can have Network Level Authentication, firewall rules, an RD Gateway, MFA, and no exposed TCP 3389 listener—and still need to patch machines that use Remote Desktop to reach internal systems. The risk begins where a vulnerable Windows RDP client processes an attacker-controlled or compromised remote connection.
There is no indication that users need to disable Remote Desktop globally, revoke all saved connections, or make emergency configuration changes before installing the update. Microsoft has issued a standard security fix, CISA currently reports no known exploitation, and the CVSS score reflects a user-interaction requirement. But a Medium-rated disclosure flaw on a privileged admin endpoint can have outsized consequences because the information exposed may help an attacker move from a low-trust connection to higher-value systems.
The immediate milestone is simple: verify that every system which launches Remote Desktop Connection has crossed its July 14, 2026 build threshold. After that, the more durable work is making sure unexpected .rdp files—and the local resources they request—do not become the route attackers use to reach the patched client in the first place.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
 

Back
Top