Microsoft has confirmed a new information disclosure vulnerability in the Windows Remote Desktop Protocol (RDP) that could allow unauthenticated attackers to read sensitive memory contents from vulnerable servers. Tracked as CVE-2026-45639 and rated Important, the flaw was disclosed on June 9, 2026, as part of the company’s monthly security update cycle. The vulnerability stems from an out-of-bounds read in the RDP protocol implementation, enabling a remote attacker to craft malicious packets that force the server to leak memory—potentially exposing credentials, encryption keys, or other confidential data.

What is CVE-2026-45639?

CVE-2026-45639 is a security vulnerability in Microsoft’s implementation of the Remote Desktop Protocol. It is classified as an information disclosure bug, meaning it can reveal information but does not directly enable code execution or privilege escalation. The underlying cause is an out-of-bounds (OOB) read, a classic memory safety error where the software accesses data beyond the bounds of an allocated buffer. In the context of RDP, this likely occurs during the processing of specific protocol sequences—such as connection negotiation, channel setup, or session licensing—allowing an attacker to query server memory without first authenticating.

Microsoft’s advisory categorizes the attack vector as low complexity and requiring no user interaction. An unauthenticated attacker can exploit the flaw by sending specially crafted RDP packets to a target system. While the vulnerability does not grant the attacker control over which memory is read, repeated exploitation could map out portions of server memory over time, yielding a patchwork of sensitive information.

Technical Breakdown

An out-of-bounds read vulnerability occurs when software trusts an incoming value, such as a length field in a network packet, without proper validation, causing it to read memory locations outside the intended buffer. In RDP, the protocol uses numerous TPKT/COTP messages, virtual channel exchanges, and security handshake steps. A malformed field in one of these messages could trick the server’s RDP stack into misinterpreting a pointer or buffer size, resulting in an OOB read that sends the unintended memory contents back to the attacker.

For example, during the initial connection sequence, the RDP server may request certain client capabilities or license information. If the server’s parsing logic fails to check the bounds of a variable-length buffer, an attacker can supply a crafted packet that triggers a memory read beyond that buffer’s allocated region. The leaked data could include stack or heap memory fragments containing session keys, cached credentials, or even data from other active RDP sessions on the same server.
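The bounds checks described above, as an added example (not Microsoft's code and not the code path behind CVE-2026-45639): a C parser that validates TPKT framing and a length-prefixed field before copying it out. The TPKT header follows RFC 1006; the payload field layout, the function name, the status codes and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { TPKT_HDR_LEN = 4, TPKT_VERSION = 3 };
enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_BAD_HEADER,
                    PARSE_FIELD_OVERRUN, PARSE_OUT_TOO_SMALL };

/* Constructed frames. TPKT header (RFC 1006): version, reserved, 16-bit
 * big-endian length including the header. The payload layout
 * [u16 little-endian field length][field data] is HYPOTHETICAL. */
static const uint8_t SAMPLE_OK[]        = {3, 0, 0, 9, 3, 0, 'a', 'b', 'c'};
static const uint8_t SAMPLE_BAD_FIELD[] = {3, 0, 0, 9, 0xFF, 0, 'a', 'b', 'c'};
static const uint8_t SAMPLE_BAD_FRAME[] = {3, 0, 1, 0, 3, 0, 'a', 'b', 'c'};

/* `received` is the byte count actually read from the socket. */
enum parse_status parse_frame(const uint8_t *buf, size_t received,
                              uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (received < TPKT_HDR_LEN) return PARSE_TRUNCATED;
    if (buf[0] != TPKT_VERSION)  return PARSE_BAD_HEADER;
    size_t frame_len = ((size_t)buf[2] << 8) | buf[3];
    if (frame_len < TPKT_HDR_LEN) return PARSE_BAD_HEADER;
    /* Declared frame length may not exceed what was really received. */
    if (frame_len > received)     return PARSE_TRUNCATED;

    const uint8_t *payload = buf + TPKT_HDR_LEN;
    size_t payload_len = frame_len - TPKT_HDR_LEN;
    if (payload_len < 2) return PARSE_TRUNCATED;

    size_t field_len = (size_t)payload[0] | ((size_t)payload[1] << 8);
    /* The check whose absence is the out-of-bounds read: compare the
     * sender's length with the bytes left in the frame. Subtracting on
     * the trusted side means the comparison cannot wrap. */
    if (field_len > payload_len - 2) return PARSE_FIELD_OVERRUN;
    if (field_len > out_cap)         return PARSE_OUT_TOO_SMALL;

    memcpy(out, payload + 2, field_len);
    *out_len = field_len;
    return PARSE_OK;
}

int main(void)
{
    uint8_t out[16]; size_t n = 0;
    return parse_frame(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out, &n) != PARSE_OK
        || parse_frame(SAMPLE_BAD_FIELD, sizeof SAMPLE_BAD_FIELD, out, sizeof out, &n) == PARSE_OK
        || parse_frame(SAMPLE_BAD_FRAME, sizeof SAMPLE_BAD_FRAME, out, sizeof out, &n) == PARSE_OK;
}
```

Without the `field_len` comparison, the `memcpy` would copy up to 255 bytes from a 9-byte receive buffer for `SAMPLE_BAD_FIELD`, returning whatever memory follows it.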

Despite its classification as Important rather than Critical, the unauthenticated nature of the flaw makes it a serious concern for any Windows machine with RDP exposed to untrusted networks. Information disclosure bugs are often used as reconnaissance tools or chained with other exploits to achieve more severe compromise.

Affected Systems

Microsoft has not published an exhaustive list of affected platforms in its initial advisory, but CVE-2026-45639 impacts all supported versions of Windows that include the Remote Desktop service. This typically encompasses:

  • Windows 10 (all supported editions)
  • Windows 11 (versions 23H2, 24H2, and later)
  • Windows Server 2016, 2019, and 2022
  • Windows Server 2025 (if already released)
  • Potentially older, out-of-support versions if they share the same RDP codebase

Specific KB articles and security-only updates have been released for each platform. Administrators should consult the Microsoft Security Update Guide for precise patch numbers and download links. Notably, the vulnerability affects both Standard and Datacenter editions, and is independent of the RDP role configuration—any system with the Remote Desktop service enabled, even if not actively used for remote administration, is theoretically vulnerable.

Exploitation and Impact

An attacker successfully exploiting CVE-2026-45639 could collect arbitrary fragments of kernel or user-mode memory from the target RDP server. While they cannot directly control which memory addresses are read, a persistent attacker can repeatedly trigger the bug and statistically accumulate sensitive data. Potential exposure includes:

  • Encryption keys: TLS private keys used to secure RDP connections, which could then be used to decrypt captured traffic.
  • Authentication tokens: NTLM hashes, Kerberos tickets, or plaintext credentials that happen to reside in memory.
  • Session data: Clipboard contents, displayed screen data, or typed inputs from other users’ RDP sessions.

Because the attack requires no authentication, threat actors can scan the internet for exposed RDP ports (TCP 3389) and launch exploitation at scale. In internal networks, a compromised workstation could pivot to RDP servers and harvest secrets for lateral movement. Although no proof-of-concept code was publicly available at the time of disclosure, past history with RDP vulnerabilities suggests that working exploits often surface within days or weeks.

Patch Guidance and Mitigations

Microsoft addressed CVE-2026-45639 in its June 2026 security updates. The patches correct the bounds-checking logic in the affected RDP components, preventing the out-of-bounds read. All organizations using Windows systems with RDP should prioritize deployment of these patches, especially on perimeter-accessible servers.

To apply the fix:
1. Open Windows Update and check for updates, or visit the Microsoft Update Catalog to download the specific package for your operating system.
2. For managed environments, deploy updates via WSUS, Microsoft Endpoint Configuration Manager, or other patch management tools.
3. Reboot affected systems as required.

If immediate patching is not feasible, temporary workarounds can reduce risk:
- Disable Remote Desktop: If RDP is not essential, disable the service entirely via System Properties or Group Policy.
- Network restrictions: Use firewalls to limit RDP access to trusted IP ranges or VPN connections only.
- Enable Network Level Authentication (NLA): While the vulnerability is described as unauthenticated, NLA forces authentication before the RDP session is established, which may block some attack paths—though Microsoft has not confirmed that NLA fully mitigates this specific flaw.
- RDP Gateways: Deploy RD Gateway with proper SSL/TLS inspection to proxy connections, adding an additional layer that could filter malicious packets.

Community Response and Detection

On Windows forums and IT community sites, administrators are actively discussing the implications of CVE-2026-45639. Early reactions highlight the challenge of securing RDP in environments where remote access is critical. Several forum members noted that they have already observed increased RDP scan activity following the disclosure, though no confirmed in-the-wild exploits have been reported yet.

For detection, security teams can monitor Windows event logs for anomalous RDP connection attempts, particularly those with unusual packet sizes or protocol errors. Intrusion detection systems (IDS) and network monitoring tools can be tuned to flag malformed RDP traffic. Additionally, memory dump analysis on suspect servers may reveal unusual read patterns if exploitation is suspected.

Historical Context and Lessons

CVE-2026-45639 is the latest in a long line of RDP-related vulnerabilities Microsoft has addressed over the years. Notable predecessors include the infamous BlueKeep (CVE-2019-0708), a remote code execution flaw that prompted a global patching frenzy, and DejaBlue (CVE-2019-1181/1182), another set of wormable RDP bugs. While this new disclosure is only an information leak, it reinforces the persistent attack surface presented by RDP.

For IT administrators, the vulnerability underscores three enduring principles:
1. Patch promptly: Monthly security updates are non-negotiable for any internet-facing service.
2. Minimize exposure: RDP should never be exposed to the open internet without a VPN, RD Gateway, or Zero Trust network model.
3. Layer defenses: Even with patching, defense-in-depth—including network segmentation, multifactor authentication, and continuous monitoring—remains essential.

Looking Ahead

As organizations apply the June 2026 patches, attention will turn to the broader ecosystem. Third-party RDP clients and servers, such as those used in virtualization and cloud platforms, may also be affected if they share the vulnerable code. Microsoft is unlikely to release further technical details until the update has been widely adopted, but the security community expects a detailed technical write-up to emerge in the coming weeks.

For now, the key takeaway is straightforward: verify your patch level for CVE-2026-45639, confirm that your RDP endpoints are not exposed unnecessarily, and stay vigilant for any signs of exploitation. The window between patch release and exploit development is often narrow, and this vulnerability’s unauthenticated nature makes it an attractive target for attackers worldwide.