On July 14, 2026, Microsoft rolled out its monthly security updates, closing a critical information disclosure hole in the Windows Remote Desktop Protocol (RDP) client. Tracked as CVE-2026-50504, the vulnerability allows an attacker to read sensitive data from the memory of any Windows machine that connects to a maliciously crafted RDP server. With a CVSS score of 6.5 and no user privileges required, the bug puts millions of devices at risk—but only if a user can be tricked into establishing a connection.
The Flaw at a Glance
CVE-2026-50504 is a buffer over-read weakness (CWE-126) in the Remote Desktop Client. When the client processes data from an RDP server, a vulnerable version can read beyond the allocated memory buffer, leaking whatever happens to reside there. Microsoft rates the confidentiality impact as “High,” meaning an attacker could potentially harvest passwords, session tokens, clipboard contents, or other application data.
Crucially, this is not a flaw in the RDP server component that listens for connections. The danger sits on the client side—the machine you use to connect to another desktop. So the attack scenario reverses the usual RDP threat model. Instead of an exposed server being breached, a compromised or fake server lies in wait for an unsuspecting victim. As soon as the user’s client establishes a session, the attacker can start reading memory from the victim’s PC.
The exploit requires user interaction (UI:R in the CVSS vector), meaning an attacker must lure or trick someone into opening a malicious RDP connection. Common tactics include phishing emails with attachment .rdp files, malicious links on websites, or even a rogue server disguised as a legitimate remote support endpoint. While this interaction requirement limits the potential for a fast-spreading worm, it’s a scenario that plays out daily in IT support, remote work, and vendor maintenance—where users routinely click connection shortcuts without a second thought.
Which Versions Need the Fix
Microsoft’s advisory covers a broad swath of the Windows ecosystem. All supported Windows 11 versions (24H2, 25H2, 26H1), Windows 10 21H2 and 22H2, and long-term servicing (LTSB/LTSC) editions like 1809 and 1607 are affected. The server side is not immune: Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025 all carry the vulnerable client code if Remote Desktop is used to connect outward—even on Server Core installations, where administrators often use RDP to manage headless systems.
The July 14 cumulative updates bumped the fixed build numbers for each release. Here’s the full matrix of vulnerable and patched builds, as published by Microsoft:
| Windows Release | Vulnerable Below Build | Fixed Build (or later) |
|---|---|---|
| Windows 11 24H2 | 26100.8875 | 26100.8875+ |
| Windows 11 25H2 | 26200.8875 | 26200.8875+ |
| Windows 11 26H1 | 28000.2269 | 28000.2269+ |
| Windows 10 22H2 | 19045.7548 | 19045.7548+ |
| Windows 10 21H2 | 19044.7548 | 19044.7548+ |
| Windows 10 1809 / Server 2019 | 17763.9020 | 17763.9020+ |
| Windows 10 1607 / Server 2016 | 14393.9339 | 14393.9339+ |
| Windows Server 2022 | 20348.5386 | 20348.5386+ |
| Windows Server 2025 | 26100.33158 | 26100.33158+ |
| Windows Server 2012 | 9200.26226 | 9200.26226+ |
| Windows Server 2012 R2 | 9600.23291 | 9600.23291+ |
For home users on Windows 11 or Windows 10, the patch arrives via Windows Update as a cumulative package. Enterprise administrators employing WSUS, System Center, or third-party patch tools can deploy it through standard channels. The update applies to all editions, including IoT and LTSC, provided they’re still under support.
What It Means for You
The risk is tangible but targeted. If you never use Remote Desktop to connect to external servers—say you only connect within your home LAN to a known machine—your practical exposure is low. But many Windows users tap into RDP for technical support, remote work, or managing cloud-hosted virtual machines. That’s where the danger lies.
Home and Small-Business Users: The most likely attack vector is a .rdp file disguised as an innocent document. An email saying “Connect to your cloud PC” with an attachment could trigger the bug immediately upon opening if your system’s file associations launch the RDP client. Even if you manually enter a server address, a typo could land you on a lookalike domain controlled by attackers. The fallout could include leaked login credentials or sensitive information visible on your screen at that moment.
IT Administrators and Support Staff: This vulnerability is a landmine for environments where help-desk technicians, system admins, and developers frequently jump between machines using RDP. A single malicious server masquerading as a customer’s PC could siphon memory contents from the administrator’s workstation—potentially compromising privileged accounts or confidential data. The fix should be prioritized on all “jump boxes” or privileged access workstations (PAWs) that originate RDP sessions.
DevOps and Cloud Teams: Even if you rely on SSH or PowerShell for most tasks, RDP remains a common fallback for Windows VMs in Azure, AWS, or on-premises. Any automated tooling that opens RDP connections to untrusted or newly provisioned endpoints could become a conduit for exploitation until patched.
Crucially, Microsoft’s advisory assigns no impact to integrity or availability, meaning the bug does not allow the attacker to modify files or crash your system. But a high confidentiality impact can be devastating on its own. Memory contents could include authentication tokens, private keys, or personal data.
How We Got Here
RDP has been a cornerstone of Windows remote connectivity for decades, and its implementation has accumulated layers of protocol handling code. Buffer over-read vulnerabilities like CWE-126 are not new; they occur when software trusts external input to stay within defined limits, reading past the end of a buffer and spilling adjacent memory. Microsoft’s SDL and fuzzing practices have eliminated many such bugs, but as the protocol evolves with features like improved graphics streaming and USB redirection, complex parsers remain a rich target for researchers.
This isn’t the first RDP client information disclosure flaw. Just last year, CVE-2023-36743 highlighted a similar issue, and the July 2026 patch batch closed multiple related vulnerabilities, according to the Zero Day Initiative. The common thread is that the client trusts data from the server in ways that weren’t fully validated. In this case, Microsoft’s CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) underscores that exploitation requires no authentication and no elevated privileges, making it a low-barrier attack once social engineering succeeds.
The fact that the National Vulnerability Database had not completed its independent analysis as of July 15 is typical; NVD enrichment often lags behind vendor publication. But the detailed CVSS score and Microsoft’s own advisory provide enough information for defenders to act.
What to Do Now
1. Install the July 2026 cumulative update. For most Windows users, the simplest path is checking Windows Update and applying all pending patches. The update history will show a KB number, but you can verify the fix by checking the OS build (winver or System > About). Compare it against the fixed build list above.
2. Validate builds, not just update status. Windows Update sometimes fails silently, or a system might be stuck on a previous feature update. PowerShell or endpoint management tools can pull the current build number in bulk. Any device that can initiate RDP sessions must be above the threshold.
3. Review outbound RDP policies. If your organization doesn’t need all workstations to reach arbitrary RDP servers over TCP 3389, block it at the firewall. Establish a small set of approved jump hosts that are aggressively patched and monitored. This reduces the number of potential victims.
4. Treat .rdp files as executable content. Just as you wouldn’t open a random .exe from an email, treat .rdp attachments with extreme skepticism. Configure mail filters to flag or strip .rdp files, and train users to avoid double-clicking connection shortcuts they didn’t expect. For power users, consider changing the default program for .rdp to Notepad so that opening one reveals its plain-text contents rather than launching the client.
5. Harden administrative workstations. Apply the principle of least privilege: administrators should not browse the web, read email, or perform daily tasks from the same machine they use for sensitive RDP connections. Use dedicated PAWs that are fully patched and have limited access to untrusted networks.
6. Monitor for exploitation. While there are no known active attacks as of the patch date, security teams should watch for unusual RDP client behavior—e.g., connections to newly registered domains or IPs with no Whois history. Endpoint detection and response (EDR) tools can flag suspicious memory reads or process injections tied to mstsc.exe.
Outlook
Microsoft has acknowledged the vulnerability and provided a clean fix, but the story isn’t over. The true danger of information disclosure bugs often emerges after researchers publish proof-of-concept code, revealing what exactly can be plucked from memory. If it turns out that authentication tokens or master keys can be reliably harvested, the severity perception could climb. For now, the responsible course is to patch and tighten RDP habits. Keep an eye on Microsoft’s advisory page and security blogs for any updates on exploitation in the wild. The next Patch Tuesday may bring further refinements, but for CVE-2026-50504, the current cumulative update is your safest bet.