Microsoft’s July 14, 2026 security updates patched a Remote Desktop Protocol (RDP) information-disclosure vulnerability that could let attackers read sensitive data from unpatched Windows systems. Tracked as CVE-2026-55003, the flaw is rated Important with a CVSS 3.1 base score of 6.5, and it affects every supported Windows client and server release—from Windows 10 1607 all the way up to the just-released Windows 11 26H1.
The bug isn’t another BlueKeep or a remote-code-execution free-for-all. Instead, it stems from how Windows RDP handles an uninitialized resource (CWE-908). An attacker who successfully exploits it could steal confidential information from a target machine’s memory, but the attack requires user interaction and cannot be automated end-to-end. Microsoft and the Zero Day Initiative both confirm no public disclosure or active attacks against this vulnerability as of patch release.
That said, any hole in a service that sits on the trust boundary between your network and the internet demands swift attention. Here’s what you need to know, who is affected, and exactly what to do next.
The Vulnerability Details
CVE-2026-55003 exists because RDP does not properly initialize a resource before using it. That uninitialized resource can contain leftover data from previous operations—data an attacker shouldn’t be able to see. When the vulnerable code runs, that memory content may leak across a remote session. Microsoft’s advisory doesn’t detail what specific types of data an attacker could retrieve, but the CVSS vector assigns a high confidentiality impact. That implies more than a trivial metadata leak, though it doesn’t guarantee credentials or session tokens are directly accessible.
The attack vector is network-accessible, requires no privileges, and has low attack complexity. However, the “user interaction required” label puts a meaningful brake on exploitation: some action by a logged-on user must occur as part of the attack chain. Microsoft hasn’t spelled out that interaction publicly, so defenders shouldn’t assume that forcing Network Level Authentication (NLA) eliminates the risk. While NLA reduces the attack surface, it isn’t documented as a complete mitigation for this CVE.
Critically, this is an information-disclosure vulnerability—not a code-execution bug. An attacker can’t use it to install ransomware, add user accounts, or pivot laterally. The immediate risk is loss of confidentiality, which still matters enormously on systems that process sensitive data.
Who Is Affected?
The list of affected platforms covers nearly every current Windows installation. Desktops, laptops, servers, and even Server Core installations are included. Here is the full breakdown:
| Platform | Affected Versions | Corrected Build |
|---|---|---|
| Windows 10 | 1607, 1809, 21H2, 22H2 (x86, x64, ARM64) | 19045.7548 (22H2); 19044.7548 (21H2); 14393.9339 (1607); 17763.9020 (1809) |
| Windows 11 24H2 | All editions (x64, ARM64) | 26100.8875 |
| Windows 11 25H2 | All editions (x64, ARM64) | 26200.8875 |
| Windows 11 26H1 | All editions (x64, ARM64) | 28000.2525 |
| Windows Server 2012 / 2012 R2 | All editions, including Server Core | Varies; requires Extended Security Updates |
| Windows Server 2016 | All editions, including Server Core | 14393.9339 |
| Windows Server 2019 | All editions, including Server Core | 17763.9020 |
| Windows Server 2022 | All editions, including Server Core | 20348.5386 |
| Windows Server 2025 | All editions, including Server Core | 26100.33158 |
If your system runs any of these, you need the July 2026 cumulative update. Older builds without the fix are vulnerable. The only exception is Windows Server 2012 and 2012 R2: mainstream support ended years ago. Those machines require an active Extended Security Updates (ESU) license or another eligible servicing plan to receive the patch. Without ESU, simply checking Windows Update won’t deliver the fix.
Why This Matters for Your Network
A 6.5-severity CVE can easily get lost in a busy Patch Tuesday when critical remote-code-execution flaws dominate headlines. But RDP’s position at the network edge makes this bug more important than its medium score suggests. Any Windows machine with RDP exposed to the internet—directly on TCP 3389—is a prime target. Attackers routinely scan for open RDP ports, and an information-disclosure flaw that requires some user interaction but no credentials is a tempting reconnaissance tool.
For home users, the practical risk is low if your PC isn’t accepting Remote Desktop connections from the internet, which it shouldn’t be by default. Most consumer Windows editions disable RDP unless you manually turned it on. If you use Remote Desktop within your own home network only, an attacker still needs a foothold on that network to exploit this CVE. Patching is still wise, but urgency is moderate.
For businesses, the calculus changes completely. Remote Desktop Services, jump hosts, virtual desktop infrastructure (VDI), and third-party remote access tools that rely on Windows RDP are all potentially vulnerable. An internet-facing Remote Desktop Gateway or a published Terminal Server is a high-priority target. Even internally, an attacker who has already compromised a single workstation could scan the LAN for RDP services and attempt to exploit this flaw from within. If that attacker can trick a logged-in user into some action—perhaps through a phishing lure—they could siphon memory contents from a critical server.
Microsoft hasn’t disclosed what information leaks, but in similar uninitialized-memory bugs, researchers have recovered cryptographic keys, partial credentials, or internal memory structures that help defeat address-space layout randomization (ASLR). That makes this bug a potential stepping stone to more serious attacks, even if it isn’t a direct takeover itself.
How to Protect Your Systems
Patching is the only sure fix, and it starts with verifying your build number—not trusting the update history log alone. Cumulative Windows updates can sometimes fail silently or roll back, leaving you below the corrected threshold. Use winver on any endpoint or server to check the OS build, then compare it to the table above. Deployment tools and inventory scanners should query the build number directly.
Once you’ve confirmed that a machine needs the patch, follow these steps in order of priority:
- Scan for exposed RDP services. Use your network scanner or a simple PowerShell command (
Test-NetConnection -ComputerName localhost -Port 3389) to find machines listening on TCP 3389. Identify which of those are reachable from the internet or untrusted network zones. - Shut down internet-facing RDP where possible. If you have servers with port 3389 open to the world, replace that access with a VPN, Remote Desktop Gateway, or Azure Virtual Desktop. If you must keep direct RDP open temporarily, restrict source IP addresses with firewall rules.
- Deploy July 2026 cumulative updates. Start with the most exposed systems: gateways, connection brokers, and session hosts accessible from the internet or guest networks. Use your usual patch management process; if you need to test, prioritize completing testing on exposed systems within 48–72 hours.
- Enforce Network Level Authentication (NLA). While NLA doesn’t fully mitigate CVE-2026-55003, it does require authentication before a session is established, closing off one avenue for the attacker. Combine NLA with the patch for defense-in-depth.
- Monitor RDP logs. In Event Viewer, look for event IDs 4625 (failed logons) and 4776 (credential validation) on RDP-facing machines. Unusual patterns, such as spikes in failed connections from external IPs, could indicate probing or exploit attempts.
- Verify the fix. After patching, re-check build numbers and test Remote Desktop functionality—especially RemoteApp, smart-card redirection, and clipboard policies—to ensure stability.
For Windows Server 2012/2012 R2, if you don’t have ESU licensing, your options are limited. Microsoft may release rare out-of-band patches for unsupported systems if a massive threat emerges, but that hasn’t happened here. The only guaranteed path is to purchase ESU or move those workloads to a supported OS.
Looking Ahead
The absence of public exploit code or active attacks doesn’t mean CVE-2026-55003 will stay under the radar. Patch Tuesday releases are carefully analyzed by researchers and attackers alike, and it’s only a matter of time before someone reverse-engineers the July updates to figure out how to trigger the uninitialized-memory leak. An information-disclosure bug with a forced user interaction might not launch a worm, but it could be folded into multi-stage attacks that combine phishing with data extraction.
Keep an eye on your security feeds for proof-of-concept code. If one surfaces, the urgency for internet-facing systems will spike from “patch soon” to “patch immediately.” In the meantime, treat this as a routine but high-importance update: it’s not a catastrophe, but ignoring it could hand an attacker a quiet beachhead.