Microsoft’s July 2026 security updates, released on July 14, address a serious remote code execution flaw in the Windows Remote Desktop Protocol (RDP) client. Tracked as CVE-2026-58594 and rated Important with a CVSS score of 8.8, the vulnerability could let an unauthenticated attacker run malicious code on a target’s PC simply by convincing the user to connect to a specially crafted RDP server.
While patching is the same for everything from home machines to corporate fleets, the stakes are higher for anyone using RDP with elevated privileges. Here’s what’s changing, who’s at risk, and exactly what to do about it.
What’s Actually Changing in July’s Patches
The fix rolls out through the standard cumulative updates for all supported Windows versions. The root cause is an integer overflow or wraparound flaw in how the RDP client processes protocol data—an attacker who controls the remote endpoint can send malformed data that triggers code execution on the connecting system.
These are the minimum build numbers you need to verify after patching:
- Windows 10 version 21H2: OS Build 19044.7548
- Windows 10 version 22H2: OS Build 19045.7548
- Windows 11 version 24H2: OS Build 26100.8875
- Windows 11 version 25H2: fixed via KB5101650 (build varies by branch)
- Windows 11 version 26H1: OS Build 28000.2525
- Windows Server 2025: OS Build 26100.33158
For 10 Extended Security Updates and LTSC deployments, the key package is KB5099539. Windows 11 24H2 and 25H2 get KB5101650. If you manage servers, check Server Core instances too—they’re listed as affected and often handle privileged RDP sessions.
Who’s Affected and How the Attack Works
“Remote Desktop Client” is the phrase that makes this different from the server-side RDP nightmares of past years. The bug is triggered when your machine reaches out to a compromised or malicious destination—not when someone knocks on your port 3389. In practice, that means a threat actor must first get you to open an RDP connection to an endpoint they control.
That can happen through a phishing email with an .rdp file, a fake helpdesk link, a fraudulent remote‑support session, or even a trusted server that has itself been compromised. Once the connection starts, the attacker’s endpoint can deliver crafted RDP protocol data that exploits the overflow and executes code in the security context of your user account.
For home users or anyone who only fires up Remote Desktop occasionally to reach a known machine, the risk is modest if you never connect to untrusted destinations. The danger climbs sharply for IT staff, contractors, and power users who routinely RDP into unfamiliar or externally hosted systems—especially when logged in with local or domain administrator privileges.
The Real‑World Risk: Not Wormable, But Hardly Benign
Microsoft says exploitation hasn’t been seen publicly, and CISA’s threat data marks the bug as “not automatable.” That makes it less urgent than a zero‑day being actively exploited, but it doesn’t mean you can wait. A vulnerability confirmed by the vendor, with patched binaries publicly available, invites reverse engineering and the creation of proof‑of‑concept code.
If an attacker succeeds, the CVSS vector shows high impact across confidentiality, integrity, and availability—meaning they could read, change, or delete anything on the machine, or install malware, within the limits of the victim account. On a privileged admin workstation, that could be the keys to an entire domain.
How We Got Here: A Refresher on RDP Client Attacks
The RDP client has been hardened repeatedly over the years, most recently in April 2026 when Microsoft added more explicit safety prompts during connection setup. Those prompts show the remote computer name and requested resource redirections—drives, clipboard, cameras, smart cards—before a user clicks “Connect.” That’s a useful social‑engineering defense, but it doesn’t stop the underlying code‑execution bug fixed this month.
Historically, RDP vulnerabilities have been either server‑side (like BlueKeep’s wormable horror) or client‑side issues that need user interaction. CVE‑2026‑58594 is firmly in the second category, and it underscores why security training always says “don’t connect to machines you don’t know.” But when the threat arrives disguised as a routine IT support request, that advice gets harder to follow without technical controls.
What You Should Do Now
1. Install the July updates—and check the build number.
Don’t trust a dashboard that says “fully patched.” Reboot completed and the OS build matching the table above is the only reliable proof.
2. Review how .rdp files reach your users.
If email attachments, download links, or helpdesk tickets can carry .rdp files, consider blocking them at the gateway or flagging them for review. Signed .rdp files offer some pedigree, but Microsoft’s own guidance warns that a signature alone is no guarantee of safety.
3. Enforce privileged access workstations (PAWs) and separate accounts.
Administrators should never use their domain‑admin credentials to connect to remote desktops that aren’t tightly managed. Dedicated admin workstations and separate accounts for remote access limit the blast radius of any client‑side exploit.
4. Turn on the April 2026 RDP safety prompts if you haven’t already.
They won’t patch CVE‑2026‑58594, but they give a user one last chance to notice that the remote address doesn’t look right. Combine them with training that teaches users to verify destinations out of band—for example, by calling the helpdesk before accepting a remote session.
5. Monitor for the unexpected.
The vulnerability may not be exploitable until a connection is made, but anomalous outbound RDP traffic to new IP addresses or unusual domains can flag a potential attempt. Tune detection and response so that one bad click doesn’t cascade.
Outlook: What to Watch Next
Microsoft has released only a high‑level description of the integer overflow, with no public proof of concept. The National Vulnerability Database hasn’t yet enriched the CVE with independent analysis, which is typical for a Tuesday disclosure. Expect deeper technical breakdowns from security researchers as they diff the patches. If exploitation starts appearing in the wild, Microsoft or CISA will update their advisories—keep an eye on those channels for any change in status. For now, the single most effective control is getting the July cumulative update onto every Windows client that ever touches Remote Desktop.