Microsoft’s July 14, 2026 Patch Tuesday release closes an information-disclosure vulnerability in Windows Remote Desktop Protocol that can leak potentially sensitive memory contents to an unauthenticated attacker—provided they can trick a user into connecting to a malicious endpoint. The bug, assigned CVE-2026-50497 and rated Important with a CVSS score of 6.5, affects every supported client and server version of Windows and demands immediate attention on any machine where RDP is enabled or routinely used.

There is no evidence of active exploitation yet, and the flaw does not grant attackers the ability to run code or crash systems. But because it crosses a network boundary with no authentication requirement and can yield high-confidentiality data, ignoring it on internet-facing or administrative systems is a gamble no organization should take.

The patch, the bug, and the builds

CVE-2026-50497 stems from two programming weaknesses catalogued by the National Vulnerability Database: CWE-193 (off-by-one error) and CWE-908 (use of uninitialized resource). An off-by-one error in buffer management can cause the RDP stack to read one byte beyond an intended boundary, while reliance on uninitialized memory means that byte could contain leftover data from previous operations—a classic combination for information leaks.

Microsoft’s CVSS vector lays out the attack surface clearly: network-accessible, low complexity, no privileges required, but user interaction is mandatory. In other words, an attacker cannot simply scan for open port 3389 and exfiltrate secrets autonomously. A user on the target machine must participate, likely by connecting to a rogue RDP server or falling victim to a man-in-the-middle scenario. Once that happens, confidentiality takes a high hit; integrity and availability remain unaffected.

The advisory confirms the vulnerability across a sweeping list of Windows releases, including long-term servicing editions and Server Core installations. Below are the affected versions and the minimum OS builds that contain the fix (all builds are from July 2026 cumulative updates):

Windows Version Fixed Build
Windows 10 1607 / Server 2016 14393.9339
Windows 10 1809 / Server 2019 17763.9020
Windows 10 21H2 19044.7548
Windows 10 22H2 19045.7548
Windows 11 24H2 26100.8875
Windows 11 25H2 26200.8875
Windows 11 26H1 28000.2269
Windows Server 2012 9200.26226
Windows Server 2012 R2 9600.23291
Windows Server 2022 20348.5386
Windows Server 2025 26100.33158

Server Core installations of 2016, 2019, and 2025 are explicitly included. If you run an older LTSC release or an embedded SKU that shares the same kernel version, assume it is also vulnerable until you verify against this table.

Who’s exposed — and who isn’t

The practical risk hinges on how RDP is used in your environment. Microsoft ships Home editions with the Remote Desktop service disabled by default, but it can be turned on for remote assistance scenarios. If you ever clicked “Allow remote connections to this computer” in System Properties, you’re in the affected pool. Power users running Project or Enterprise editions, who frequently enable RDP for headless VMs or home lab management, should treat this as a priority patch.

For IT professionals and administrators, the calculus is starker. The vulnerability affects Remote Desktop Session Hosts, jump servers, administrative workstations, and any server running the RDP role—including domain controllers and file servers that may not face the internet but are accessible from compromised endpoints inside the network. Because the bug can disclose information from the RDP process’s memory, and such processes often handle authentication tokens, encryption keys, or configuration details, a successful leak could grease the wheels for a larger attack chain.

Crucially, exposure isn’t limited to machines that accept inbound connections. The user-interaction requirement means that a workstation from which an administrator launches an RDP session to a rogue server is just as vulnerable. That flips the usual threat model: it’s not just about protecting your listeners; it’s about controlling where your users connect from.

The off-by-one that blabs secrets

Off-by-one errors are as old as C itself—a classic boundary mistake where a loop or buffer operation iterates one byte too many or too few. In the context of RDP’s protocol handling, Microsoft hasn’t provided a blow-by-blow of where the slip occurs, but the presence of CWE-908 suggests that the out-of-bounds read returns uninitialized memory rather than crashing the process. That’s what turns a common code-quality bug into a security vulnerability: the attacker gets to peek at whatever data happened to sit in that memory slot.

Because the attack requires user interaction, social engineering enters the picture. A likely attack pattern: an adversary sets up a convincing remote desktop service—perhaps mimicking a third-party support tool or a compromised jump host—and convinces a target to connect. Once the connection triggers the vulnerable code path, the attacker obtains data from the client’s RDP stack. The CVSS metric rates report confidence as “confirmed,” meaning Microsoft acknowledges the flaw exists and is exploitable. However, no public exploit code has surfaced as of this writing.

This isn’t another BlueKeep or DejaBlue. Those were remote code execution flaws that could self-propagate. CVE-2026-50497 is an information-gathering tool—a reconnaissance weapon, not a takeover. In a mature attack chain, it could be paired with a privilege escalation or credential-theft technique to escalate access. Defenders should view it as one piece of a puzzle, not the whole threat.

The fix, and how to verify it

Windows Update will deliver the July 14 cumulative updates automatically according to your active deferral policies. But merely seeing “update installed” is not enough. Microsoft’s update history can show a successful install while a system remains at a vulnerable build number if servicing stack problems or pending reboots interfere. Always validate the OS build.

To check your build:
- Open winver.exe (Run dialog or Start search) and note the OS Build line.
- In PowerShell: Get-ComputerInfo | Select WindowsVersion, OsBuildNumber
- For fleet-wide verification, use Microsoft Endpoint Configuration Manager, Windows Update for Business reports, or a vulnerability scanner that can assess build numbers against NVD data.

Compare what you find against the fixed builds in the table above. If your build is lower, force a check for updates (Settings > Windows Update > Check for updates) or deploy the standalone cumulative update package from the Microsoft Update Catalog for your edition. Reboot when prompted.

Systems on extended servicing arrangements—Windows Server 2012, 2012 R2, and older Windows 10 LTSC releases—must ensure they are still receiving extended security updates. Without an active ESU license, these machines will not be offered the patch and will remain vulnerable indefinitely.

Reducing your RDP attack surface right now

Patching is only half the story. RDP remains one of the most targeted protocols on the internet, and good hygiene blunts the impact of both known and unknown vulnerabilities.

  • Disable RDP where it isn’t needed. On clients, set the “Allow Remote Desktop” toggle to Off under Settings > System > Remote Desktop. On servers, remove the Remote Desktop Services role if the machine is not functioning as a session host or VDI node.
  • Require Network Level Authentication. NLA forces authentication before a session is created, reducing the window for pre-authentication attacks. Microsoft’s CVSS vector does not indicate NLA as a complete mitigation for CVE-2026-50497, but it remains a crucial barrier against many RDP exploits.
  • Block TCP and UDP 3389 at the perimeter. Never expose RDP directly to the internet. Use a VPN, Windows Server’s Remote Desktop Gateway role, or a zero-trust access proxy to provide authenticated, encrypted tunnels. Changing the listening port offers no real security—scanner scripts adjust in seconds.
  • Restrict outbound RDP. Through Windows Firewall or endpoint protection products, limit which networks and hosts a machine can initiate RDP connections to. This directly counteracts the user-interaction component of this CVE.
  • Monitor and alert. Enable RDP-specific audit logging. Track Event IDs for successful and failed network logons, and flag connections to unfamiliar IP addresses or country codes.

These steps are not specific to CVE-2026-50497—they are evergreen recommendations for any environment that takes remote access seriously.

Beyond the patch: what to watch for

Microsoft’s advisory is sparse on technical detail, a common posture when a patch first ships. The NVD entry was marked “awaiting enrichment” on release day, meaning third-party analysts will soon dissect the fix and publish deeper explanations. As that research appears, attack tools incorporating the off-by-one leak may follow. Organizations should expect penetration-testing frameworks to add modules for this CVE in the coming weeks.

Simultaneously, the July 2026 Patch Tuesday release addresses dozens of other vulnerabilities. While CVE-2026-50497 is the only RDP-specific item, any security update that touches the networking stack or authentication components can interact in unexpected ways. Test the full cumulative update in a staging environment before wide deployment, even if the RDP bug alone seems low-impact.

The bottom line: this is not a five-alarm fire that demands an emergency-out-of-band patch. It is a medium-severity flaw with a clear—and easily verifiable—remediation path. Given how widely RDP underpins remote administration, and how valuable the information it can expose often is, installing the update and locking down the protocol remain the prudent course.