Microsoft patched a high-severity information disclosure vulnerability, CVE-2026-45639, in Windows Remote Desktop Protocol (RDP) on June 9, 2026, as part of its largest Patch Tuesday release to date. The flaw affects every major Windows version from Windows 10 to Windows Server 2025.
It stems from an out-of-bounds read in the Windows RDP stack that allows an unauthenticated remote attacker to read portions of process memory without any user interaction.
Security teams responsible for enterprise Windows environments should treat this as a priority patching task, given how widely RDP is deployed across corporate infrastructure.
CVE-2026-45639 is classified as a Windows Remote Desktop Protocol Information Disclosure Vulnerability, with Microsoft acting as the CNA (CVE Numbering Authority). It carries a CVSS 3.1 base score of 7.5 (High) and a temporal score of 6.5; Microsoft's own severity rating for the update is Important.
At its core the bug is CWE-125, Out-of-bounds Read: a class of memory safety vulnerability in which a program reads data beyond the end of the buffer it was allocated.
In this case the Windows RDP service fails to validate memory boundaries during packet processing, so a specially crafted network request can make the service read adjacent memory and return that data to the attacker.
The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N tells a stark story: the attack is network-reachable, has low complexity, needs no privileges and no user interaction, and has high confidentiality impact (with no integrity or availability impact). That combination makes the vulnerability particularly dangerous wherever RDP is internet-facing or otherwise reachable from outside the trusted network.
Out-of-bounds read vulnerabilities (CWE-125) occur when an application uses an attacker-influenced size or offset to read from a buffer without first checking it against the buffer's real bounds.
In an RDP context, a crafted protocol data unit (PDU) can carry a length field larger than the data that was actually received or allocated. If the parser trusts that field, it reads past the end of the intended region and may copy heap or stack contents of the RDP service process into its response. Note that an out-of-bounds read exposes memory of the process (or component) handling the connection, not arbitrary memory of other processes; what makes it serious is that the same service process handles many clients' connections at once and holds state for all of them.
According to Microsoft’s official advisory, “an attacker who successfully exploited this vulnerability could potentially read portions of process memory.”
Although this is classified as information disclosure rather than remote code execution, memory leaked from a service process can include cryptographic material, session tokens, credentials, or other sensitive runtime data. Such leaks are also routinely chained with other bugs, for example to learn module addresses and defeat ASLR before a memory-corruption exploit.
Notably, Microsoft's own exploitability assessment rates this as "Exploitation Less Likely," and no public exploit code or in-the-wild exploitation had been confirmed at the time of publication. The unauthenticated, network-reachable, zero-interaction attack surface nonetheless warrants serious attention from security operations teams.
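To make the failure mode concrete, here is an added, self-contained C example written for this article; it is not Windows code and not the CVE-2026-45639 bug. It uses an invented three-byte PDU header (a 16-bit big-endian total length and a type byte) and a fixed receive buffer that stands in for a reused heap buffer still holding leftover data from an earlier session. The buffer layout, the packet and the "stale token" are all constructed for the demo. The unchecked parser trusts the length field and echoes bytes it never received; the checked parser rejects the same PDU.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy PDU: 2-byte big-endian total length (header included), 1 type byte,
 * then payload. Invented for this example; it is not the RDP wire format. */
#define PDU_HDR_LEN 3
#define ARENA_LEN   64   /* stands in for a reused receive buffer on the heap */

/* Vulnerable parser: trusts the declared length and never consults how many
 * bytes were actually received. Copies the "payload" into `out` and returns
 * the byte count; when the declared length exceeds `received`, the tail of
 * the copy comes from whatever sits after the packet in the buffer. The
 * write into `out` is bounded so that only the read is out of bounds. */
size_t parse_pdu_unchecked(const uint8_t *buf, size_t received,
                           uint8_t *out, size_t out_cap)
{
    (void)received;                                 /* the bug: ignored */
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    if (declared < PDU_HDR_LEN) return 0;
    size_t payload = declared - PDU_HDR_LEN;
    if (payload > out_cap) payload = out_cap;
    memcpy(out, buf + PDU_HDR_LEN, payload);        /* may read past `received` */
    return payload;
}

/* Hardened parser: validates the declared length against the bytes actually
 * received (and the output capacity) before touching the payload.
 * Returns the payload length, or -1 for a malformed PDU. */
long parse_pdu_checked(const uint8_t *buf, size_t received,
                       uint8_t *out, size_t out_cap)
{
    if (received < PDU_HDR_LEN) return -1;          /* truncated header */
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    if (declared < PDU_HDR_LEN || declared > received) return -1;
    size_t payload = declared - PDU_HDR_LEN;
    if (payload > out_cap) return -1;
    memcpy(out, buf + PDU_HDR_LEN, payload);
    return (long)payload;
}

/* Constructed scenario: the arena holds leftover bytes and a stale token from
 * an earlier "session"; a 7-byte packet at the front claims to be 48 bytes.
 * Returns the number of bytes actually received. */
static size_t build_arena(uint8_t arena[ARENA_LEN])
{
    memset(arena, 'X', ARENA_LEN);
    memcpy(arena + 16, "STALE-SESSION-TOKEN-0123456789ABCDEF", 36);
    const uint8_t pkt[] = { 0x00, 0x30, 0x01, 'p', 'i', 'n', 'g' };
    memcpy(arena, pkt, sizeof pkt);
    return sizeof pkt;
}

/* Bytes the unchecked parser returned that were never part of the packet. */
size_t unchecked_leak_len(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN + 1];
    size_t received = build_arena(arena);
    size_t n = parse_pdu_unchecked(arena, received, out, ARENA_LEN);
    size_t real_payload = received - PDU_HDR_LEN;
    return n > real_payload ? n - real_payload : 0;
}

/* 1 if the stale token is visible in the unchecked parser's response. */
int unchecked_leaks_token(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN + 1];
    size_t received = build_arena(arena);
    size_t n = parse_pdu_unchecked(arena, received, out, ARENA_LEN);
    out[n] = '\0';
    return strstr((const char *)out, "STALE-SESSION-TOKEN") != NULL;
}

/* The hardened parser's verdict on the same malformed packet. */
long checked_result(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t received = build_arena(arena);
    return parse_pdu_checked(arena, received, out, sizeof out);
}

/* The hardened parser on a well-formed packet whose length field matches
 * what was received: returns the 4-byte payload length. */
long checked_ok_result(void)
{
    const uint8_t pkt[] = { 0x00, 0x07, 0x01, 'p', 'i', 'n', 'g' };
    uint8_t out[ARENA_LEN];
    return parse_pdu_checked(pkt, sizeof pkt, out, sizeof out);
}

int main(void)
{
    printf("unchecked parser echoed %zu bytes it never received (token visible: %d)\n",
           unchecked_leak_len(), unchecked_leaks_token());
    printf("checked parser: malformed -> %ld, well-formed -> %ld\n",
           checked_result(), checked_ok_result());
    return 0;
}
```

The point to take from the two parsers is that the fix is a single comparison of the declared length against the received length, made before any payload byte is read; the rest of the code is identical. In a real service the "arena" is a heap allocation that previous connections have written into, which is why the leaked bytes can contain another client's session material rather than harmless padding.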
Affected Windows Products
The vulnerability spans a wide range of Microsoft products patched on June 9, 2026:
| Affected Product | KB Article | Build Number |
|---|---|---|
| Windows 11 Version 26H1 (x64/ARM64) | KB5095051 | 10.0.28000.2269 |
| Windows 11 Version 25H2 (x64/ARM64) | KB5094126 | 10.0.26200.8655 |
| Windows 11 Version 24H2 (x64/ARM64) | KB5094126 | 10.0.26100.8655 |
| Windows 11 Version 23H2 (x64/ARM64) | KB5093998 | 10.0.22631.7219 |
| Windows 10 Version 22H2 (x64/ARM64/32-bit) | KB5094127 | 10.0.19045.7417 |
| Windows 10 Version 21H2 (x64/ARM64/32-bit) | KB5094127 | 10.0.19044.7417 |
| Windows 10 Version 1809 | KB5094123 | 10.0.17763.8880 |
| Windows 10 Version 1607 | KB5094122 | 10.0.14393.9234 |
| Windows Server 2025 | KB5094125 | 10.0.26100.32995 |
| Windows Server 2022 | KB5094128 | 10.0.20348.5256 |
| Windows Server 2019 | KB5094123 | 10.0.17763.8880 |
| Windows Server 2016 | KB5094122 | 10.0.14393.9234 |
| Windows Server 2012 / 2012 R2 | KB5094041 / KB5094042 | 6.x builds |
| Remote Desktop Client for Windows Desktop | Release Notes | 1.2.7214.0 |
| Windows App Client for Windows Desktop | Release Notes | 2.0.1193.0 |
Microsoft credited the discovery of CVE-2026-45639 to pwn2addr and Kyeongmin Kim (@hareh4ru) of the KAIST Hacking Lab (kaist-hacking.github.io), a well-regarded academic security research group at the Korea Advanced Institute of Science and Technology.
The vulnerability was reported through coordinated disclosure, meaning no public exploit was released before the patch, a practice that gives defenders a window to remediate before attackers have working code.
The disclosure came in the same Patch Tuesday cycle in which Microsoft addressed over 200 vulnerabilities, including three publicly disclosed zero-days, underscoring the scale of the June 2026 update.
Mitigation
Organizations should apply the relevant security updates promptly. Specific recommendations include:
- Apply the June 2026 Patch Tuesday updates using Windows Update, WSUS, or Microsoft Configuration Manager (formerly Endpoint Configuration Manager), and verify the installed OS build against the table above rather than trusting that the deployment job ran
- Prioritize internet-facing RDP servers: Windows Server 2019, 2022, and 2025 instances exposed directly to the internet carry the highest risk, followed by any host reachable on TCP 3389 from untrusted network segments
- Restrict RDP access using firewall rules, VPN gating, or Microsoft's Remote Desktop Gateway so the RDP listener is not reachable from arbitrary sources; because the flaw needs no credentials, limiting who can reach the listener is the most effective compensating control until the patch is applied
- Keep Network Level Authentication (NLA) enabled on all RDP endpoints. NLA requires CredSSP authentication before a session is created and blunts much unauthenticated RDP abuse, but the advisory material cited here does not say whether the flawed parsing runs before or after NLA completes, so treat NLA as defense in depth rather than a substitute for the patch
- Monitor RDP activity with SIEM/NDR tooling for anomalous connection patterns, such as bursts of short-lived connections from a single source that never complete authentication. RDP traffic is normally TLS-encrypted, so network sensors cannot inspect the PDUs themselves; rely on connection metadata and the server's own RDP event logs
- Update the Remote Desktop Client for Windows Desktop to 1.2.7214.0 and the Windows App client to 2.0.1193.0
Frequently Asked Questions (FAQs)
Q1: What does CVE-2026-45639 allow an attacker to do? An unauthenticated remote attacker can exploit an out-of-bounds read in Windows RDP to disclose portions of process memory, potentially exposing sensitive data like credentials or session tokens.
Q2: Is CVE-2026-45639 being actively exploited in the wild? As of June 9, 2026, Microsoft reports no public exploit code and no observed exploitation, and rates the flaw "Exploitation Less Likely."
Q3: Which Windows versions are affected by CVE-2026-45639? The vulnerability affects Windows 10 (versions 1607 through 22H2), Windows 11 (versions 23H2 through 26H1), Windows Server 2012 through 2025, and the Remote Desktop and Windows App clients.
Q4: How can organizations immediately protect against CVE-2026-45639? Apply the June 2026 Patch Tuesday security updates, restrict RDP exposure using firewalls and VPN, enable Network Level Authentication, and monitor for anomalous RDP traffic patterns.
Site: thecybrdef.com