Microsoft patched a critical information disclosure bug in Windows Remote Desktop Services as part of its June 2026 security updates. CVE-2026-42908, an out-of-bounds read vulnerability, allows an unauthenticated attacker to siphon off sensitive data from an affected system simply by connecting over RDP.
This flaw arrived on the heels of several high-profile RDP exploits and underscores the enduring risk of leaving the protocol exposed to the internet. Security teams should treat this update with urgency—a remote, unauthenticated information leak is a potent ingredient for privilege escalation or lateral movement.
What is CVE-2026-42908?
The vulnerability resides in the core Remote Desktop Protocol implementation on Windows. An out-of-bounds (OOB) read occurs when the RDP service references memory beyond the intended buffer while processing a crafted client request. No authentication handshake is required; the attack can be launched as soon as a socket connection is established.
Microsoft’s advisory describes the issue bluntly: a network-based, low-complexity attack that can disclose sensitive memory contents to an unauthenticated party. The CVSS score and vector were not provided in the initial bulletin, but historical OOB reads in RDP have scored between 5.3 and 7.5, reflecting the impact of leaked stack or heap data.
The Out-of-Bounds Read Explained
Out-of-bounds reads are a classic class of memory safety bugs. When the RDP service allocates a buffer for incoming data but fails to validate the input length, it may read past the buffer’s limit, returning whatever bytes happen to sit in memory at that moment. Those bytes could be protocol state, session keys, credential fragments, or even pointers that defeat ASLR.
In the context of RDP, the bug likely occurs in the terminal server’s initial connection negotiation phase. An attacker could send a malformed packet—for example, a Client Info PDU with an overly long field—that tricks the parser into reading adjacent heap chunks. The data is then reflected back in an error response or a subsequent packet, coughing up secrets.
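The length-validation failure described above, shown as a constructed example (not Microsoft's code and not the real RDP wire format): a hypothetical length-prefixed field parser that bounds the copy by the destination size but not by the bytes actually received, beside the hardened version that adds the missing check. The packet layout, the `MEM` contents standing in for adjacent memory, and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical field layout, constructed for this example (not the real RDP
   wire format): [2-byte little-endian length][that many bytes of data]. */
#define FIELD_MAX 64

/* Vulnerable: bounds the copy by the destination size only. A declared length
   larger than the bytes received makes memcpy read past the end of the packet. */
int parse_field_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t *out_len) {
    if (pkt_len < 2) return -1;
    size_t declared = pkt[0] | (pkt[1] << 8);
    if (declared > FIELD_MAX) return -1;   /* protects 'out' ... */
    memcpy(out, pkt + 2, declared);        /* ... but not the source buffer */
    *out_len = declared;
    return 0;
}

/* Hardened: the declared length must also fit inside the received bytes. */
int parse_field_hardened(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t *out_len) {
    if (pkt_len < 2) return -1;
    size_t declared = pkt[0] | (pkt[1] << 8);
    if (declared > FIELD_MAX) return -1;
    if (declared > pkt_len - 2) return -2; /* the missing source-side check */
    memcpy(out, pkt + 2, declared);
    *out_len = declared;
    return 0;
}

/* Constructed receive buffer: an 8-byte packet claiming a 20-byte field, followed
   by bytes standing in for adjacent memory (e.g. stale session data). One array is
   used so the over-read stays inside a valid object in this demo. */
#define PKT_LEN 8
static const uint8_t MEM[32] = {
    0x14, 0x00, 'A', 'B', 'C', 'D', 'E', 'F',          /* length = 20, only 6 data bytes */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y', '-', '0', '1', '2', '3', '4',
    0, 0, 0, 0, 0, 0, 0, 0
};

/* Bytes the vulnerable parser copied from beyond the packet, or 0 if the copied
   tail does not match the adjacent bytes (expected here: 14). */
size_t vulnerable_leaked_bytes(void) {
    uint8_t out[FIELD_MAX]; size_t n = 0;
    if (parse_field_vulnerable(MEM, PKT_LEN, out, &n) != 0 || n <= PKT_LEN - 2) return 0;
    size_t leaked = n - (PKT_LEN - 2);
    return memcmp(out + (PKT_LEN - 2), MEM + PKT_LEN, leaked) == 0 ? leaked : 0;
}

/* The hardened parser rejects the same packet instead of over-reading. */
int hardened_rejects(void) {
    uint8_t out[FIELD_MAX]; size_t n = 0;
    return parse_field_hardened(MEM, PKT_LEN, out, &n) == -2;
}
```

In a real service the bytes past the packet would be whatever the allocator left there, which is why the page lists keys, credential fragments and pointers among the possible contents.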
This is not the first OOB read in RDP. CVE-2019-1225, CVE-2020-0609, and CVE-2022-21974 each involved similar parser flaws. The recurrence points to a protocol surface that is large, old, and notoriously hard to audit.
Attack Vector and Pre-Auth Exploitation
The most alarming aspect of CVE-2026-42908 is the lack of an authentication barrier. An attacker needs only network reach to TCP port 3389 (the default RDP port) and the ability to send a few hundred bytes. No credentials, no user interaction, no prior foothold.
A single malformed connection can leak arbitrary memory contents. In a controlled attack, the adversary would spray memory with known patterns, trigger the read, and analyze the returned garbage to extract useful data. This could be done in a single session, making detection by IDS/IPS signatures difficult.
RDP gateways and RD Web Access servers are also potential vectors if they forward the raw RDP stream. In environments where RDP is exposed to the internet—a shockingly common practice for small businesses—the vulnerability is immediately exploitable by commodity scanners.
What Data is at Risk?
Information disclosure is often downplayed as “less severe” than remote code execution, but in the context of RDP it can be devastating. Leaked memory might contain:
- Session encryption keys – Compromise a current or past session’s RC4/AES key, and the attacker can decrypt captured traffic.
- Credential material – Plaintext passwords, NTLM hashes, or Kerberos ticket fragments that allow credential theft.
- ASLR bypasses – Memory addresses that neuter address space layout randomization, turning a future memory corruption bug into a reliable exploit.
- Configuration data – Server certificates, domain names, or internal IP addresses for lateral movement.
Even a single leaked NTLM hash can be cracked or relayed to another machine, granting the attacker access to domain-joined systems. For remote workers relying on RDP, the risk extends to every machine they connect to.
Affected Windows Versions
Microsoft did not list specific editions in the brief advisory excerpt, but RDP is a core component shipped in every supported Windows SKU. Historical precedent suggests that CVE-2026-42908 touches at least:
- Windows 10 (all versions, 1607 through 22H2)
- Windows 11 (21H2 through 24H2)
- Windows Server 2016, 2019, 2022, and 2025
- Windows Server (Semi-Annual Channel) installations
The vulnerability is platform-agnostic; x64 and ARM64 builds are equally affected. Even systems with Network Level Authentication (NLA) enabled may not be fully shielded if the bug resides in a pre-auth handler that runs before NLA negotiation.
Mitigations and Workarounds
As of the June 9 disclosure, Microsoft offered no practical workarounds. The advisory did not list any registry keys or configuration changes that close the attack surface. The sole effective mitigation is to block untrusted access to port 3389 entirely—via firewall rules, VPN-only access, or RDP gateways with strict authentication.
Enabling Network Level Authentication remains a best practice, but it is not a panacea. An OOB read that fires before credential validation bypasses NLA’s protection. Consequently, patching is the only reliable fix.
Organizations that cannot patch immediately should:
1. Place all RDP servers behind a VPN or Zero Trust Network Access (ZTNA) solution.
2. Restrict RDP access to known internal IP ranges via Windows Firewall.
3. Disable Smart Card and legacy RDP authentication methods that may increase memory complexity.
4. Monitor Event IDs 4625 (failed logon) and 4624 (successful logon) for anomalous connection attempts originating from the internet.
How to Apply the June 2026 Patch
The fix arrived via the standard cumulative update package for each Windows version. Administrators can obtain it from:
- Windows Update – The security update is listed as “2026-06 Cumulative Update for Windows [version].”
- Microsoft Update Catalog – Standalone .msu files for offline deployment.
- Windows Server Update Services (WSUS) – Already synchronized as part of the June 2026 release.
- Azure Update Manager – For virtual machines hosted in Azure.
Patch deployment must be a top priority. The simplicity of the attack means working exploit code will surface quickly—if it hasn’t already. Automated scanning tools like Shodan and Censys can identify exposed RDP endpoints in minutes.
The Bigger Picture: RDP Attack Surface
CVE-2026-42908 is not an isolated incident. Remote Desktop Services has been a perennial target for attackers since the BlueKeep vulnerability (CVE-2019-0708) reminded the world that pre-auth RDP bugs can be wormable. Subsequent years brought DejaBlue, CVE-2020-0610, and numerous other flaws.
Microsoft’s own Digital Defense Report repeatedly flags RDP as the top vector for ransomware initial access. The protocol’s complexity—layers of graphics rendering, channel management, and encryption negotiation—creates a sprawling attack surface that is virtually impossible to secure without code-level hardening.
Each Patch Tuesday underscores the tension between convenience and security. Organizations that rely on RDP for remote work or server administration must invest in compensating controls: jump servers, multi-factor authentication, and network segmentation. A single unpatched machine is a toehold that can unravel an entire domain.
Final Recommendations
Apply the June 2026 update to every Windows machine with RDP enabled, prioritizing internet-facing servers and accessible endpoints. Audit firewall rules to verify that port 3389 is not inadvertently open to the public. For broader protection, implement an RDP gateway with Azure AD Application Proxy or a similar broker that authenticates users before exposing the endpoint.
Information disclosure bugs often precede escalation attacks. Don’t wait for proof-of-concept code to drop. Patch now, verify the deployment, and reinforce RDP access controls.
Microsoft will likely release a more detailed analysis in the coming days, including CWE and CVSS numbers. Until then, treat CVE-2026-42908 as a high-severity threat and act accordingly.