Microsoft’s July 2026 Patch Tuesday brought a fix for a vulnerability in Windows Remote Desktop Protocol (RDP) that could quietly expose sensitive data from a system’s memory. The flaw, tracked as CVE-2026-50445, scored a 6.5 on the CVSS scale—important but not critical—yet its network-reachable nature across all recent Windows versions makes it a priority for anyone running RDP, especially on internet-facing machines.

What the Vulnerability Actually Does

CVE-2026-50445 is a buffer over-read error in the Windows RDP implementation. When an attacker sends specially crafted packets, the system reads past the intended memory boundary and returns data that should never have been accessible. That data could include fragments of other operations—passwords, session tokens, or internal network details—though Microsoft hasn’t publicly detailed the exact type of information at risk. The result is a pure information disclosure: confidentiality is severely impacted, but integrity and availability are not. No code execution or privilege escalation is possible through this bug alone.

Crucially, exploiting it requires no prior account or privileges (the attacker need not be authenticated on the network), but some form of user interaction is necessary. Microsoft’s advisory does not specify what that interaction is, but it likely involves an RDP client connecting to a malicious server or a user clicking something in a session. Until a proof-of-concept emerges, defenders should assume that any RDP-enabled Windows machine is a potential target if an attacker can lure a user into a specific action.

Which Systems Are Affected? (And Which Are Safe)

The vulnerability spans a wide swath of supported Windows editions. Affected client releases include:

  • Windows 10 versions 1607, 1809, 21H2, and 22H2
  • Windows 11 versions 24H2, 25H2, and 26H1

Server platforms are also in the mix, from Windows Server 2012 through Windows Server 2025—including Server Core installations. This breadth suggests a shared code defect rather than a recent regression.

If your Windows version isn’t listed, it’s either out of support (like Windows 7) and not receiving patches, or simply not affected. Microsoft details fixed build thresholds for the July 2026 cumulative update:

Windows Release Fixed Build
Windows 10 1607 / Server 2016 14393.9339
Windows 10 1809 / Server 2019 17763.9020
Windows 10 21H2 19044.7548
Windows 10 22H2 19045.7548
Windows 11 24H2 / Server 2025 26100.8875
Windows 11 25H2 26200.8875
Windows 11 26H1 28000.2269 or later

Organizations may need to check their deployment rings manually—paused updates, disconnected servicing, or pending restarts can leave systems below these thresholds.

For Home Users: Update Windows Now

The simplest defense is to install the July 2026 cumulative update via Windows Update. Here’s how:

  1. Open Settings > Windows Update.
  2. Click “Check for updates.”
  3. Install any pending updates, then restart when prompted.
  4. Verify your build number by typing winver in the Start menu—it should match or exceed the fixed build for your version.

Even if you never intentionally expose your PC to a public network, other devices on your home Wi-Fi could compromise you. A router already under an attacker’s control could redirect local traffic, making an internal RDP-capable device a target. Patching removes the vulnerable code entirely, closing that door.

For IT and System Administrators: A Risk-Based Approach

The 6.5 CVSS score and Microsoft’s “Exploitation Less Likely” rating might tempt some teams to delay this update. Resist that impulse. Information-disclosure flaws in RDP act as force multipliers, giving attackers the reconnaissance data they need to escalate an intrusion.

Prioritize these systems for immediate patching:

  • Internet-facing Remote Desktop Session Hosts
  • Administrative jump servers and management workstations
  • Domain controllers with RDP enabled
  • Virtual desktop infrastructure (VDI) hosts
  • Any server reachable from guest or contractor networks

While the update rolls out through WSUS or other channels, enforce these hardening steps:

  • Block TCP/UDP 3389 at the perimeter unless absolutely required by operations.
  • Move RDP behind a VPN, Remote Desktop Gateway, or zero-trust proxy.
  • Restrict RDP sources to approved management subnets via Windows Defender Firewall rules.
  • Enable Network Level Authentication (NLA). Microsoft has not confirmed NLA blocks this flaw, but it reduces general RDP exposure.
  • Disable Remote Desktop Services on systems where they aren’t needed—even “occasional” administrative convenience creates risk.
  • Monitor for unexpected RDP connection prompts in Event Viewer and endpoint detection logs.

Remember: these network controls are temporary shields. Only the cumulative update removes the root cause. After deploying patches, rescan RDP-capable assets with your vulnerability management tool to confirm fixed builds are in place. Pay special attention to legacy servers on Extended Security Updates (ESU), which sometimes fall outside standard deployment workflows.

How We Got Here: RDP’s Long History as a Target

Remote Desktop Protocol has been a favorite target for attackers for over two decades. Wormable bugs like BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181/1182) made headlines, but quieter information-disclosure flaws have also appeared regularly. In 2020, CVE-2020-0609 allowed unauthenticated attackers to send crafted RDP requests and read memory from vulnerable Windows servers. That pattern repeats here.

This isn’t a panic-inducing zero-day. Microsoft reports no active exploitation and no public disclosure before the patch was released. But “less likely” exploitation doesn’t mean impossible—particularly after reverse-engineers inspect the July update and publish a proof-of-concept. The patch itself often teaches attackers where to aim, making the post-patch window crucial.

What to Do Right Now: An Actionable Checklist

  1. Apply the July 2026 security update on every Windows machine that has RDP enabled, using your standard deployment tools.
  2. Disable RDP where unused. Navigate to System Properties > Remote Desktop and uncheck “Allow remote connections to this computer.”
  3. Verify build numbers post-reboot; spot-check a few machines in each deployment ring.
  4. Audit perimeter rules for port 3389 and move remote access behind more secure entry points.
  5. Advise users to be wary of unexpected RDP connection prompts, especially from unfamiliar servers.

Looking Ahead

Within weeks, expect the National Vulnerability Database to publish its own CVSS enrichment and a more detailed technical analysis. Security researchers may also demonstrate exploitability, clarifying the user interaction needed. If leaked memory proves to contain highly sensitive secrets, the severity assessment could rise in operational significance, even if the official score stays the same. For now, a quick Windows Update run keeps your data where it belongs—under your control.