CVE-2026-47654: Remote Desktop Client Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:T/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Unlikely

Patch Tuesday

2026-Jun

Released

2026-06-09

Description

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. How could an attacker exploit this vulnerability? In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.

Affected Products (8)

Windows

• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server 2022
• Windows Server 2022 (Server Core installation)
• Windows Server 2025 (Server Core installation)
• Windows Server 2025
• Windows Server 2016
• Windows Server 2016 (Server Core installation)

Security Updates (4)

• 5094123
• 5094128
• 5094125
• 5094122

Acknowledgments

ʌ!ɔ⊥ojv

Revision History

• 2026-06-09: Information published.