
LEMON BLOG

Windows RDP Vulnerabilities Could Expose Sensitive Data, Microsoft Issues June 2026 Fixes

Microsoft has released security updates for two important vulnerabilities affecting Windows Remote Desktop Protocol, better known as RDP. The flaws, tracked as CVE-2026-42908 and CVE-2026-45639, were addressed as part of Microsoft's June 2026 security updates.

Both vulnerabilities are considered important because they could allow an unauthenticated attacker to remotely access sensitive information from affected systems. While they are not classified as remote code execution flaws, the information they expose could still become useful in more advanced attack chains.

For organisations that rely on RDP for remote administration, server access, or support operations, these fixes should be treated seriously, especially if RDP services are reachable from the internet.

What the Vulnerabilities Are About

The two vulnerabilities affect the Windows RDP stack and are caused by out-of-bounds read conditions.

In simple terms, an out-of-bounds read happens when software reads data outside the memory area it is supposed to access. This may not directly allow an attacker to take control of a system, but it can expose information that should remain protected.

That exposed information may include memory addresses, process data, credentials, session tokens, or other sensitive details, depending on what is stored in the affected memory region at the time.

Both CVE-2026-42908 and CVE-2026-45639 have received a CVSS v3.1 base score of 7.5, placing them in the high-severity range. Microsoft has rated them as Important.

Why RDP Vulnerabilities Matter

Remote Desktop Protocol is widely used by administrators, IT support teams, managed service providers, and organisations that need remote access to Windows systems.

Because RDP is often connected to privileged systems, backend servers, or administrative environments, any vulnerability affecting it deserves close attention.

The concern becomes even greater when RDP is exposed directly to the internet. Attackers regularly scan for open RDP services because they can be useful entry points into an organisation's network.

Even when a vulnerability only exposes information, that information can sometimes help attackers bypass security protections, improve exploit reliability, or prepare a more targeted attack.

CVE-2026-42908: Memory Address Disclosure Risk

The first vulnerability, CVE-2026-42908, may allow an attacker to disclose local memory addresses.

This matters because modern operating systems use protections such as Address Space Layout Randomization, or ASLR, to make exploitation harder. ASLR works by randomising where important code and data are placed in memory, making it more difficult for attackers to predict where to target an exploit.

If a vulnerability leaks memory address information, it can weaken that protection. By learning where certain memory areas are located, an attacker may be able to build a more reliable exploit chain when combined with another vulnerability.

On its own, CVE-2026-42908 may not give an attacker full control of a system. But in a more advanced attack, it could help reduce the effectiveness of exploit mitigations.

CVE-2026-45639: Process Memory Exposure

The second vulnerability, CVE-2026-45639, may allow an attacker to read portions of process memory.

Depending on what is stored in memory, this could expose sensitive information such as credentials, session tokens, protocol state information, or other internal data.

This type of information disclosure can be especially valuable in environments where attackers are trying to move deeper into a network. For example, if session-related data or authentication material is exposed, it could potentially support lateral movement or privilege escalation when combined with other weaknesses.

That is why information disclosure vulnerabilities should not be dismissed as low-risk simply because they do not directly execute code.

No Authentication or User Interaction Required

One of the more concerning aspects of these vulnerabilities is that they can be exploited remotely over the network without authentication.

This means an attacker does not need to log in first. The attacker also does not need to trick a user into clicking a link, opening a file, or taking any action.

That type of exposure is important because pre-authentication network vulnerabilities can be attractive to attackers, especially when they affect services that may be reachable from outside the organisation.

Microsoft currently assesses exploitation as less likely, and there is no evidence of public exploits or active in-the-wild exploitation at the time of release. However, organisations should not rely on that assessment as a reason to delay patching.

Once patches are released, security researchers and attackers often begin analysing them to understand the underlying vulnerability. This can sometimes lead to new proof-of-concept techniques or exploit attempts later.

Affected Windows Versions

The vulnerabilities affect a broad range of Windows platforms, including supported Windows desktop and server releases.

Affected Windows 11 versions include Version 26H1, Version 25H2, Version 24H2, and Version 23H2.

Affected Windows 10 versions include Version 22H2, Version 21H2, Version 1809, and Version 1607.

Affected Windows Server versions include Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012.

The advisory also lists Remote Desktop client for Windows Desktop and Windows App Client for Windows Desktop among the affected remote access clients.

This wide coverage means many enterprise environments may have at least some systems requiring attention.

Internet-Facing RDP Should Be Prioritised

The highest priority should be systems that expose RDP services directly to the internet.

Internet-facing RDP has long been a common target for attackers. Even without these specific vulnerabilities, exposing RDP publicly increases the risk of brute-force attacks, credential stuffing, exploitation attempts, and unauthorised access.

With these newly patched information disclosure flaws, internet-facing systems become even more important to review.

Administrators should identify any public RDP exposure and apply the relevant June 2026 security updates as soon as possible.

Critical backend systems should also be prioritised, especially servers that hold sensitive data, support authentication workflows, or provide access to other internal systems.

Why Multi-Tenant Environments Should Pay Attention

The advisory also highlights potential risk in multi-tenant environments.

In shared infrastructure, one system or service may support multiple users, departments, customers, or workloads. If memory disclosure vulnerabilities can be triggered before authentication, there is a concern that attackers may try to obtain information from shared environments or use leaked data to support further compromise.

This does not mean every multi-tenant environment is immediately exploitable, but it does mean administrators should treat the patching process carefully and avoid unnecessary delay.

Recommended Actions for Administrators

Microsoft has released official patches for the affected products, and applying those updates should be the main remediation step.

Organisations should also review their RDP exposure and hardening controls. Patching is important, but RDP security should not depend on patching alone.

Recommended actions include:

These steps can reduce both the immediate risk from these vulnerabilities and the broader risk associated with remote access services.
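One way to turn the exposure review described above (find RDP listeners, confirm hardening, confirm the June 2026 updates are installed) into a repeatable host check is a short PowerShell audit. This is an added example, not code from the original post or from Microsoft's advisory; the KB identifier is a placeholder because the post does not list the update numbers, and the registry paths and cmdlets are the standard Windows ones.

```powershell
# Added example: local audit of RDP exposure and patch state on one Windows host.
# Run in an elevated PowerShell session on the host being reviewed.
# PLACEHOLDER: replace with the KB number(s) of the June 2026 RDP security update.
$RequiredKBs = @('KB-PLACEHOLDER-JUNE-2026')

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'
$findings = [ordered]@{}

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 0 means enabled.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$findings['RdpEnabled'] = ($deny -eq 0)

# 2. Listener hardening: UserAuthentication = 1 requires Network Level Authentication,
#    SecurityLayer = 2 requires TLS. Both are standard RDP hardening controls;
#    whether they block these specific bugs is not stated in the advisory.
$props = Get-ItemProperty -Path $rdpTcp -ErrorAction SilentlyContinue
$findings['NlaRequired']   = ($props.UserAuthentication -eq 1)
$findings['SecurityLayer'] = $props.SecurityLayer
$port = if ($props.PortNumber) { $props.PortNumber } else { 3389 }

# 3. Exposure: is the listener bound to all interfaces, and do enabled firewall
#    rules in the Remote Desktop group allow any remote address?
$listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
$findings['ListeningOnAllInterfaces'] = [bool]($listeners |
    Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') })
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
$findings['FirewallRulesAllowingAnyRemote'] = @($fwRules | Where-Object {
    ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }).Count

# 4. Patch state: which of this month's required updates are not installed?
$installed = (Get-HotFix).HotFixID
$findings['MissingUpdates'] = @($RequiredKBs | Where-Object { $_ -notin $installed })

# Report, then flag the combination the post says to treat first:
# an RDP listener that is reachable from anywhere and still missing the update.
[pscustomobject]$findings | Format-List
if ($findings.RdpEnabled -and $findings.FirewallRulesAllowingAnyRemote -gt 0 -and
    $findings.MissingUpdates.Count -gt 0) {
    Write-Warning "Unpatched RDP listener on port $port reachable from any remote address: prioritise this host."
}
```

Run it across the estate with Invoke-Command and collect the objects, then sort by MissingUpdates and FirewallRulesAllowingAnyRemote to build the patch order.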

Information Disclosure Can Still Support Bigger Attacks

It is easy to underestimate information disclosure vulnerabilities because they do not always produce an obvious impact like malware execution or system crashes.

However, attackers often use smaller vulnerabilities as building blocks. A leaked memory address can help bypass exploit mitigations. A leaked token can support impersonation. Internal protocol data can help attackers understand how to interact with a service more effectively.

In other words, the real danger may not be what these vulnerabilities do alone, but what they allow when combined with other flaws.

That is why high-severity information disclosure vulnerabilities affecting remote services should still be taken seriously.

Final Thoughts

The June 2026 security updates for Windows RDP address two important vulnerabilities that could expose sensitive data through out-of-bounds read conditions.

CVE-2026-42908 may disclose local memory addresses, potentially weakening exploit mitigations such as ASLR. CVE-2026-45639 may expose portions of process memory, which could include sensitive data depending on system conditions.

Although Microsoft currently considers exploitation less likely and no active exploitation has been reported, the vulnerabilities are remotely reachable before authentication. That makes patching especially important for internet-facing RDP systems and critical servers.

For organisations, the safest approach is clear: apply the June 2026 patches, reduce public RDP exposure, enforce strong access controls, and monitor remote access activity closely.

RDP remains a powerful administrative tool, but when exposed or poorly protected, it can also become a serious security risk.

Monday, 15 June 2026