The Silent RDP Threat: Why Patching Info Disclosure Bugs Actually Matters

Two unauthenticated RDP bugs patched this week leak sensitive memory and weaken OS defenses, paving the way for full system compromise.



If you scan through the massive list of fixes in Microsoft's June 2026 Patch Tuesday release, you might be tempted to skip over CVE-2026-42908 and CVE-2026-45639. Microsoft labeled both of these Remote Desktop Protocol vulnerabilities as "Important" rather than "Critical" because they only cause information disclosure. There is no immediate remote code execution, and they do not hand an attacker a SYSTEM shell on a silver platter. However, ignoring these two bugs would be a massive mistake for anyone managing internet-exposed infrastructure.

Both vulnerabilities stem from an out-of-bounds read condition inside the Windows RDP stack. This means the service can be tricked into reading data past the boundaries of its allocated memory buffer and sending that data back to the attacker.


What makes these flaws dangerous is the attack vector. An unauthenticated hacker can trigger this memory leak remotely over the network without any user interaction whatsoever. They do not need a stolen password. They do not need an employee to click a malicious link. They just need to find an exposed RDP port and send specially crafted traffic.

When an attacker successfully exploits CVE-2026-42908, the system reveals local memory addresses. This effectively breaks Address Space Layout Randomization (ASLR), which is a foundational security mitigation built into modern Windows operating systems. By mapping out exactly where specific processes live in memory, threat actors can weaponize other, less reliable exploits that would normally just crash the system.


CVE-2026-45639 takes things a step further. An attacker exploiting this bug can read actual portions of process memory. Depending on what happens to reside in that specific memory region at the time of the attack, the vulnerability could leak active session tokens or administrative credentials.

Information disclosure bugs in RDP are rarely the end goal for a threat actor. They act as reconnaissance tools. Hackers use these exact types of memory leaks to build reliable exploit chains that eventually lead to full remote code execution or sandbox escapes. In a multi-tenant environment or a shared hosting infrastructure, an attacker could theoretically use this out-of-bounds read to peek across tenant boundaries and steal adjacent data.

Microsoft released official patches for both CVEs across a massive range of operating systems, stretching from Windows 10 and Server 2012 all the way to Windows 11 and Server 2025.

You should immediately prioritize patching any backend servers or infrastructure that expose RDP to the public internet. More importantly, this is a perfect reminder that RDP should never face the open web in the first place. You need to restrict remote access behind a VPN or a dedicated bastion host. You must also enforce strict multifactor authentication and start treating "information disclosure" with the respect it deserves.

