A heap-based buffer overflow in the Microsoft Remote Desktop Client lets an unauthenticated attacker execute code over the network, carrying a critical CVSS 9.8 rating.
What Is It
CVE-2026-54990 is a heap-based buffer overflow (CWE-122) in the Remote Desktop Client. According to Microsoft's advisory, the flaw allows an unauthorized attacker to execute code over a network. It was published on July 14, 2026, and is currently listed by NVD as "Awaiting Analysis."
Why It Matters
The vulnerability holds a CVSS 3.1 base score of 9.8 (CRITICAL), with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. In plain terms: it is exploitable over the network, requires low attack complexity, needs no privileges, and requires no user interaction. Successful exploitation yields high impact to confidentiality, integrity, and availability; the full triad. The combination of no authentication, no user interaction, and complete system compromise makes this a top-priority patching target.
What's Vulnerable
Per Microsoft's affected-products data, the following are impacted:
- Windows 11 Version 24H2 (ARM64 and x64), before build 10.0.26100.8875
- Windows 11 Version 25H2 (ARM64 and x64), before build 10.0.26200.8875
- Windows 11 Version 26H1 (ARM64 and x64), before build 10.0.28000.2269
- Windows Server 2025 (x64), including Server Core; before build 10.0.26100.8875
Patch Status
Microsoft has assigned fixed build numbers for each affected product (listed above), indicating updates are available via the MSRC update guide. Administrators should update affected systems to at or above the specified build for their version. This CVE does not appear in the supplied CISA KEV data, so there is no confirmed active exploitation on record at this time.