SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-54990 2026-07-14

CVE-2026-54990: Critical Remote Code Execution in Windows Remote Desktop Client

"A heap-based buffer overflow in the Microsoft Remote Desktop Client lets an unauthenticated attacker execute code over the network, carrying a critical CVSS 9.8 rating."

A heap-based buffer overflow in the Microsoft Remote Desktop Client lets an unauthenticated attacker execute code over the network, carrying a critical CVSS 9.8 rating.

What Is It

CVE-2026-54990 is a heap-based buffer overflow (CWE-122) in the Remote Desktop Client. According to Microsoft's advisory, the flaw allows an unauthorized attacker to execute code over a network. It was published on July 14, 2026, and is currently listed by NVD as "Awaiting Analysis."

Why It Matters

The vulnerability holds a CVSS 3.1 base score of 9.8 (CRITICAL), with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. In plain terms: it is exploitable over the network, requires low attack complexity, needs no privileges, and requires no user interaction. Successful exploitation yields high impact to confidentiality, integrity, and availability; the full triad. The combination of no authentication, no user interaction, and complete system compromise makes this a top-priority patching target.

What's Vulnerable

Per Microsoft's affected-products data, the following are impacted:

Patch Status

Microsoft has assigned fixed build numbers for each affected product (listed above), indicating updates are available via the MSRC update guide. Administrators should update affected systems to at or above the specified build for their version. This CVE does not appear in the supplied CISA KEV data, so there is no confirmed active exploitation on record at this time.

Sources