A use-of-uninitialized-resource flaw in Windows Remote Desktop Protocol lets an unauthenticated attacker execute code over the network, carrying a critical CVSS 9.8 rating.
What Is It
CVE-2026-56190 is a use-of-uninitialized-resource vulnerability (CWE-908) in Windows RDP. Per Microsoft's advisory, the flaw "allows an unauthorized attacker to execute code over a network." It carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning it is network-exploitable, requires low attack complexity, needs no privileges, and requires no user interaction. Successful exploitation yields high impact to confidentiality, integrity, and availability. The CVE was published on 2026-07-14 and is currently in "Awaiting Analysis" status at NVD.
Why It Matters
The combination of network attack vector, no authentication, no user interaction, and full remote code execution makes this among the most severe class of Windows vulnerabilities. RDP is widely exposed and frequently reachable across internal and, in poorly segmented environments, external networks. Any unpatched, RDP-reachable host is at risk of complete compromise. No active exploitation is confirmed in the supplied source material, and there is no CISA KEV entry provided for this CVE.
What's Vulnerable
Microsoft lists a broad range of affected Windows client and server builds, including:
- Windows 10 versions 1607, 1809, 21H2, and 22H2
- Windows 11 versions 24H2, 25H2, and 26H1
- Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025 (including Server Core installations)
Each product is affected below a specific fixed build number. Because Windows 11 24H2 and Windows Server 2025 share the same base build (10.0.26100) and the same monthly servicing, both reach their fix at the same build number; for example, below 10.0.26100.8875.
Patch Status
Microsoft has assigned fixed build numbers for every affected product, indicating updates are available. Administrators should apply the relevant Microsoft update for each Windows version to reach or exceed the listed fixed build. Consult the Microsoft Security Response Center advisory for the exact patch corresponding to your version. Until patched, restricting RDP exposure reduces attack surface.
Sources
- Microsoft Security Response Center; Update Guide, CVE-2026-56190: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56190
- NVD, CVE-2026-56190: https://nvd.nist.gov/vuln/detail/CVE-2026-56190