CVE-2026-32157

High

Published: 14 April 2026

Published

14 April 2026

Modified

07 May 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of flaws, directly addressing the use-after-free vulnerability in Remote Desktop Client through patching as advised by MSRC.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms like ASLR and DEP to prevent successful exploitation of use-after-free vulnerabilities leading to remote code execution.

SI-3 Malicious Code Protection partial match

preventdetect

Deploys malicious code protection tools to scan for and block exploit payloads or anomalous behavior from RCE triggered by the crafted RDP file.

Security SummaryAI

CVE-2026-32157 is a use-after-free vulnerability (CWE-416) affecting the Remote Desktop Client. Published on 2026-04-14, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An unauthorized attacker with network access can exploit this vulnerability by tricking a user into interacting with a malicious Remote Desktop connection, such as opening a crafted RDP file. Successful exploitation allows remote code execution on the target system, compromising confidentiality, integrity, and availability with high impact.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32157 provides details on patches and mitigation guidance for affected Remote Desktop Client versions.

Details

CWE(s): CWE-416

Affected Products

microsoft

remote desktop client

≤ 2.0.1070.0

microsoft

windows 10 1607

≤ 10.0.14393.9060 · ≤ 10.0.14393.9060

microsoft

windows 10 1809

≤ 10.0.17763.8644 · ≤ 10.0.17763.8644

microsoft

windows 10 21h2

≤ 10.0.19044.7184 · ≤ 10.0.19044.7184 · ≤ 10.0.19044.7184

microsoft

windows 10 22h2

≤ 10.0.19045.7184 · ≤ 10.0.19045.7184

microsoft

windows 11 23h2

≤ 10.0.22631.6936 · ≤ 10.0.22631.6936

microsoft

windows 11 24h2

≤ 10.0.26100.8246 · ≤ 10.0.26100.8246

microsoft

windows 11 25h2

≤ 10.0.26200.8246 · ≤ 10.0.26200.8246

microsoft

windows 11 26h1

≤ 10.0.28000.1836 · ≤ 10.0.28000.1836

microsoft

windows server 2012

all versions, r2

+5 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Use-after-free vulnerability in Remote Desktop Client enables remote code execution by tricking users into opening crafted RDP files or connecting to malicious RDP servers, directly facilitating T1203: Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32157
Vendor Advisory · secure@microsoft.com