CVE-2026-54990 - Remote Desktop Client Remote Code Execution Vulnerability - is a heap-based buffer overflow in the Remote Desktop client that can lead to remote code execution. Microsoft rates it Critical with a CVSS v3.1 base score of 9.8 and temporal score of 8.5. The vector is network-based, low complexity, requires no privileges, but does require user interaction to connect to a malicious RDP server. Microsoft reports no public disclosure and no exploitation, with exploit code maturity unproven. This is relevant for enterprises that use RDP clients to connect to untrusted or externally controlled servers, though the required user interaction lowers risk compared with fully unauthenticated, no-interaction network attacks. Highlights: - CVSS scores: Base 9.8 - Temporal 8.5 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; network vector, LOW attack complexity, NO privileges required, but USER INTERACTION is required. - Severity for enterprise: Critical technical severity. Enterprise risk is highest where users may be induced to connect to malicious RDP servers; the user-interaction requirement reduces exposure versus no-interaction network vulnerabilities. - Patch status: available Affected systems: - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2025