A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker creates multiple RDP sessions that fail to properly free objects in memory. Note that the denial of service would not allow an attacker to execute code or to elevate their user rights. However, it could prevent legitimate users from logging on through remote desktop. An unauthenticated attacker could use this vulnerability to exhaust the system memory by creating multiple RDP sessions. An attacker who successfully exploited the vulnerability could cause the target system to stop responding. The update addresses the vulnerability by correcting how RDP manages objects in memory.