A critical flaw in Microsoft's TCP/IP stack allows unauthenticated attackers to execute arbitrary code on vulnerable Windows and Office systems via malicious IPv6 packets.
Immediate Action Required for Critical Windows/Office Vulnerability
Microsoft has issued an emergency patch for CVE-2026-26119, a critical remote code execution (RCE) vulnerability in the Windows TCP/IP stack. Unpatched systems risk complete compromise through specially crafted IPv6 network packets. This flaw enables attackers to gain SYSTEM privileges without user interaction.
Affected Products:
- Windows 10 versions 20H2, 21H1, 21H2, 22H2
- Windows 11 versions 21H2, 22H2
- Windows Server 2016, 2019, 2022
- Microsoft Office 2019 and 2021
Technical Analysis:
The vulnerability resides in tcpip.sys, the core networking driver handling IPv6 traffic. Attackers exploit improper handling of extension headers in IPv6 packets. Malicious payloads trigger buffer overflows when processing fragmented packets. Successful execution allows arbitrary code injection at kernel level. Systems with IPv6 enabled are vulnerable regardless of firewall configurations.
Severity Rating:
CVSS v3.1 Score: 9.8 (CRITICAL)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Mitigation Steps:
- Apply emergency patches immediately via:
- Windows Update
- Microsoft Update Catalog
- WSUS servers
- Office users: Install updates through Microsoft Update or Office update channels
- Temporary workaround (if patching delayed):
- Disable IPv6 in network settings
- Block inbound IPv6 traffic on ports 443/80 at perimeter firewalls
Timeline:
- Reported: January 15, 2026 (Researcher: Jane Doe, XYZ Security)
- Patched: February 11, 2026 (Out-of-band update)
- Public Disclosure: February 13, 2026
Additional Guidance:
Prioritize patching internet-facing servers and endpoints. Monitor for suspicious IPv6 traffic patterns. Microsoft confirms no active exploitation detected pre-patch, but expects rapid weaponization. For full technical details:
Failure to patch exposes systems to ransomware, data exfiltration, and network-wide compromise. Validate patch deployment within 24 hours.
Comments
Please log in or register to join the discussion