Microsoft has released emergency security updates for a critical vulnerability affecting multiple products. Exploitation could allow attackers to take complete control of affected systems.
Microsoft has issued emergency security updates for a critical remote code execution vulnerability affecting multiple products. The vulnerability, tracked as CVE-2026-43490, carries a CVSS score of 9.8 and is actively exploited in the wild.
Attackers can exploit this vulnerability without authentication. Successful exploitation could allow an attacker to execute arbitrary code with system privileges. This poses a significant threat to enterprise environments and critical infrastructure.
Affected Products
- Windows 10 (versions 1903, 1909, 2004, 20H2, 21H1, 21H2)
- Windows 11 (all versions)
- Windows Server 2019, 2022
- Windows Server, version 20H2, 21H1, 21H2
- Microsoft Edge (Stable, Beta, Dev channels)
- .NET Framework 3.5, 4.8
Technical Details
The vulnerability exists in the way Microsoft Windows handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights could be less impacted than users who operate with administrative user rights.
The vulnerability was discovered by security researchers at Zero Day Initiative in December 2025. Microsoft became aware of the vulnerability on January 10, 2026, when proof-of-concept code appeared on underground forums.
Mitigation
Microsoft has released security updates to address this vulnerability. Organizations should apply these updates immediately:
- Install the latest security updates from the Microsoft Security Response Center
- For systems unable to install updates immediately, implement the following workarounds:
  - Disable the affected Windows components via PowerShell
  - Configure Windows Defender Application Control to block the vulnerable components
  - Deploy network-level rules to block access to vulnerable ports
Timeline
- December 15, 2025: Vulnerability discovered by Zero Day Initiative
- January 10, 2026: Public disclosure of proof-of-concept exploit
- January 11, 2026: Microsoft releases security updates
- January 25, 2026: Next scheduled Patch Tuesday
Organizations should prioritize patching systems exposed to the internet. For detailed technical guidance, consult Microsoft Security Advisory ADV260011.