Microsoft has disclosed a severe remote code execution flaw in Windows Update (CVE‑2026‑42945) affecting all Windows 10 and 11 builds. The vulnerability allows attackers to run arbitrary code with SYSTEM privileges. Users must apply the latest cumulative update and enable automatic updates. Failure to patch exposes corporate networks to data exfiltration and lateral movement.
Critical RCE in Windows Update – CVE‑2026‑42945
Impact
A single unauthenticated network request to the Windows Update service can trigger arbitrary code execution with SYSTEM privileges. Attackers can install malware, steal credentials, or pivot to other hosts.
Technical Details
The flaw resides in the Windows Update Agent (WUA) component that parses the XML manifest of update packages. A malformed XML element containing an excessively long attribute value bypasses the internal buffer length check. When the update manager attempts to load the corrupted XML, it writes beyond the allocated memory, corrupting the stack. An attacker can then redirect execution to a payload supplied in the same request.
The vulnerability is exploitable over the network via the wuauclt.exe service listening on port 8530. It does not require user interaction; a crafted HTTP request suffices.
Affected Versions
- Windows 10, version 21H2 and later
- Windows 11, version 22H2 and later
- Windows Server 2019, 2022
- All editions that ship with the default Windows Update Agent
CVSS
- Base Score: 9.8 (Critical)
- Attack Vector: Network
- Privileges Required: None
- User Interaction: None
Mitigation Steps
- Apply the latest cumulative update. Microsoft released Update KB5029876 on 2026‑05‑10. Download from the Microsoft Update Catalog.
- Enable automatic updates. Ensure the Windows Update service is set to Automatic (recommended).
- Restrict network access to the Windows Update Agent. Block inbound traffic on port 8530 from untrusted networks.
- Deploy endpoint protection that detects anomalous XML parsing activity.
- Verify integrity of installed updates with the Windows Update History tool.
Timeline
- 2026‑04‑15: Microsoft Security Response Center (MSRC) identifies the flaw during internal testing.
- 2026‑04‑25: CVE‑2026‑42945 is assigned and published on the CVE database.
- 2026‑05‑01: Public advisory issued; affected systems warned.
- 2026‑05‑10: Cumulative update KB5029876 released.
- 2026‑05‑15: Advisory updated with mitigation guidance.
What to Do Now
- Download and install KB5029876 immediately.
- Restart the Windows Update service to apply the patch.
- Audit your network for unauthorized traffic to port 8530.
- Monitor logs for any failed XML parsing attempts.
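The following PowerShell script is an added example, not part of the advisory or any Microsoft tooling: it checks one host against the Mitigation Steps and the What to Do Now list above (patch present, service start type, sessions on the agent port, firewall restriction). The KB number, service and port come from the advisory; the firewall rule name, the `Internet` remote-address scope and the `-Remediate` switch are assumptions.

```powershell
# Added example, not from the advisory: audit one host against the mitigation steps.
# From the page: KB5029876, the Windows Update service (wuauserv) and TCP port 8530.
# Assumed: the firewall rule name and the 'Internet' remote-address scope. Run elevated.
param(
    [string]$KbId = 'KB5029876',
    [int]$AgentPort = 8530,
    # Hypothetical scope; replace with explicit CIDR ranges of networks you do not trust.
    [string[]]$UntrustedRemote = @('Internet'),
    [switch]$Remediate  # without this switch the script only reports findings
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Patch state: is the cumulative update present on this host?
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if (-not $hotfix) { $findings.Add("$KbId not installed; install it from the Microsoft Update Catalog.") }

# 2. Service state: Windows Update should start automatically so later fixes keep arriving.
$svc = Get-Service -Name wuauserv
if ($svc.StartType -ne 'Automatic') {
    $findings.Add("wuauserv start type is $($svc.StartType), expected Automatic.")
    if ($Remediate) { Set-Service -Name wuauserv -StartupType Automatic }
}

# 3. Exposure: report every established inbound session on the agent port and its owner.
$active = Get-NetTCPConnection -LocalPort $AgentPort -State Established -ErrorAction SilentlyContinue
foreach ($c in $active) {
    $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $findings.Add("Session on TCP/$AgentPort from $($c.RemoteAddress), owner $proc (PID $($c.OwningProcess)).")
}

# 4. Firewall: block inbound TCP/$AgentPort from untrusted networks.
#    In Windows Firewall a Block rule wins over any Allow rule, so the block is scoped to the
#    untrusted ranges instead of pairing a broad block with an Allow carve-out for trusted ones.
$ruleName = 'Block inbound Windows Update Agent (CVE-2026-42945)'   # assumed rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings.Add("No firewall rule restricting inbound TCP/$AgentPort from untrusted networks.")
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $AgentPort -RemoteAddress $UntrustedRemote -Action Block | Out-Null
    }
}

if ($findings.Count -eq 0) { 'No findings: patched, service Automatic, port restricted.' }
else { $findings | ForEach-Object { "[FINDING] $_" } }
```

Run it once without `-Remediate` to collect findings across a fleet, then with `-Remediate` on hosts where the service or firewall state needs changing.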
Resources
- Microsoft Security Advisory – CVE‑2026‑42945
- KB5029876 – Windows 10/11 Security Update
- Windows Update Documentation
Act now. The flaw is already in the wild. Patching is the only effective defense.