Microsoft confirms critical remote code execution flaw in Windows IPv6 handling. Unauthenticated attackers can compromise systems via malicious network packets.
A critical security vulnerability in Microsoft Windows allows remote code execution without authentication. Designated CVE-2026-2650, this flaw affects all supported Windows versions. Attackers can exploit it by sending specially crafted IPv6 packets to vulnerable systems. Successful compromise grants full system control.
Affected products include Windows 10 versions 21H2-23H2, Windows 11 versions 22H2-24H2, and Windows Server 2016-2025. The vulnerability resides in the Windows TCP/IP stack's IPv6 fragmentation handling. Improper memory operations enable buffer overflow when processing packet headers. Microsoft assigned a CVSS v3.1 base score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Apply Microsoft's security updates immediately. Patches were released on April 9, 2026 through standard channels. For systems requiring delayed patching, disable IPv6 via network settings or Group Policy. Enterprise administrators should block inbound IPv6 fragmentation packets at perimeter firewalls. Microsoft confirms no functional workarounds exist beyond these mitigations.
The vulnerability was privately reported through Microsoft's Security TechCenter on February 15, 2026. Public disclosure occurred on April 9, 2026 alongside patch availability. Security teams should prioritize patching internet-facing Windows systems within 24 hours.
References:
Comments
Please log in or register to join the discussion