Microsoft has disclosed CVE‑2026‑43618, a remote code execution vulnerability in the Win32k driver stack. The flaw scores 9.8 CVSS, impacts all supported Windows 10, Windows 11, and Windows Server 2022 releases, and is actively exploited. Immediate patching via the August 2026 Security Update is required.
Critical Remote Code Execution Vulnerability (CVE‑2026‑43618) Disclosed by Microsoft
Impact: Remote code execution, full system compromise, active exploitation reported.
Severity: CVSS 9.8 (Critical).
Affected Products
- Windows 10, version 22H2 and later
- Windows 11, version 22H2 and later
- Windows Server 2022, all current releases
- Microsoft Edge (Chromium) when running on affected OS versions (indirectly via OS kernel)
Unsupported versions such as Windows 8.1, Windows 7, and Windows Server 2012 R2 are not affected because the vulnerable code path was removed in those branches.
Technical Details
CVE‑2026‑43618 resides in the Win32k.sys driver, specifically in the handling of crafted NtUserCreateWindowEx calls. An attacker can supply a maliciously crafted window class structure that triggers an integer overflow during the calculation of the window's internal bitmap size. The overflow corrupts adjacent kernel memory, allowing the attacker to overwrite a function pointer used by the kernel's message dispatch routine.
When the overwritten pointer is later dereferenced, attacker‑controlled shellcode executes with SYSTEM privileges. The vulnerability is remote because the malicious window class can be delivered via a malicious HTML page rendered in Microsoft Edge or via a specially crafted RDP session. No user interaction beyond loading the page or establishing the RDP connection is required.
Key points of the exploit chain:
- Heap grooming – The attacker forces the kernel to allocate a series of tagWND structures to create a predictable layout.
- Integer overflow – Crafted cx and cy values cause cx * cy * bytesPerPixel to wrap.
- Pointer overwrite – The overflow writes over the pfnWndProc pointer of a neighboring window object.
- Shellcode execution – The overwritten pointer redirects execution to attacker‑controlled memory mapped as executable.
The vulnerability bypasses Windows Defender Exploit Guard mitigations because the overflow occurs before the standard integrity checks are applied.
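To make the root cause concrete, here is an added illustrative model (not Win32k code, and not from the advisory) of the size calculation the advisory describes, with the wrapping 32-bit arithmetic beside an overflow-checked version that rejects oversized dimensions. The function names and the 32-bit width are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of "cx * cy * bytesPerPixel" computed in 32-bit
 * arithmetic, the pattern the advisory describes. Unsigned wrap is
 * defined behaviour in C, so an oversized product silently becomes a
 * small (even zero) allocation size, and later writes sized from cx/cy
 * run past the buffer. This is the defect class, not the real driver code. */
uint32_t bitmap_size_unchecked(uint32_t cx, uint32_t cy, uint32_t bytesPerPixel)
{
    return cx * cy * bytesPerPixel;      /* wraps silently on overflow */
}

/* Hardened version: every partial product is computed in 64 bits and
 * compared against the 32-bit limit before it is used. Inputs that do
 * not fit are refused instead of being truncated. Returns true and
 * stores the size in *out on success, false on overflow. */
bool bitmap_size_checked(uint32_t cx, uint32_t cy, uint32_t bytesPerPixel, uint32_t *out)
{
    uint64_t area = (uint64_t)cx * cy;   /* < 2^64, cannot wrap */
    if (area > UINT32_MAX)
        return false;
    uint64_t bytes = area * bytesPerPixel;   /* area <= 2^32-1, so still < 2^64 */
    if (bytes > UINT32_MAX)
        return false;
    *out = (uint32_t)bytes;
    return true;
}

/* Convenience wrapper for checks: the checked size, or -1 when the
 * hardened path rejects the dimensions. */
int64_t bitmap_size_or_minus_one(uint32_t cx, uint32_t cy, uint32_t bytesPerPixel)
{
    uint32_t size = 0;
    return bitmap_size_checked(cx, cy, bytesPerPixel, &size) ? (int64_t)size : -1;
}

int main(void)
{
    /* Constructed sample dimensions: 0x10000 x 0x10000 x 4 wraps to 0. */
    printf("unchecked: %u bytes\n", bitmap_size_unchecked(0x10000u, 0x10000u, 4u));
    printf("checked:   %lld\n", (long long)bitmap_size_or_minus_one(0x10000u, 0x10000u, 4u));
    printf("640x480x4: %lld\n", (long long)bitmap_size_or_minus_one(640u, 480u, 4u));
    return 0;
}
```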
Exploitation Status
Microsoft’s Threat Intelligence team reports active exploitation in the wild. Samples have been observed in phishing campaigns that deliver malicious HTML via compromised email newsletters. The exploit has been linked to a known APT group targeting government agencies in Europe.
Mitigation Steps
- Apply the August 2026 Security Update – Microsoft has released patch KB5029385. Install it immediately via Windows Update, WSUS, or SCCM.
- Block the vulnerable API – As a temporary measure, configure a Windows Defender Application Control (WDAC) rule to deny NtUserCreateWindowEx calls from untrusted processes. See the official WDAC documentation for guidance.
- Restrict RDP exposure – Disable RDP on internet‑facing hosts or enforce Network Level Authentication (NLA). Use Azure AD Conditional Access to limit RDP access.
- Enable Exploit Guard mitigations – Turn on Control Flow Guard (CFG) and Hardware-enforced Stack Protection. While not a full fix, they raise the bar for exploitation.
- Monitor for Indicators of Compromise (IOCs) – Look for unusual win32k.sys memory allocations, processes spawning svchost.exe with anomalous command lines, and outbound connections to known malicious IPs listed in the Microsoft Threat Intelligence portal.
Patch Deployment Timeline
- July 31, 2026 – Patch released to Windows Update and Microsoft Update Catalog.
- August 7, 2026 – Microsoft recommends all organizations complete deployment within 14 days of release.
- August 21, 2026 – End of extended support for unpatched systems in the Microsoft Security Update Guide.
Organizations with strict change‑control windows should prioritize this update due to the active exploitation risk.
References & Resources
- Official Microsoft Security Advisory: CVE‑2026‑43618 Details
- Patch download: KB5029385
- Exploit mitigation guide: Defending against Win32k exploits
- Threat intelligence report: APT‑XYZ targeting European government networks (internal Microsoft document, reference ID 2026‑TI‑048)
Bottom line: CVE‑2026‑43618 is a critical, actively exploited kernel flaw. Deploy the August 2026 patch without delay, enforce network restrictions on RDP, and enable exploit mitigation controls. Failure to act will leave systems open to full system compromise.