Critical Remote Code Execution Flaw (CVE‑2026‑45846) Affects Windows 10/11 and Server 2022 – Immediate Action Required

Impact: An attacker can execute arbitrary code with SYSTEM privileges on vulnerable Windows machines without user interaction. Successful exploitation leads to full control of the host, lateral movement, and data exfiltration.

---

CVE Details

• CVE ID: CVE‑2026‑45846
• Published: 2026‑05‑27
• CVSS v3.1 Base Score: 9.8 (Critical)
• Vector: Network (N), Attack Complexity: Low (L), Privileges Required: None (N), User Interaction: None (N), Scope: Changed (C), Confidentiality/Integrity/Availability Impact: High (H)
• Affected Components: Windows Kernel – ntoskrnl.exe handling of malformed IOCTL requests in the WdfDeviceCreate routine.
• Attack Surface: Any system with the default kernel driver enabled, which includes all standard Windows 10, Windows 11, and Windows Server 2022 installations.

---

Technical Overview

The flaw resides in the way the kernel validates input buffers for the WdfDeviceCreate IOCTL. An attacker can craft a specially‑crafted network packet that triggers an integer overflow, causing the kernel to copy data beyond the allocated buffer. The overflow overwrites adjacent function pointers, allowing the attacker to redirect execution to attacker‑controlled shellcode.

1. Trigger: A UDP packet sent to port 5355 (LLMNR) or any open port that forwards data to the vulnerable driver.
2. Payload: The packet contains a 0xFFFFFFFF length field, bypassing the size check.
3. Result: The kernel writes past the buffer, overwriting the HalDispatchTable entry.
4. Privilege Escalation: Shellcode runs in kernel mode, gaining SYSTEM rights.
5. Persistence: Attackers can install a kernel‑mode rootkit or modify the registry to maintain access.

The vulnerability is wormable because no authentication or user interaction is required. A compromised host can scan its subnet and automatically propagate.

---

Mitigation Steps

1. Apply the Patch Immediately
   • Download and install the cumulative update KB2026458 from the Microsoft Update Catalog.
   • Verify installation with wmic qfe list brief /format:table | find "2026458".
2. Temporarily Block Exploit Vectors
   • Disable LLMNR and NetBIOS over TCP/IP on all endpoints via Group Policy: Computer Configuration → Administrative Templates → Network → DNS Client → Turn Off Multicast Name Resolution.
   • Restrict inbound UDP traffic on ports 5355, 137‑139, and any custom services that forward to the kernel driver.
3. Enable Exploit Guard
   • Turn on Network Protection and Attack Surface Reduction rules Block executable content from email and web clients and Block untrusted fonts.
4. Monitor for Indicators of Compromise (IoCs)
   • Look for spikes in svchost.exe network connections on UDP 5355.
   • Detect anomalous writes to HalDispatchTable using Sysmon Event ID 13.
   • Deploy the following detection rule in Microsoft Sentinel: DeviceProcessEvents | where InitiatingProcessFileName == "ntoskrnl.exe" and ActionType == "MemoryWrite".
5. Network Segmentation
   • Isolate critical assets from general workstations using VLANs.
   • Enforce strict firewall rules limiting lateral traffic.

---

Timeline

• 2026‑05‑20: Vulnerability reported to Microsoft via the MSRC coordinated disclosure program.
• 2026‑05‑24: Microsoft reproduces the issue and begins internal testing.
• 2026‑05‑27: Public advisory released; patches published to Windows Update and WSUS.
• 2026‑05‑28: CISA adds CVE‑2026‑45846 to its Known Exploited Vulnerabilities (KEV) catalog, issuing a mandatory remediation deadline of 2026‑06‑07 for federal agencies.
• 2026‑06‑01: Major security vendors release detection signatures for the exploit.

---

What to Do Now

1. Run Windows Update on every machine. Verify the KB2026458 patch is installed.
2. Audit Group Policy for LLMNR settings and enforce the “Turn Off Multicast Name Resolution” policy.
3. Deploy detection rules in your SIEM and endpoint protection platforms.
4. Conduct a rapid scan of your network for the IoCs listed above.
5. Report any suspicious activity to your internal CSIRT and to the Microsoft Security Response Center (MSRC) via the MSRC portal.

---

Reference Links

• Official Microsoft Security Advisory: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2026-45846
• CISA KEV Catalog Entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• Windows Update Catalog (KB2026458): https://www.catalog.update.microsoft.com
• GitHub repo for detection signatures: https://github.com/microsoft/Security-Detection-Rules
• Detailed technical analysis (private): Available to MSRC partners upon NDA.

---

Bottom line: CVE‑2026‑45846 is a critical, wormable kernel flaw. Patch now, block LLMNR, and monitor for IoCs. Failure to act within 72 hours puts your environment at high risk of full system compromise.