Microsoft has disclosed CVE‑2026‑45859, a remote code execution vulnerability in the Windows TCP/IP stack. The flaw scores 9.8 CVSS, impacts all supported Windows 10, Windows 11, and Windows Server 2022 releases, and is actively exploited. Apply the July 2026 cumulative update within 24 hours and enforce network‑level mitigations if patching is delayed.
Impact Overview
A new remote code execution (RCE) vulnerability, CVE‑2026‑45859, has been published by the Microsoft Security Response Center (MSRC). The flaw resides in the Windows TCP/IP stack handling of malformed IPv6 Extension Headers. An unauthenticated attacker on the same LAN or across the internet can trigger arbitrary code execution with SYSTEM privileges. The CVSS v3.1 base score is 9.8 (Critical).
- Affected products: Windows 10 (21H2, 22H2, 23H2), Windows 11 (22H2, 23H2), Windows Server 2022, Windows Server 2022 Datacenter, and Windows Server 2022 Azure Edition.
- Supported versions: All current servicing branches that receive monthly cumulative updates.
- Exploit status: Publicly observed in the wild since early May 2026. Threat actors are leveraging the flaw to install backdoors and exfiltrate data.
Technical Details
The vulnerability stems from insufficient bounds checking when the TCP/IP stack parses IPv6 Extension Header chains. Specifically, the IPV6_EXTHDR_NEXT_HEADER field can be crafted to cause an integer overflow, leading the kernel to write beyond the allocated buffer. This corrupts adjacent kernel structures and allows an attacker to hijack execution flow.
Key points:
- Trigger vector – A single UDP packet with a malformed IPv6 header is sufficient. No prior authentication or user interaction is required.
- Privilege escalation – The exploit runs in kernel mode, granting SYSTEM-level rights, which can be used to install persistent malware or create new admin accounts.
- Network scope – While originally observed on internal LANs, the bug can be exploited over the internet if the target machine has an exposed IPv6 address or is reachable via NAT64/DNS64.
- Mitigation bypass – Traditional host‑based firewalls that only filter TCP/ICMP often miss malformed IPv6 packets, making this flaw especially dangerous.
Mitigation Steps (If Patch Cannot Be Applied Immediately)
- Block IPv6 Extension Headers – Configure perimeter firewalls and Windows Defender Firewall to drop packets containing the following extension types: Hop‑by‑Hop Options (0), Destination Options (60), Routing Header (43), and Fragment Header (44).
- Disable IPv6 on non‑essential systems – For isolated workstations or legacy devices that do not require IPv6, set the DisabledComponents registry key to 0xFFFFFFFF.
- Enable Network Isolation – Use Windows Defender Application Guard or Azure Network Security Groups to segment high‑risk workloads.
- Monitor for Indicators of Compromise (IoC) – Look for spikes in inbound UDP traffic on port 0, unexpected svchost.exe processes with high CPU, and newly created admin accounts.
Patch Release Timeline
- July 10 2026 – MSRC released Security Update Guide (SUG) entry for CVE‑2026‑45859.
- July 12 2026 – Cumulative Update KB5029385 (Windows 10/11) and KB5031042 (Server 2022) made available via Windows Update, WSUS, and Microsoft Update Catalog.
- July 15 2026 – Microsoft published a detailed advisory with mitigation guidance and a proof‑of‑concept analysis.
Installation Instructions
- Open Settings → Windows Update on the affected machine.
- Click Check for updates and install the latest Cumulative Update for Windows 10/11 (KB5029385) or Cumulative Update for Server 2022 (KB5031042).
- Reboot the system to complete the installation.
- Verify the patch is applied by running wmic qfe list brief /format:table | find "KB5029385" (or the server equivalent).
For environments using WSUS or SCCM, import the update packages from the Microsoft Update Catalog and approve them for the target collection.
Recommendations
- Patch within 24 hours – The active exploitation window is narrow; delay increases breach risk.
- Audit IPv6 usage – Disable IPv6 where it is not required. Document any exceptions.
- Enable Extended Logging – Turn on Microsoft-Windows-NetworkDiagnostics-Performance/Operational to capture malformed packet logs.
- Review privileged accounts – After patching, audit for any newly created admin accounts that may have been planted during an attack.
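The patch verification step in the installation instructions and the IPv6 audit above can be combined into a single per-host compliance check. The following PowerShell is an added example and not part of the advisory; the function name and output fields are hypothetical, while the KB numbers and the 0xFFFFFFFF DisabledComponents value are those stated in the text.

```powershell
# Added example (not from the advisory): report one host's state against the
# July 2026 update and the IPv6 mitigation described above. Function name and
# output fields are hypothetical; KB numbers and the 0xFFFFFFFF value come
# from the advisory text. Run from an elevated PowerShell session.
function Get-Cve202645859Compliance {
    [CmdletBinding()]
    param(
        # Client (Windows 10/11) and Server 2022 update IDs named in the advisory
        [string[]] $KbIds = @('KB5029385', 'KB5031042')
    )

    # 1. Cumulative update present? Get-HotFix reads the same QFE data that
    #    "wmic qfe list" reports in the installation instructions.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID }

    # 2. IPv6 disabled via DisabledComponents? The value is a DWORD, which
    #    PowerShell surfaces as a signed Int32 (-1 for 0xFFFFFFFF), so the bit
    #    pattern is reinterpreted as unsigned before comparing.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $raw = (Get-ItemProperty -Path $regPath -Name DisabledComponents `
                -ErrorAction SilentlyContinue).DisabledComponents
    $ipv6Disabled = $false
    if ($null -ne $raw) {
        $bytes = [BitConverter]::GetBytes([int32]$raw)
        $ipv6Disabled = ([BitConverter]::ToUInt32($bytes, 0) -eq [uint32]::MaxValue)  # 0xFFFFFFFF
    }

    # 3. Non-link-local IPv6 addresses mean the host is reachable over IPv6
    #    (the "exposed IPv6 address" case in the Network scope note).
    $reachableV6 = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike 'fe80:*' -and $_.IPAddress -ne '::1' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PatchInstalled = [bool]$installed
        InstalledKb    = (@($installed.HotFixID) -join ',')
        Ipv6Disabled   = $ipv6Disabled
        ReachableIPv6  = (@($reachableV6.IPAddress) -join ',')
        # Patched hosts are compliant; unpatched hosts only pass with IPv6 off
        Compliant      = ([bool]$installed) -or $ipv6Disabled
    }
}

# Run locally, or fan out with Invoke-Command for a fleet-wide report.
Get-Cve202645859Compliance | Format-List
```

Hosts that report Compliant = False and a non-empty ReachableIPv6 value are the ones to prioritise for patching or for the extension-header filtering listed under Mitigation Steps.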
References
- Official Microsoft advisory: CVE‑2026‑45859 Details
- KB article for the July 2026 cumulative update: KB5029385
- Guidance on IPv6 firewall rules: Microsoft Docs – IPv6 Filtering
- Incident response playbook: NIST SP 800‑61r2
Take action now. The combination of high severity, active exploitation, and easy network reachability makes CVE‑2026‑45859 one of the most urgent patches Microsoft has issued this year. Apply the update, enforce the mitigations, and verify compliance across your fleet.