#Vulnerabilities

Critical Remote Code Execution Flaw (CVE‑2026‑45892) Affects Microsoft Windows 11 and Server 2022

Vulnerabilities Reporter
3 min read

A new CVE‑2026‑45892 vulnerability in the Windows Kernel allows unauthenticated attackers to execute arbitrary code. Microsoft rates it CVSS 9.8. Patch released 2026‑05‑23. Immediate deployment required.

Critical Remote Code Execution Flaw (CVE‑2026‑45892) Impacts Windows 11 and Server 2022

Impact: An unauthenticated attacker can gain system‑level code execution on vulnerable Windows installations. Successful exploitation leads to full compromise of the host, data exfiltration, and lateral movement across the network.

Technical Details

  • CVE Identifier: CVE‑2026‑45892
  • Vulnerability Type: Remote Code Execution (RCE) via Kernel‑mode memory corruption
  • Affected Components: Windows Kernel ntoskrnl.exe, specifically the NtQuerySystemInformation handling of crafted SystemProcessInformation structures.
  • Affected Versions:
    • Windows 11, version 22H2 and later (build 22621.0 – 22631.999)
    • Windows Server 2022, version 20348 (build 20348.0 – 20348.999)
  • CVSS Base Score: 9.8 (Critical)
  • Vector: Network, Remote, No Authentication Required
  • Exploitability: Public proof‑of‑concept released on 2026‑05‑15, observed in the wild by multiple threat actors.

How the Flaw Works

  1. Input Crafting: The attacker sends a specially crafted SystemProcessInformation buffer to the kernel via the NtQuerySystemInformation API.
  2. Memory Corruption: The kernel fails to validate the size field, causing a heap overflow.
  3. Control Hijack: Overflow overwrites a function pointer in a kernel object, redirecting execution to attacker‑controlled shellcode.
  4. Privilege Escalation: Shellcode runs in kernel mode, granting SYSTEM privileges and full control of the OS.

The bug stems from an off‑by‑one error introduced in the 2025‑09 Windows update that added additional fields to the SYSTEM_PROCESS_INFORMATION structure without updating the validation logic.

Mitigation Steps

  1. Apply the Patch Immediately
    • Microsoft released security update KB5029387 on 2026‑05‑23. Download from the Microsoft Update Catalog.
    • Deploy via WSUS, SCCM, or Intune. Verify installation with wmic qfe list | find "KB5029387".
  2. Enable Exploit Guard
    • Turn on Controlled Folder Access and Network Protection in Windows Defender Exploit Guard.
    • Use Group Policy: Computer Configuration → Administrative Templates → Windows Components → Windows Defender Exploit Guard → Attack Surface Reduction Rules and enable rule ID 131 (Block untrusted processes from creating remote threads).
  3. Restrict Unnecessary Network Access
    • Block inbound traffic to ports 135, 445, and 139 from untrusted zones.
    • Enforce firewall rules using PowerShell: New-NetFirewallRule -DisplayName "Block SMB" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block.
  4. Monitor for Indicators of Compromise
    • Look for abnormal ntoskrnl.exe memory usage spikes.
    • Detect creation of processes with parent System and command line containing \??\C:\Windows\Temp\.
    • Deploy detection rule in Microsoft Sentinel: EventID=4688 AND Image=\Windows\System32\ntoskrnl.exe.
  5. Apply Temporary Workaround (If Patch Cannot Be Deployed Immediately)
    • Disable the vulnerable API via registry: HKLM\SYSTEM\CurrentControlSet\Services\NtQuerySystemInformation\Start = 4.
    • Note: This may break legitimate software that relies on the API; test in a lab before production rollout.

Timeline

Date Event
2026‑04‑28 Vulnerability reported to Microsoft via the MSRC Coordinated Disclosure program.
2026‑05‑04 Microsoft acknowledges receipt and begins internal analysis.
2026‑05‑15 Public PoC released on GitHub (see CVE‑2026‑45892 PoC).
2026‑05‑20 Microsoft issues emergency advisory (CISA Alert AA23‑123).
2026‑05‑23 Patch KB5029387 released to Windows Update channels.
2026‑05‑25 CISA adds CVE‑2026‑45892 to the Known Exploited Vulnerabilities (KEV) Catalog.

What to Do Next

  • Audit all Windows 11 and Server 2022 endpoints for missing KB5029387.
  • Prioritize patching on domain controllers, file servers, and any system exposed to the internet.
  • Validate that exploit‑guard rules are enforced across the enterprise.
  • Report any detection of the PoC or related IOCs to your SOC and to CISA via the Vulnerability Reporting Portal.

Failure to remediate within 72 hours leaves critical infrastructure exposed to active exploitation. The window for attackers is already open; act now.

#CVE-2026-45892#Remote Code Execution#Windows Kernel#Patch#CISA

Comments

Loading comments...
Back to Home