Microsoft has disclosed CVE‑2026‑45986, a remote code execution vulnerability in the Windows TCP/IP stack. It scores 9.8 CVSS, impacts all supported Windows 10 and Server 2022 versions, and is actively exploited. Apply the August 2026 security update today and enforce network segmentation as mitigation.
Immediate Impact
A remote code execution (RCE) flaw has been found in the Windows TCP/IP stack. An attacker who can send specially crafted packets can execute arbitrary code with SYSTEM privileges. The vulnerability is actively exploited in the wild. Microsoft rates it 9.8 (Critical) on the CVSS v3.1 scale.
Affected Products
| Product | Versions Affected |
|---|---|
| Windows 10 | 22H2, 21H2, 20H2, 1909 |
| Windows Server 2022 | All current releases |
| Windows Server 2019 | All current releases |
| Windows 11 | 23H2, 22H2 |
The flaw resides in the tcpip.sys driver, which processes inbound IPv4/IPv6 packets. Any system that runs the affected driver and accepts network traffic on an unfiltered interface is vulnerable.
Technical Details
- CVE‑2026‑45986 is a memory‑corruption bug triggered by a malformed extension header in an IPv6 packet. The packet bypasses normal bounds checks, causing a buffer overflow in tcpip.sys. The overflow overwrites a function pointer used during packet processing, allowing the attacker to hijack execution flow.
- Exploitation requires the attacker to be on the same Layer‑2 network segment or to have a path through a mis‑configured router that forwards the malicious packet. However, research shows that the vulnerability can be leveraged over the internet when a victim's firewall permits inbound IPv6 traffic on any port.
- The attack chain:
  - A malicious IPv6 packet is sent to the victim.
  - tcpip.sys processes the packet and overflows a heap buffer.
  - The overwritten pointer redirects execution to attacker‑controlled shellcode.
  - The shellcode spawns a SYSTEM‑level process, giving full control of the host.
- The vulnerability does not require user interaction or elevated privileges. It is a classic “wormable” RCE vector.
Mitigation Steps
- Apply the August 2026 Security Update (KB5029387) immediately. The patch adds strict length checks and hardens the IPv6 extension header parser.
- Block inbound IPv6 traffic on untrusted interfaces. Configure firewalls to drop all IPv6 packets that are not explicitly required.
- Enable IPv4‑only mode on legacy devices that do not need IPv6. This removes the attack surface.
- Deploy network segmentation: isolate critical servers on VLANs that do not accept traffic from the internet or untrusted LAN segments.
- Monitor for abnormal traffic: look for spikes in inbound IPv6 packets with unusual extension headers. Use IDS signatures such as `ET MALWARE Possible CVE-2026-45986 Exploit`.
Patch Deployment Timeline
| Date | Action |
|---|---|
| July 31, 2026 | Microsoft releases KB5029387 via Windows Update and WSUS. |
| August 2, 2026 | CISA adds CVE‑2026‑45986 to its Known Exploited Vulnerabilities (KEV) Catalog. |
| August 5, 2026 | Major cloud providers (Azure, AWS, GCP) publish advisory and auto‑apply the patch to hosted Windows instances. |
| August 10, 2026 | Recommended deadline for all enterprise customers to have the patch fully deployed. |
What to Do Now
- Open Windows Update on every affected machine and install the August 2026 cumulative update.
- Verify installation with `wmic qfe list brief /format:table | find "KB5029387"`.
- Review firewall rules: ensure IPv6 inbound traffic is blocked unless explicitly required.
- Run the Microsoft Safety Scanner (`MSASCui.exe`) to check for any compromise indicators.
- Document the remediation steps in your incident response playbook.
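The patch check and the IPv4‑only mitigation above can be scripted for a fleet. The following PowerShell script is an added example, not Microsoft's tooling or part of this advisory: it assumes the KB number given above, uses the standard Get-HotFix and NetAdapter cmdlets, and only disables the IPv6 binding when explicitly asked (the `-DisableIPv6` switch and `-KeepIPv6On` list are this script's own parameters).

```powershell
# Added example (not from the advisory): verifies KB5029387 is installed and
# reports, or optionally disables, the IPv6 (ms_tcpip6) binding on adapters
# that do not need IPv6. Run elevated on each host being remediated.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$KB = 'KB5029387',          # KB number stated in the advisory
    [string[]]$KeepIPv6On = @(),         # adapter names that still need IPv6
    [switch]$DisableIPv6                 # without it the script only reports
)

# 1. Patch state: Get-HotFix reads the same data as "wmic qfe list"
$hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host "[OK]   $KB installed on $(hostname) ($($hotfix.InstalledOn))"
} else {
    Write-Warning "$KB NOT installed on $(hostname) - host remains exposed"
}

# 2. tcpip.sys file version, for comparison against the patched build
$drv = Get-Item "$env:SystemRoot\System32\drivers\tcpip.sys"
Write-Host "       tcpip.sys version: $($drv.VersionInfo.FileVersion)"

# 3. IPv6 binding per adapter: disabling ms_tcpip6 is the "IPv4-only mode"
#    mitigation for devices that do not need IPv6
foreach ($b in Get-NetAdapterBinding -ComponentID ms_tcpip6) {
    $state = if ($b.Enabled) { 'IPv6 ENABLED' } else { 'IPv6 disabled' }
    Write-Host "       $($b.Name): $state"
    if ($b.Enabled -and $DisableIPv6 -and ($KeepIPv6On -notcontains $b.Name)) {
        if ($PSCmdlet.ShouldProcess($b.Name, 'Disable ms_tcpip6 binding')) {
            Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6
            Write-Host "       -> IPv6 binding disabled on $($b.Name)"
        }
    }
}

# 4. Exit code for fleet tooling: non-zero when the patch is missing
exit ([int](-not $hotfix))
```

Run it with `-DisableIPv6 -WhatIf` first to see which adapters would be changed, then without `-WhatIf` to apply.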
References
- Microsoft Security Update Guide – CVE‑2026‑45986
- CISA KEV Catalog Entry – CVE‑2026‑45986
- KB5029387 – August 2026 Security Update
- Mitre ATT&CK – Exploit Public-Facing Application (T1190)
Bottom line: This is a critical, actively exploited RCE flaw. Deploy the August 2026 patch now, lock down IPv6, and verify remediation across your environment.