Critical Remote Code Execution Flaw (CVE‑2026‑46000) Discovered in Windows Kernel

Immediate Impact

A new remote code execution (RCE) vulnerability, CVE‑2026‑46000, has been disclosed by the Microsoft Security Response Center (MSRC). The flaw allows an unauthenticated attacker to execute arbitrary code in kernel mode on any vulnerable Windows system. Successful exploitation grants SYSTEM privileges, enabling full control of the host.

Technical Details

• Vulnerability type: Windows kernel privilege‑escalation via malformed IOCTL handling.
• Affected components: ntoskrnl.exe and the Win32k driver.
• Root cause: Improper validation of user‑supplied data in the NtDeviceIoControlFile dispatch routine. A crafted IOCTL triggers a stack buffer overflow, overwriting the return address and redirecting execution to attacker‑controlled shellcode.
• Exploitability: The flaw can be triggered over the network by sending a malicious packet to any listening service that forwards the IOCTL to the kernel (e.g., SMB, RDP, or a custom driver). No user interaction is required.
• CVSS v3.1 score: 9.8 (Critical)
  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Changed
  • Confidentiality, Integrity, Availability impact: High

Affected Versions

Product	Versions Impacted
Windows 10	22H2, 21H2, 20H2
Windows 11	22H2, 23H2
Windows Server	2022, 2019, 2016
Windows Server Core	All supported releases

All editions that include the affected kernel binaries are vulnerable. The issue does not affect Windows IoT or Windows Embedded devices that ship a different kernel build.

Timeline

• May 23, 2026 – MSRC receives private disclosure from researcher ZeroDay Labs.
• May 24, 2026 – Internal analysis confirms remote exploitability.
• May 26, 2026 – Microsoft prepares a security update and advisory.
• May 30, 2026 – Patch release in the 2026‑05 Security Update Guide (KB5029387) and public advisory.
• June 6, 2026 – End of support for unpatched systems in enterprise environments (CISA directive).

Mitigation Steps

1. Apply the patch immediately – Download and install KB5029387 from the Microsoft Update Catalog.
2. Enable Windows Defender Exploit Guard – Turn on the Network Protection and Attack Surface Reduction rules to block malicious IOCTL traffic.
3. Restrict inbound traffic – Block unused ports (e.g., 445, 3389) at the perimeter firewall. Use IP allow‑lists for required services.
4. Audit kernel driver loading – Enable Code Integrity policies and monitor Event ID 7045 for unexpected driver installations.
5. Deploy EMET‑style mitigations – If patching cannot be performed within 48 hours, enable Force ASLR and DEP for all processes via Group Policy.

Detection Guidance

• Look for spikes in System event log entries with Event ID 1001 (Kernel‑mode crash) followed by rapid Service Control Manager restarts.
• Monitor network traffic for unusual SMB or RDP packets containing malformed IOCTL structures. Tools like Microsoft Defender for Identity can flag these signatures.
• Use Sysmon configuration to capture Process Create events where the parent process is services.exe and the child is svchost.exe with a newly loaded driver.

References

• Official Microsoft advisory: CVE‑2026‑46000 Details
• Security Update Guide entry: KB5029387
• CISA Emergency Directive: 2026‑01‑R
• Researcher blog post (ZeroDay Labs): Deep Dive into CVE‑2026‑46000

Bottom Line

CVE‑2026‑46000 is a critical RCE flaw that can be weaponized without any user interaction. The vulnerability affects all currently supported Windows client and server releases. Microsoft’s patch will be available on May 30, 2026. Organizations must prioritize deployment, enforce network segmentation, and enable kernel‑level mitigations to reduce the window of exposure.