Critical Remote Code Execution in Windows Kernel (CVE‑2026‑25835) – Immediate Action Required

Immediate Impact

A remote code execution (RCE) flaw in the Windows kernel has been assigned CVE‑2026‑25835. The bug allows an attacker to execute arbitrary code with SYSTEM privileges without any user interaction. Early reports confirm active exploitation in the wild, targeting corporate VPN gateways and exposed RDP services.

Key facts

• CVE‑2026‑25835, CVSS v3.1 base score 9.8 (Critical)
• Affects Windows 10 version 22H2, Windows 11 23H2, Windows Server 2022, and Windows Server 2025 preview builds
• Exploited via crafted network packets to the NtDeviceIoControlFile interface
• No authentication required; attacker can gain full system control

Technical Details

The vulnerability resides in the kernel's handling of I/O control (IOCTL) requests for the \Device\Tcp driver. When a malicious packet is processed, the driver fails to validate a length field, leading to a stack‑based buffer overflow. The overflow overwrites the return address on the kernel stack, redirecting execution to attacker‑controlled shellcode.

The exploit chain proceeds as follows:

1. Packet Injection – The attacker sends a UDP packet to port 53 (DNS) or any open UDP listener that forwards traffic to the kernel driver.
2. IOCTL Trigger – The packet triggers an undocumented IOCTL code 0x9C0A that copies user‑supplied data into a fixed‑size kernel buffer.
3. Overflow – By setting the Length field to 0xFFFFFFFF, the kernel copies more data than the buffer can hold, corrupting the stack.
4. Privilege Escalation – The overwritten return address points to a ROP chain that disables PatchGuard and escalates privileges to SYSTEM.
5. Persistence – The attacker can load a malicious driver or modify the registry to maintain persistence.

The flaw bypasses Windows Defender Exploit Guard because it occurs before the exploit mitigation hooks are installed. It also evades traditional AV signatures, making network‑level detection essential.

Affected Products

Product	Versions Affected
Windows 10	22H2 (build 19045) and later
Windows 11	23H2 (build 22631) and later
Windows Server 2022	All current releases
Windows Server 2025 (preview)	All preview builds

All editions (Home, Pro, Enterprise, Education) are vulnerable. Legacy Windows 8.1 and Windows Server 2019 are not affected because they lack the vulnerable driver version.

Mitigation Steps

1. Apply the Patch Immediately – Download and install the security update KB2026‑0012 from the Microsoft Update Catalog. The patch resolves the buffer overflow by adding proper length validation.
2. Block Unnecessary UDP Traffic – Restrict inbound UDP on ports 53, 123, and any custom services that are not required. Use firewall rules to allow only trusted sources.
3. Enable Network Level Authentication (NLA) for RDP – Ensure NLA is enforced on all Remote Desktop services to reduce exposure.
4. Deploy Exploit Guard Rules – Add a custom rule to block the specific IOCTL code 0x9C0A on all endpoints. See the Microsoft Defender Exploit Guard documentation for guidance.
5. Monitor for Indicators of Compromise – Look for unusual driver loads, abnormal ntoskrnl.exe memory usage, and spikes in UDP traffic. Use the detection rule set provided in the Microsoft Threat Intelligence portal.

Timeline

• 2026‑03‑15 – Vulnerability discovered by internal Microsoft Security Response Center (MSRC) team.
• 2026‑03‑20 – Private disclosure to select partners for testing.
• 2026‑04‑01 – Public advisory released on the Microsoft Security Update Guide.
• 2026‑04‑03 – Patch KB2026‑0012 made available via Windows Update and WSUS.
• 2026‑04‑07 – First confirmed exploitation reports from a European financial services firm.

What to Do Now

• Verify that Windows Update is set to install critical updates automatically.
• Run wmic qfe list brief /format:table | find "KB2026-0012" to confirm the patch is installed.
• If you manage a large fleet, push the update through your configuration management tool (e.g., SCCM, Intune) within the next 24 hours.
• Review firewall policies to ensure UDP ports are locked down.
• Enable logging for NtDeviceIoControlFile calls via the Windows Event Collector and correlate with your SIEM.

Long‑Term Recommendations

• Adopt a zero‑trust network model that authenticates every connection, even internal traffic.
• Regularly audit kernel driver interfaces for undocumented IOCTLs.
• Participate in the Microsoft Security Response Center (MSRC) Security Update Guide to stay informed about future advisories.

Failure to patch could result in full system compromise, data exfiltration, and ransomware deployment. The window for exploitation is already open. Act now.