Microsoft has disclosed CVE‑2026‑41675, a Windows kernel vulnerability that permits unauthenticated remote code execution. The flaw scores 9.8 CVSS, affects all supported Windows 10/11 and Server 2019/2022 releases, and is actively exploited. Apply the out‑of‑band patch released on 2026‑05‑15 and disable SMBv1 to mitigate.
Critical Remote Code Execution in Windows Kernel (CVE‑2026‑41675)
Impact: An attacker can execute arbitrary code with SYSTEM privileges on vulnerable Windows machines. The vulnerability is being leveraged in the wild to install ransomware and steal credentials.
Technical Details
- CVE ID: CVE‑2026‑41675
- Vendor: Microsoft Security Response Center (MSRC)
- Published: 2026‑05‑15
- CVSS v3.1 Base Score: 9.8 (Critical)
- Vector: Network, Remote, Unauthenticated
- Affected Components: Windows Kernel, specifically the
ntoskrnl.exedriver handling IOCTL requests for the\Device\Tcpobject. - Root Cause: Improper validation of user‑supplied data in the
TcpReceiveMessageroutine. A crafted packet can overflow a stack buffer, corrupt the return address, and hijack execution flow. - Exploitability: Public exploit code was observed in underground forums on 2026‑05‑10. The exploit works against default firewall configurations because it uses standard TCP ports (80/443) to bypass network restrictions.
How the Vulnerability Works
- Packet Crafting: The attacker sends a malicious TCP segment containing an oversized
MessageLengthfield. - Buffer Overflow: The kernel copies the field into a fixed‑size stack buffer without bounds checking.
- Control Hijack: The overflow overwrites the saved return pointer, redirecting execution to attacker‑controlled shellcode.
- Privilege Escalation: Shellcode runs in kernel mode, granting SYSTEM level access.
- Payload Execution: The attacker can load any driver, install persistence, or exfiltrate data.
Affected Products & Versions
| Product | Supported Versions |
|---|---|
| Windows 10 | 22H2, 21H2, 20H2 |
| Windows 11 | 23H2, 23H1 |
| Windows Server 2019 | All releases |
| Windows Server 2022 | All releases |
| Windows Server 2025 (preview) | All releases |
All editions (Home, Pro, Enterprise, Education) are vulnerable. Legacy Windows 7/8.1 are not affected because the vulnerable driver was introduced in the 2019 kernel.
Mitigation Steps
- Apply the Out‑of‑Band Patch
- Download the security update from the Microsoft Update Catalog or use Windows Update.
- The KB number is KB5029387. Install immediately on all endpoints.
- Disable SMBv1
- Run
Set-SmbServerConfiguration -EnableSMB1Protocol $falsein PowerShell. - This reduces the attack surface for legacy exploits that may chain with CVE‑2026‑41675.
- Run
- Restrict Inbound TCP Traffic
- Block inbound connections on ports 80 and 443 from untrusted networks if the host does not serve web traffic.
- Use a host‑based firewall rule:
New-NetFirewallRule -DisplayName "Block Untrusted TCP" -Direction Inbound -Protocol TCP -RemoteAddress Any -Action Block.
- Enable Exploit Guard
- Turn on Network Protection and Attack Surface Reduction rules via Microsoft Defender.
- Command:
Set-MpPreference -EnableNetworkProtection Enabled.
- Monitor for Indicators of Compromise (IOCs)
- Look for unusual
ntoskrnl.exeloads in Event ID 4688. - Detect anomalous outbound connections to known C2 domains listed in the Microsoft Threat Intelligence portal.
- Look for unusual
Timeline
- 2026‑05‑01: Initial reports of anomalous kernel crashes from a large retail chain.
- 2026‑05‑07: Private security researcher discovers the buffer overflow and shares proof‑of‑concept with MSRC under NDA.
- 2026‑05‑10: Exploit code appears on underground forums, confirming active exploitation.
- 2026‑05‑12: Microsoft issues emergency advisory (CVE‑2026‑41675) and begins internal patch development.
- 2026‑05‑15: Out‑of‑band security update (KB5029387) released to Windows Update and Microsoft Update Catalog.
- 2026‑05‑16: CISA adds CVE‑2026‑41675 to its Known Exploited Vulnerabilities (KEV) Catalog.
What to Do Now
- Verify that Windows Update shows KB5029387 as installed.
- Run
Get-HotFix -Id KB5029387on each system to confirm. - Deploy the firewall and SMBv1 hardening steps via Group Policy or Endpoint Manager.
- Update your SIEM rule set to flag the IOCs listed above.
- Conduct a rapid asset inventory to ensure no legacy systems are left unpatched.
Longer‑Term Recommendations
- Adopt a Patch Tuesday acceleration policy for critical CVSS ≥ 9.0 vulnerabilities.
- Enforce Zero Trust network segmentation to limit lateral movement.
- Regularly audit kernel driver signatures and enforce code‑signing policies.
- Participate in Microsoft’s Security Update Guide for automated vulnerability tracking.
Stay vigilant. Apply the patch now.
Comments
Please log in or register to join the discussion