Microsoft has disclosed CVE‑2026‑46230, a remote code execution flaw in the Windows kernel rated CVSS 9.8. The vulnerability affects Windows 10 21H2/22H2, Windows 11 22H2/23H2, Windows Server 2019 and Windows Server 2022 (see the build table below). Exploits are already circulating. Apply the out‑of‑band patch (KB5029387) released on May 28, 2026, and restrict inbound SMB and RDP to known management subnets until it is deployed.
Impact Summary
A remote code execution (RCE) flaw in the Windows kernel (CVE‑2026‑46230) allows an unauthenticated network attacker to execute arbitrary code in kernel mode (ring 0), which gives full SYSTEM‑level control of the host. The vulnerability scores 9.8 on the CVSS v3.1 base metric, qualifying it as Critical. Exploitation has been observed in the wild against corporate VPN gateways and remote desktop services.
Technical Details
Vulnerability ID: CVE‑2026‑46230
Published: 2026‑05‑28 (Microsoft Security Update Guide)
CVSS v3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Components: Windows kernel (ntoskrnl.exe), handling of malformed I/O request packets (IRPs) in the IoAllocateMdl routine.
Root Cause: The kernel does not validate the length field of an attacker‑controlled MDL (Memory Descriptor List) before using it while processing certain IOCTL calls. A crafted request overflows a fixed‑size kernel stack buffer, overwrites the saved return address and yields code execution at ring 0.
Exploit Vector: The flaw is reachable over the network through any service that forwards attacker‑controlled IOCTL requests to the kernel, including:
- SMBv3 (TCP 445)
- RDP (TCP 3389) when virtual channel extensions are enabled
- DirectAccess and VPN clients that expose the DeviceIoControl interface
Public Exploits: Proof‑of‑concept code was posted to public GitHub repositories on 2026‑05‑20, before the patch was available. Several nation‑state actors have since incorporated the exploit into multi‑stage malware campaigns targeting the energy and manufacturing sectors.
Affected Products and Versions
| Product | Version(s) Affected | Build Range |
|---|---|---|
| Windows 10 | 21H2 (build 19044), 22H2 (build 19045) | 19044.3086 – 19044.3500 (22H2 shares servicing with 21H2, so the same UBR range applies on build 19045) |
| Windows Server 2019 | All releases | 17763.2920 – 17763.3400 |
| Windows Server 2022 | All releases | 20348.1500 – 20348.2100 |
| Windows 11 | 22H2 (build 22621), 23H2 (build 22631) | 22621.1700 – 22621.2300 (23H2 shares servicing with 22H2, so the same UBR range applies on build 22631) |
Windows 7 and Windows Server 2008 R2 are not affected. Azure Stack HCI images are not affected once their build number is above the listed range, i.e. once the update is already included.
Mitigation Steps
- Apply the out‑of‑band patch released on 2026‑05‑28 (KB5029387). The update is available via Windows Update, WSUS, and Microsoft Endpoint Configuration Manager.
- Download links: Microsoft Update Catalog
- Block inbound TCP 445 and 3389 from untrusted networks until patches are applied. Scope firewall rules to known management subnets and, on file servers and domain controllers, to the client ranges those services legitimately serve.
- Enable Virtualization‑Based Security (VBS) with Hypervisor‑protected Code Integrity (HVCI) on affected hosts. HVCI refuses to execute unsigned kernel code pages and raises the cost of turning a kernel memory‑corruption primitive into stable code execution. Credential Guard (also VBS‑based) keeps LSA secrets out of reach of a compromised kernel but does not by itself prevent kernel code execution.
- Monitor for post‑exploitation activity. Sysmon cannot observe kernel MDL allocations, so log Sysmon Event ID 1 (Process Create) for unexpected SYSTEM‑level process creation and Event ID 11 (File Create) for new executables or drivers written under System32, and correlate with network flow logs for abnormal SMB/RDP traffic.
- Update third‑party VPN and remote‑desktop appliances that rely on Windows kernel drivers. Vendors have released firmware updates that incorporate the same kernel patches.
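The interim firewall control above, written out as an added example (this is not from the Microsoft advisory). The management subnets, rule names and the choice of Windows Defender Firewall cmdlets are assumptions for this demo; run it elevated on each affected host or translate it into a GPO/Intune firewall policy.

```powershell
# Added example, not part of the Microsoft advisory: scope inbound SMB (TCP 445) and
# RDP (TCP 3389) to known management subnets until KB5029387 is installed.
# Management ranges and rule names below are assumptions for this demo.

$ManagementSubnets = @('10.10.0.0/24', '10.20.5.0/24')   # assumed management ranges
$Ports = @{ 'SMB' = 445; 'RDP' = 3389 }

# 1. Default inbound action Block on every profile, so anything not explicitly
#    allowed is dropped. Block rules win over allow rules in Windows Defender
#    Firewall, which is why we do NOT add a broad "block 445/3389" rule that
#    would also defeat the scoped allow rules created in step 3.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable the broad built-in allow rules for these services (they allow from Any).
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing', 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Disable-NetFirewallRule

# 3. One scoped allow rule per service. Idempotent: remove our own copy first.
foreach ($svc in $Ports.Keys) {
    $name = "CVE-2026-46230 interim: allow $svc from management"
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $Ports[$svc] -RemoteAddress $ManagementSubnets -Profile Any | Out-Null
}

# 4. Show the effective state of the rules we created for a quick check.
Get-NetFirewallRule -DisplayName 'CVE-2026-46230 interim*' | ForEach-Object {
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        Port       = ($_ | Get-NetFirewallPortFilter).LocalPort
        RemoteAddr = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
    }
}
```

On file servers and domain controllers the `$ManagementSubnets` list must also contain the client ranges those hosts serve over SMB, otherwise step 2 cuts off legitimate shares and logon traffic. Once KB5029387 is confirmed installed, re-enable the built-in rule groups with `Enable-NetFirewallRule -DisplayGroup` and remove the interim rules.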
Timeline
- 2026‑05‑15: Initial discovery by a private security researcher, reported to MSRC under CVE‑2026‑46230.
- 2026‑05‑20: Proof‑of‑concept exploit posted publicly.
- 2026‑05‑24: Microsoft confirms vulnerability, assigns CVSS 9.8, begins internal remediation.
- 2026‑05‑28: Out‑of‑band security update (KB5029387) released. Advisory published on the Microsoft Security Response Center (MSRC) portal.
- 2026‑06‑02: CISA adds CVE‑2026‑46230 to the Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies required to patch within 14 days.
Recommended Actions for Organizations
- Patch immediately on all endpoints matching the affected build range. Prioritize domain controllers, file servers, and VPN gateways.
- Verify patch deployment using compliance tools (e.g., SCCM compliance baselines, PowerShell Get-HotFix, or the build/UBR reported by the OS) rather than assuming Windows Update has run.
- Conduct a rapid risk assessment to identify any legacy applications that may still rely on vulnerable kernel interfaces.
- Review network segmentation. Ensure that SMB and RDP services are not exposed to the internet without a zero‑trust gateway.
- Prepare an incident response playbook for potential compromise, including steps to isolate affected hosts, collect memory dumps, and engage Microsoft Incident Response.
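As an added example of the patch-verification step (not the advisory's own tooling), the function below reads this host's build and UBR from the registry, compares them against the affected ranges in the table above and checks whether KB5029387 is installed. The table rows are the advisory's; the 19045 (Windows 10 22H2) and 22631 (Windows 11 23H2) entries assume the same UBR range as their shared-servicing siblings 19044 and 22621. The function name, status labels and the `hosts.txt` fleet list are my own assumptions.

```powershell
function Test-Cve202646230Exposure {
    # Added example, not from the advisory: report whether this host sits in the
    # affected build range for CVE-2026-46230 and whether KB5029387 is installed.
    [CmdletBinding()]
    param([string]$KB = 'KB5029387')

    # Affected ranges from the advisory table. The 19045 and 22631 rows are assumed
    # (same UBR range as 19044 / 22621, with which they share servicing).
    $affected = @(
        @{ Build = 19044; MinUBR = 3086; MaxUBR = 3500; Product = 'Windows 10 21H2' },
        @{ Build = 19045; MinUBR = 3086; MaxUBR = 3500; Product = 'Windows 10 22H2' },    # assumed
        @{ Build = 17763; MinUBR = 2920; MaxUBR = 3400; Product = 'Windows Server 2019' },
        @{ Build = 20348; MinUBR = 1500; MaxUBR = 2100; Product = 'Windows Server 2022' },
        @{ Build = 22621; MinUBR = 1700; MaxUBR = 2300; Product = 'Windows 11 22H2' },
        @{ Build = 22631; MinUBR = 1700; MaxUBR = 2300; Product = 'Windows 11 23H2' }     # assumed
    )

    # CurrentBuildNumber + UBR form the "19044.3500"-style version used in the table.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    $row       = $affected | Where-Object { $_.Build -eq $build } | Select-Object -First 1
    $inRange   = ($null -ne $row) -and ($ubr -ge $row.MinUBR) -and ($ubr -le $row.MaxUBR)
    $kbPresent = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

    $status = if ($kbPresent)                  { 'PATCHED' }
              elseif ($null -eq $row)          { 'NOT LISTED' }   # build not in the advisory table
              elseif ($inRange)                { 'EXPOSED' }
              elseif ($ubr -gt $row.MaxUBR)    { 'ABOVE RANGE' }  # newer than the table; confirm the KB is superseded
              else                             { 'BELOW RANGE' }  # older than the table; treat as exposed until verified

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Product      = if ($null -ne $row) { $row.Product } else { $cv.ProductName }
        Build        = "$build.$ubr"
        KBInstalled  = $kbPresent
        Status       = $status
    }
}

# Local run:
Test-Cve202646230Exposure

# Fleet run over WinRM (hosts.txt is an assumed list of computer names):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-Cve202646230Exposure} |
#     Where-Object Status -ne 'PATCHED' | Format-Table ComputerName, Product, Build, Status
```

`Get-HotFix` only lists updates recorded by the servicing stack, so a host that received a later cumulative update superseding KB5029387 may report the KB as absent; that is why the build/UBR comparison is reported alongside it and an `ABOVE RANGE` host is flagged for confirmation rather than marked exposed.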
References
- Microsoft Security Update Guide entry: CVE‑2026‑46230
- CISA KEV Catalog entry: CVE‑2026‑46230
- Official patch download: KB5029387
- Sysinternals Sysmon configuration guide: Sysmon Docs
Bottom line: CVE‑2026‑46230 is a high‑impact kernel RCE that is already weaponized. Deploy the Microsoft patch without delay and tighten network controls so exploitation attempts never reach your critical assets.