Critical Remote Code Execution in Windows Kernel (CVE‑2026‑4873) – Immediate Action Required

Impact Overview

A new Windows kernel vulnerability, CVE‑2026‑4873, allows unauthenticated attackers to execute arbitrary code with SYSTEM rights. The flaw is critical – CVSS v3.1 base score 9.8. Successful exploitation can lead to full domain compromise, data exfiltration, and ransomware deployment.

Affected Products

Product	Versions Affected	Build Range
Windows 10	22H2, 23H1, 23H2	19044.3080 – 19044.3780
Windows Server 2022	All releases	20348.1200 – 20348.1800
Windows 11	22H2, 23H2	22621.900 – 22621.1550

The vulnerability resides in the NDIS (Network Driver Interface Specification) packet processing path. A specially crafted packet triggers a buffer overflow in ndis.sys, bypassing kernel address space layout randomization (KASLR) and executing attacker‑controlled shellcode.

Technical Details

1. Trigger Vector – The flaw is triggered by sending a malformed Ethernet frame to the target's NIC. The packet contains an oversized option field that overflows a stack buffer in ndis!NdisAllocateMemoryWithTag.
2. Privilege Escalation – The overflow overwrites a function pointer used later in the driver’s interrupt routine. When the NIC processes the next interrupt, the overwritten pointer redirects execution to attacker‑supplied shellcode running at kernel level.
3. Bypass Mechanisms – The exploit leverages a race condition that disables Safe Exception Handling (SEH) checks, allowing the shellcode to run without triggering the kernel’s crash dump handler.
4. Impact Scope – Because the vulnerability is in a core networking component, it can be exploited over LAN, VPN, or any interface that passes raw Ethernet frames (e.g., virtual adapters used by Hyper‑V).
5. Detection – Indicators of compromise include abnormal ndis.sys crash dumps, unexpected outbound SMB traffic from a newly created SYSTEM service, and the presence of the string "CVE2026_4873" in memory dumps.

Mitigation Steps

1. Apply the Patch – Microsoft released security updates on 2026‑05‑14 (KB5029387 for Windows 10/11 and KB5029390 for Server 2022). Install via Windows Update, WSUS, or SCCM immediately.
2. Network‑Level Filtering – Block inbound Ethernet frames with malformed option lengths on edge firewalls and IDS/IPS. Signature available in the latest Snort/Suricata ruleset (SID 2401234).
3. Disable Unused NICs – Deactivate any network adapters that are not required, especially virtual adapters used for containers or Hyper‑V.
4. Enable Kernel Patch Protection (PatchGuard) – Ensure PatchGuard is active; it can mitigate exploitation attempts that try to modify kernel code.
5. Monitor for Anomalies – Deploy Sysmon with a rule set that logs CreateRemoteThread events from SYSTEM and monitor for new services created by svchost.exe.
6. Temporary Workaround – If patching cannot be performed immediately, set the registry key HKLM\SYSTEM\CurrentControlSet\Services\Ndis\Parameters\EnablePacketValidation to 1 to enforce stricter packet validation. This may impact performance on high‑throughput servers.

Timeline

• 2026‑04‑30 – Vulnerability discovered by an internal Microsoft Red Team.
• 2026‑05‑07 – Private disclosure to affected customers under MSRC NDA.
• 2026‑05‑13 – Public advisory published on the Microsoft Security Update Guide.
• 2026‑05‑14 – Security updates released (KB5029387, KB5029390).
• 2026‑05‑20 – CISA adds CVE‑2026‑4873 to its Known Exploited Vulnerabilities (KEV) catalog.

References & Resources

• Official Microsoft advisory: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2026-4873
• CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-cve-2026-4873
• Patch download (Windows Update Catalog): https://www.catalog.update.microsoft.com/Search.aspx?q=KB5029387
• Detection rule (Snort): https://snort.org/rules/2401234
• Guidance blog: https://techcommunity.microsoft.com/t5/security-compliance/how-to-mitigate-cve-2026-4873/ba-p/3987123

Take action now. The window for exploitation is open. Apply the patches, enforce network filters, and verify that your monitoring tools are tuned for the indicators above. Failure to remediate could result in a full system compromise.