CVE‑2026‑42011 allows attackers to execute arbitrary code with SYSTEM privileges on vulnerable Windows 10, Server 2019, and later builds. The flaw scores 9.8 CVSS, is actively exploited, and requires immediate patching. Microsoft released patches on 2026‑03‑14; apply them now and enforce mitigations for unpatched systems.
Immediate Impact
A remote code execution (RCE) flaw in the Windows kernel (CVE‑2026‑42011) is being weaponized in the wild. Successful exploitation grants the attacker SYSTEM rights, enabling full control of the compromised host. The vulnerability affects:
- Windows 10 version 22H2 (build 19045 and later)
- Windows Server 2019 (build 17763 and later)
- Windows Server 2022 (build 20348 and later)
- Windows 11 (all current releases)
The CVSS v3.1 base score is 9.8 (Critical). Attackers can trigger the bug over the network without user interaction, using specially crafted SMB packets.
Technical Details
The flaw resides in the nt!IoCreateFile routine, which fails to properly validate the length of a user‑supplied buffer when processing an SMB2 CREATE request. An attacker can overflow the internal stack buffer, overwriting the return address and hijacking execution flow.
Key points:
- Trigger Vector: Malformed SMB2 CREATE request sent to the SMB server service (srv2.sys).
- Privilege Escalation: The overwritten return address points to a kernel payload that escalates to SYSTEM.
- Exploit Complexity: Low. Public proof‑of‑concept code was released on 2026‑02‑28.
- Impact Scope: Any machine with SMB enabled and reachable on the network is at risk.
Microsoft’s internal analysis shows the bug is a classic stack‑based buffer overflow caused by missing bounds checking in the SrvCreateFile handler.
Mitigation Steps
- Apply the Patch – Microsoft released security updates on 2026‑03‑14 (KB5029385). Install via Windows Update, WSUS, or SCCM immediately.
- Disable SMBv1 – If still enabled, turn it off: Set-SmbServerConfiguration -EnableSMB1Protocol $false
- Restrict SMB Access – Use firewall rules to limit inbound SMB (ports 445/139) to trusted subnets only.
- Enable Exploit Guard – Turn on the Network Protection rule set in Windows Defender Exploit Guard.
- Monitor for Indicators – Look for abnormal SMB CREATE requests in Event Viewer (Event ID 5145) and enable Sysmon with a rule for CreateFile events from srv2.sys.
If patching cannot be performed immediately, enable the Microsoft Defender for Endpoint (MDfE) Network Protection feature, which blocks known malicious SMB payloads.
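The mitigation steps above, combined into one added PowerShell remediation check (this is not code from the advisory or from Microsoft). It assumes the KB number, ports and Event ID quoted above; $TrustedSubnets is a placeholder to replace with your own ranges, and the script must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added remediation check for CVE-2026-42011 (not part of the original advisory).
$Kb             = 'KB5029385'
$TrustedSubnets = @('10.0.0.0/8', '192.168.1.0/24')   # placeholder: replace with your subnets

# 1. Verify the patch is installed; everything below is a stop-gap if it is not.
$patched = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
Write-Host ("{0} installed: {1}" -f $Kb, $patched)

# 2. Disable SMBv1 on the server side if it is still on.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 disabled'
}

# 3. Scope every enabled inbound allow rule for TCP 445/139 to the trusted subnets.
#    (Windows Firewall lets block rules win over allow rules, so narrowing the
#    existing allow rules is more reliable than adding a competing block rule.)
$smbRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter)
        $ports.Protocol -eq 'TCP' -and
        (($ports.LocalPort -contains '445') -or ($ports.LocalPort -contains '139'))
    }
$smbRules | Set-NetFirewallRule -RemoteAddress $TrustedSubnets
Write-Host ("Restricted {0} inbound SMB rule(s) to trusted subnets" -f @($smbRules).Count)

# 4. Turn on Defender Exploit Guard Network Protection (blocking mode).
Set-MpPreference -EnableNetworkProtection Enabled

# 5. Detection: summarise Event ID 5145 (network share object access) from the last
#    24 hours by source address, so an unusual talker to the SMB service stands out.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = $since } `
            -MaxEvents 5000 -ErrorAction SilentlyContinue
$events |
    ForEach-Object {
        if ($_.Message -match 'Source Address:\s+(\S+)') { $Matches[1] } else { 'unknown' }
    } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Name, Count |
    Format-Table -AutoSize
```

Run it again after the patch rolls out: step 1 should report True, and the per-source 5145 summary is the baseline to compare against when reviewing logs for the indicators above.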
Patch Deployment Timeline
| Date | Action |
|---|---|
| 2026‑03‑14 | Security update released (KB5029385) |
| 2026‑03‑21 | Microsoft advisory urges 48‑hour deployment for critical assets |
| 2026‑04‑01 | End of support for unpatched Windows 10 20H2 (no longer receives security updates) |
Organizations should aim to have the patch applied within 24 hours of release for any internet‑facing or high‑value systems.
References
- Official Microsoft Security Advisory: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2026-42011
- Patch download (KB5029385): https://support.microsoft.com/kb/5029385
- Exploit detection guidance: https://learn.microsoft.com/security/defender-endpoint/network-protection
Take action now. The window for undetected exploitation is closing fast. Apply the patch, tighten SMB controls, and verify remediation through logs.