Microsoft has disclosed CVE‑2026‑6637, a remote code execution flaw in the Windows kernel affecting all supported Windows 10, Windows Server 2019, and Windows 11 releases. The vulnerability has a CVSS score of 9.8, is being actively exploited, and requires immediate patching or mitigation.
Immediate Impact
A new remote code execution (RCE) vulnerability, CVE‑2026‑6637, has been published in the Microsoft Security Response Center (MSRC) Security Update Guide. The flaw allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges on vulnerable Windows installations. Exploits are already observed in the wild.
Technical Details
- Vulnerability Type: Memory corruption in the kernel's `NtUserMessageCall` handling routine.
- CVE Identifier: CVE‑2026‑6637
- CVSS v3.1 Base Score: 9.8 (Critical)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Affected Components: Windows kernel (ntoskrnl.exe) and Win32k subsystem.
- Root Cause: Improper validation of user‑supplied data passed to the `NtUserMessageCall` API. The function fails to check the size of a crafted input buffer, leading to a stack‑based buffer overflow.
- Exploitation Path: An attacker can deliver a malicious payload via a specially crafted network packet to the SMB service, or via a malicious document opened in a vulnerable application that triggers the kernel call. No user interaction beyond opening a network connection is required.
- Impact: Full system compromise, data exfiltration, ransomware deployment, or creation of persistent backdoors.
Affected Products and Versions
| Product | Versions Affected |
|---|---|
| Windows 10 | 22H2, 21H2, 20H2, 1909 |
| Windows 11 | 22H2, 23H2 |
| Windows Server 2019 | All releases |
| Windows Server 2022 | All releases |
| Windows 10 IoT Enterprise | 22H2 |
All editions (Home, Pro, Enterprise, Education) are impacted. The vulnerability does not affect Windows Server 2016 or earlier, nor does it affect Windows 7 or Windows Server 2008 R2, which are already out of support.
Mitigation Steps
- Apply the out‑of‑band patch released on 2026‑05‑14 (KB5029356). Download from the Microsoft Update Catalog.
- Enable Windows Defender Exploit Guard with the "Network protection" rule set to block inbound connections to untrusted IPs.
- Restrict SMB traffic: Use firewall rules to limit SMB (ports 445, 139) to trusted subnets only.
- Disable legacy protocols: Turn off SMBv1 via Group Policy or PowerShell (`Set-SmbServerConfiguration -EnableSMB1Protocol $false`).
- Apply Application Guard for Office files if the vector is document‑based.
- Monitor Event Logs: Look for Event ID 4688 with `ntoskrnl.exe` as the parent process and unusual command‑line arguments.
- Deploy Network Intrusion Detection signatures: Add the Snort/Suricata rule `alert tcp any any -> any 445 (msg:"CVE-2026-6637 exploit"; flow:to_server,established; content:"|90 90 90|"; depth:3; sid:2026637;)` to your IDS/IPS (Snort rule syntax expresses binary content as pipe‑delimited hex, not `\x` escapes).
If patching cannot be performed immediately, isolate affected systems from the internet and enforce strict outbound filtering.
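As an added example, not tooling from Microsoft or from the advisory, the following PowerShell script checks a host against the mitigation steps above: it uses `Get-HotFix` (the supported replacement for the `wmic qfe` query) to confirm KB5029356, reads the server‑side SMBv1 setting, and flags inbound firewall rules that allow TCP/445 from any remote address. `$TrustedSubnets` is a placeholder that must be replaced with your own ranges; remediation only runs when `-Remediate` is passed.

```powershell
# Added example, not Microsoft's or the advisory's own tooling. KB5029356 is
# the patch ID from the advisory; $TrustedSubnets is a placeholder to replace.
param(
    [string]$PatchId = 'KB5029356',
    [string[]]$TrustedSubnets = @('10.0.0.0/8'),   # placeholder, adjust
    [switch]$Remediate
)

function Get-Cve20266637Status {
    # 1. Out-of-band update present? (Get-HotFix replaces the deprecated wmic qfe)
    $patch = Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue
    # 2. SMBv1 still enabled on the server side?
    $smb = Get-SmbServerConfiguration
    # 3. Inbound allow rules that expose TCP/445 to any remote address.
    $openSmb = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445') -and
                ($af.RemoteAddress -contains 'Any')
        }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PatchInstalled = [bool]$patch
        Smb1Enabled    = $smb.EnableSMB1Protocol
        OpenSmbRules   = @($openSmb)
        Compliant      = [bool]$patch -and -not $smb.EnableSMB1Protocol -and -not $openSmb
    }
}

$status = Get-Cve20266637Status
$status | Select-Object ComputerName, PatchInstalled, Smb1Enabled, Compliant | Format-List

# Remediation is opt-in; the update itself still has to be installed from the Update Catalog.
if ($Remediate -and -not $status.Compliant) {
    if ($status.Smb1Enabled) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    foreach ($rule in $status.OpenSmbRules) {
        # Narrow each wide-open SMB allow rule to the trusted subnets rather than
        # adding a block rule, because a block rule for 'Any' would also override the allow.
        $rule | Set-NetFirewallRule -RemoteAddress $TrustedSubnets
    }
    if (-not $status.PatchInstalled) {
        Write-Warning "$PatchId is not installed; apply it from the Microsoft Update Catalog."
    }
}
```

Run it once without `-Remediate` to get the report, review the `OpenSmbRules` list, then rerun with `-Remediate` from an elevated session.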
Timeline
- 2026‑05‑10: Initial discovery by an independent security researcher (reported to MSRC under CVE‑2026‑6637).
- 2026‑05‑12: Microsoft confirms vulnerability, begins internal analysis.
- 2026‑05‑13: Exploit code observed in the wild targeting corporate networks.
- 2026‑05‑14: Out‑of‑band security update (KB5029356) released. Advisory published on the Microsoft Security Update Guide.
- 2026‑05‑15: CISA adds CVE‑2026‑6637 to the Known Exploited Vulnerabilities (KEV) catalog.
- 2026‑05‑20: Recommended patch compliance deadline for federal agencies.
What to Do Next
- Verify patch status with `wmic qfe list brief /format:table | find "KB5029356"`.
- Run the Microsoft Baseline Security Analyzer (MBSA) to confirm no other critical patches are missing.
- Update your incident response playbook to include detection of the `NtUserMessageCall` exploitation pattern.
- Communicate the urgency to all stakeholders; the window for exploitation is already open.