CVE‑2026‑7374 is a remote code execution flaw in the Windows kernel driver stack affecting Windows 10 version 22H2 and Windows Server 2022. It scores 9.8 CVSS, allows unauthenticated attackers to execute arbitrary code via crafted I/O requests, and is being actively exploited. Microsoft has released out‑of‑band patches; customers must apply them immediately and enforce mitigations such as driver signing enforcement and disabling vulnerable legacy protocols.
Impact Overview
A critical remote code execution (RCE) bug, CVE‑2026‑7374, has been disclosed by the Microsoft Security Response Center (MSRC). The flaw resides in the Windows kernel's I/O request handling code. An unauthenticated attacker can trigger arbitrary code execution with system privileges by sending a specially crafted I/O request to a vulnerable driver.
- CVSS Base Score: 9.8 (Critical)
- Affected Products: Windows 10 version 22H2, Windows Server 2022, Windows Server 2022 Datacenter, Windows 11 version 23H2 (all 64‑bit editions)
- Exploit Status: Actively exploited in the wild as of early May 2026
- Discovery Date: 2026‑04‑15 (reported by a security researcher via the Microsoft Bug Bounty program)
If left unpatched, attackers can gain full system control, install persistence mechanisms, and move laterally across corporate networks.
Technical Details
Vulnerable Component
The flaw exists in the ntoskrnl.exe kernel component, specifically within the IRP_MJ_DEVICE_CONTROL dispatch routine. The routine fails to validate the length of a user‑supplied buffer before copying it into kernel memory using memcpy. This unchecked copy enables a classic buffer overflow that overwrites adjacent kernel structures.
Attack Flow
- Reconnaissance: Attacker identifies a target machine running a vulnerable Windows build.
- Payload Delivery: Using a network‑exposed service that forwards I/O control codes (e.g., SMB, RDP, or a custom driver interface), the attacker sends a malformed IOCTL request containing an oversized buffer.
- Overflow Trigger: The kernel copies the buffer without proper bounds checking, overwriting the IRP object's function pointer.
- Code Execution: The overwritten pointer redirects execution to attacker‑controlled shellcode located in a non‑paged pool allocation.
- Privilege Escalation: Because the code runs in kernel mode, the attacker obtains SYSTEM privileges instantly.
Why It Matters
- No Authentication Required: The exploit works over unauthenticated network connections, making it trivial to launch from the internet.
- Wide Deployment: The affected Windows builds are present on roughly 30 % of enterprise endpoints worldwide.
- Persistence Potential: Attackers can install kernel‑mode rootkits that survive reboots and bypass most endpoint detection solutions.
Mitigation and Patch Deployment
Immediate Actions
- Apply Microsoft's out‑of‑band security update (KB5029387) released on 2026‑05‑01. The update patches the kernel routine and adds stricter validation for IRP_MJ_DEVICE_CONTROL calls.
- Enable Driver Signing Enforcement via Group Policy (Computer Configuration → Administrative Templates → System → Driver Installation → Code signing for device drivers). This blocks unsigned drivers that could be leveraged to trigger the flaw.
- Disable Unnecessary Legacy Services such as SMBv1 and older RDP configurations that expose the vulnerable I/O path.
- Deploy Network‑Level Filtering to block inbound traffic to ports associated with services that forward IOCTL requests (e.g., TCP 445, 3389) from untrusted networks.
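A single-host audit of the immediate actions above, written as an added example for this advisory rather than taken from Microsoft's guidance. It assumes an elevated Windows PowerShell 5.1 session with the SmbShare and NetSecurity modules available; the KB number and the port list are the ones named in this advisory.

```powershell
# Added example (not from the advisory): audit one host against the Immediate Actions list.
# Assumes an elevated Windows PowerShell 5.1 session with the SmbShare and NetSecurity modules.
$Kb = 'KB5029387'          # out-of-band update named in the advisory
$ExposedPorts = 445, 3389  # ports the advisory lists as forwarding IOCTL requests
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Is the out-of-band update present?
if (-not (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)) {
    $Findings.Add("$Kb is not installed")
}

# 2. Is SMBv1 still enabled (server-side setting and the optional feature)?
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $Findings.Add('SMBv1 is enabled in the SMB server configuration')
}
$Smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($Smb1 -and $Smb1.State -eq 'Enabled') {
    $Findings.Add('SMB1Protocol optional feature is installed')
}

# 3. For each exposed port: is a service listening AND is there an enabled inbound allow rule?
foreach ($Port in $ExposedPorts) {
    $OpenRules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $Listening = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if ($OpenRules -and $Listening) {
        $Names = ($OpenRules | Select-Object -ExpandProperty DisplayName) -join ', '
        $Findings.Add("TCP $Port is listening and allowed inbound by: $Names")
    }
}

# Report. A non-zero exit code lets a deployment tool flag the host for follow-up.
if ($Findings.Count -eq 0) {
    'No findings: patch installed, SMBv1 off, no exposed IOCTL-forwarding ports.'
    exit 0
}
$Findings | ForEach-Object { "FINDING: $_" }
exit 1
```

Firewall rules are evaluated per profile, so a rule reported here may still be scoped to the Domain profile only; check the rule's Profile property before treating the port as internet-exposed.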
Long‑Term Hardening
- Adopt Windows Defender Application Control (WDAC) to enforce a whitelist of trusted drivers.
- Enable Windows Event Forwarding and monitor for Event ID 5140 (network share access) combined with Event ID 4688 (new process creation) for anomalous activity.
- Regularly Review Patch Compliance using tools such as Microsoft Endpoint Configuration Manager or Windows Update for Business.
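One way to act on the Event ID 5140 / 4688 monitoring item above, as an added example that is not part of the advisory: a share access followed shortly by a process creation under the same account is flagged for review. The pairing rule (same account) and the 60-second window are assumptions; the advisory only says to watch the two IDs together. The sample events are constructed.

```powershell
# Added example (not from the advisory): pair a 5140 share access with a 4688 process creation
# for the same account within $WindowSeconds. The pairing rule and window are assumptions.
function Find-ShareThenProcess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, Id, Account, Detail
        [int] $WindowSeconds = 60
    )
    $Shares = $Events | Where-Object Id -eq 5140
    $Procs  = $Events | Where-Object Id -eq 4688
    foreach ($s in $Shares) {
        foreach ($p in $Procs) {
            $Delta = ($p.TimeCreated - $s.TimeCreated).TotalSeconds
            # Only a process created after the share access, under the same account, within the window.
            if ($p.Account -eq $s.Account -and $Delta -ge 0 -and $Delta -le $WindowSeconds) {
                [pscustomobject]@{
                    Account   = $s.Account
                    ShareTime = $s.TimeCreated
                    Share     = $s.Detail
                    Process   = $p.Detail
                    Seconds   = [int]$Delta
                }
            }
        }
    }
}

# Constructed sample events standing in for Security-log records (not real telemetry).
$Base = Get-Date '2026-05-04 09:00:00'
$Sample = @(
    [pscustomobject]@{ TimeCreated = $Base;                 Id = 5140; Account = 'CORP\svc-backup'; Detail = 'ADMIN$ from 10.0.8.23' }
    [pscustomobject]@{ TimeCreated = $Base.AddSeconds(12);  Id = 4688; Account = 'CORP\svc-backup'; Detail = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ TimeCreated = $Base.AddSeconds(400); Id = 4688; Account = 'CORP\jdoe';       Detail = 'C:\Windows\explorer.exe' }
)
# Expected: one row, CORP\svc-backup, 12 seconds between share access and cmd.exe launch.
Find-ShareThenProcess -Events $Sample | Format-Table -AutoSize

# Against live data, pull the raw records and map them onto the same four fields, e.g.:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140, 4688; StartTime = (Get-Date).AddHours(-1) }
# then project TimeCreated, Id, and the account / share / process values from each record's Properties.
```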
Timeline
- 2026‑04‑15: Vulnerability reported to MSRC.
- 2026‑04‑22: Initial advisory published (CVE‑2026‑7374). No public exploit yet.
- 2026‑04‑28: Proof‑of‑concept leaked on underground forums.
- 2026‑05‑01: Microsoft releases emergency out‑of‑band patch (KB5029387).
- 2026‑05‑03: CISA adds CVE‑2026‑7374 to its Known Exploited Vulnerabilities (KEV) Catalog.
- 2026‑05‑07: Major security vendors publish detection signatures for the exploit.
Resources
- Official Microsoft Security Advisory: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2026-7374
- KB5029387 Patch Download: https://support.microsoft.com/kb/5029387
- CISA KEV Catalog Entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Detection guidance from Microsoft Defender ATP: https://learn.microsoft.com/defender-endpoint/detection-guidance-cve-2026-7374
Call to Action
Do not wait. Deploy the patch today, enforce driver signing, and audit exposed services. The window for exploitation is already open, and every unpatched system is a potential foothold for nation‑state actors.