CVE‑2026‑8723 allows unauthenticated attackers to execute arbitrary code in kernel mode on Windows 10, Windows 11, Windows Server 2019 and 2022, and Azure Stack HCI. With a CVSS score of 9.8, immediate patching is required. This alert outlines affected versions, exploitation mechanics, and step‑by‑step mitigation.
Immediate Impact
A remote code execution flaw, CVE‑2026‑8723, has been assigned a CVSS v3.1 base score of 9.8 (Critical). The vulnerability lives in the Windows kernel’s handling of specially crafted I/O requests. An attacker who can reach a vulnerable system over the network can gain SYSTEM‑level privileges without user interaction.
What is at risk?
- Windows 10, version 1909 through 22H2 (22H2 is the final Windows 10 release)
- Windows 11, versions 22H2, 23H2 and 24H2
- Windows Server 2019, Windows Server 2022 and Azure Stack HCI
- All editions of the above that ship the affected kernel‑mode driver (`dxgkrnl.sys`)
Technical Details
The flaw is an integer overflow in the DXGKRNL driver’s handling of the IOCTL_DXGK_CREATE_CONTEXT request. When the buffer length field in the request exceeds 0x7FFFFFFF, the driver fails to validate the size before copying data from user space. The copy then overruns the kernel pool allocation and overwrites adjacent kernel structures, ultimately allowing control‑flow hijack.
Exploit Flow
- Recon – Attacker scans for open TCP ports 135/445 or uses SMB relay to reach the target.
- Payload Delivery – Sends a malformed IOCTL packet containing an over‑sized length field and malicious shellcode.
- Overflow Trigger – The driver sizes its pool allocation from the inflated length, and the subsequent copy from user space overruns the allocation into adjacent pool metadata.
- Arbitrary Write – The overwritten function pointer redirects execution to attacker‑controlled shellcode.
- Privilege Escalation – The shellcode runs in kernel mode, obtains a SYSTEM token for the attacker’s process and opens a reverse shell.
The vulnerability is wormable because the exploit does not require user interaction and can propagate via SMB shares. Microsoft has confirmed active exploitation in the wild, targeting enterprise networks with exposed RDP or VPN gateways.
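The length-handling bug described under Technical Details and in the Overflow Trigger step above, reduced to a user-mode model. This is an added example written for this alert, not dxgkrnl code and not Microsoft's patch: the request layout, the header size, the payload limit and the function names are all hypothetical. The vulnerable handler shows the two classic mistakes (a signed comparison that a length above 0x7FFFFFFF slips past, and an unchecked 32-bit addition that wraps), and the hardened handler shows the unsigned bound check and overflow-checked addition that the fix needs. Instead of performing the copy, each handler returns the allocation and copy sizes it would have used, so the overflow condition can be checked safely.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request layout for this demonstration; NOT the real
 * IOCTL_DXGK_CREATE_CONTEXT structure and NOT dxgkrnl's code. */
#define HEADER_SIZE  0x20u     /* bytes the handler prepends to the user payload */
#define MAX_PAYLOAD  0x10000u  /* largest payload the handler is meant to accept */

typedef struct {
    uint32_t alloc_size;  /* bytes the handler would allocate from the pool   */
    uint32_t copy_size;   /* bytes it would then copy in from user space      */
    int      rejected;    /* 1 if the request is refused before allocating    */
} copy_plan_t;

/* Vulnerable pattern: signed bound check plus an unchecked 32-bit addition. */
copy_plan_t plan_copy_vulnerable(uint32_t user_len)
{
    copy_plan_t p = {0, 0, 0};
    /* BUG 1: viewed as int32_t, any length >= 0x80000000 is negative and passes. */
    if ((int32_t)user_len > (int32_t)MAX_PAYLOAD) {
        p.rejected = 1;
        return p;
    }
    /* BUG 2: header + length wraps modulo 2^32, so the pool block can be tiny. */
    p.alloc_size = (uint32_t)(HEADER_SIZE + user_len);
    p.copy_size  = user_len;
    return p;
}

/* Overflow-checked addition, the same idea as RtlULongAdd in the WDK. */
static int checked_add_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return 0;          /* would wrap */
    *out = a + b;
    return 1;
}

/* Hardened pattern: unsigned bound check first, then checked arithmetic. */
copy_plan_t plan_copy_hardened(uint32_t user_len)
{
    copy_plan_t p = {0, 0, 0};
    uint32_t total;
    if (user_len > MAX_PAYLOAD || !checked_add_u32(HEADER_SIZE, user_len, &total)) {
        p.rejected = 1;
        return p;
    }
    p.alloc_size = total;
    p.copy_size  = user_len;
    return p;
}

/* 1 if the plan copies more bytes than it allocated (the pool-overflow condition)
 * or accepts a payload beyond the intended maximum (the bypassed bound). */
int plan_is_unsafe(copy_plan_t p)
{
    return !p.rejected && (p.copy_size > p.alloc_size || p.copy_size > MAX_PAYLOAD);
}

int main(void)
{
    /* A benign length, an honest oversize, and two lengths above 0x7FFFFFFF. */
    const uint32_t lens[] = { 0x100u, 0x20000u, 0x80000000u, 0xFFFFFFF0u };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        copy_plan_t v = plan_copy_vulnerable(lens[i]);
        copy_plan_t h = plan_copy_hardened(lens[i]);
        printf("len=0x%08X  vulnerable: %s (alloc=0x%08X copy=0x%08X)  hardened: %s\n",
               lens[i],
               v.rejected ? "rejected" : plan_is_unsafe(v) ? "UNSAFE  " : "ok      ",
               v.alloc_size, v.copy_size,
               h.rejected ? "rejected" : "ok");
    }
    return 0;
}
```

With length 0xFFFFFFF0 the vulnerable path allocates only 0x10 bytes and then plans to copy nearly 4 GiB, which is the overrun into adjacent pool memory; with 0x80000000 it allocates a huge block but has silently accepted a payload far beyond its own limit. The hardened path rejects both because it compares unsigned values against the limit before any arithmetic and refuses any addition that would wrap.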
Mitigation Steps
- Apply the Patch – Install the out‑of‑band security update released on May 20 2026 (KB5029355), available from the Microsoft Update Catalog. The update replaces the vulnerable driver with a hardened version that validates buffer lengths.
- Block Unnecessary Ports – Restrict inbound traffic on TCP 135, 445, and 3389 at the perimeter firewall. Use Zero‑Trust segmentation for internal SMB traffic.
- Enable Network Level Authentication (NLA) – For RDP, enforce NLA to require credential verification before a session is established.
- Deploy Windows Defender Exploit Guard (the successor to EMET) – Turn on Controlled Folder Access and the Attack Surface Reduction rule named in this alert as `BlockAbuseOfWindowsKernel` via Group Policy. Controlled Folder Access does not stop the kernel exploit itself; it limits the ransomware follow‑on activity this alert warns about.
- Monitor for Indicators of Compromise – Look for:
  - Unexpected `dxgkrnl.sys` crashes or restarts in Event Viewer (Event ID 1001).
  - New SYSTEM‑level processes with network listeners on uncommon ports.
  - SMB traffic from internal hosts to external IPs.
  - Activity in Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection) mapped to MITRE ATT&CK technique T1210, Exploitation of Remote Services.
Timeline
- May 12 2026 – Vulnerability reported to Microsoft via the MSRC Coordinated Disclosure Program.
- May 15 2026 – Private advisory issued to affected customers.
- May 18 2026 – Exploit code leaked on underground forums.
- May 20 2026 – Out‑of‑band security update (KB5029355) released.
- May 22 2026 – CISA adds CVE‑2026‑8723 to the Known Exploited Vulnerabilities (KEV) catalog.
What to Do Now
- Verify patch deployment on all Windows endpoints within 24 hours.
- Conduct a rapid asset inventory to confirm no legacy systems remain unpatched.
- Run a full Microsoft Defender scan with the latest definitions.
- Review firewall logs for anomalous SMB traffic from the past week.
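The firewall‑log review called for above (and the "SMB traffic from internal hosts to external IPs" indicator under Mitigation Steps) as a worked detection, written for this alert rather than taken from Microsoft or any vendor tooling. It is in C to match the other example on this page; in practice the same logic runs as a PowerShell or SIEM query. The sample lines are constructed for the example, not a real capture, and are laid out in the Windows Firewall `pfirewall.log` field order (date, time, action, protocol, source IP, destination IP, source port, destination port, and then size, TCP flags and path). A line is flagged when an allowed TCP connection goes from an RFC 1918 address to a public address on port 445 or 139.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lines in Windows Firewall pfirewall.log field order
 * (date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path).
 * Made up for this example; not a real capture. */
const char *SAMPLE_LOG[] = {
    "2026-05-21 09:14:02 ALLOW TCP 10.0.5.12 10.0.5.20 51234 445 52 S 1 0 65535 - - - SEND",
    "2026-05-21 09:14:09 ALLOW TCP 10.0.5.12 203.0.113.9 51240 445 52 S 1 0 65535 - - - SEND",
    "2026-05-21 09:14:11 ALLOW TCP 192.168.1.33 198.51.100.7 51301 139 52 S 1 0 65535 - - - SEND",
    "2026-05-21 09:14:15 ALLOW TCP 10.0.5.12 203.0.113.9 51244 443 52 S 1 0 65535 - - - SEND",
    "2026-05-21 09:14:20 DROP TCP 203.0.113.50 10.0.5.12 40000 445 52 S 1 0 65535 - - - RECEIVE",
};
const int SAMPLE_LOG_LEN = (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);

/* Parse a dotted quad into a host-order integer; 0 on malformed input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16. */
static int is_private_ipv4(uint32_t ip)
{
    return (ip >> 24) == 10u
        || (ip >> 20) == 0xAC1u    /* 172.16.0.0/12  */
        || (ip >> 16) == 0xC0A8u;  /* 192.168.0.0/16 */
}

/* 1 when the line records an allowed outbound SMB connection (445 or 139)
 * from a private address to a public one; 0 otherwise, including malformed lines. */
int is_suspicious_smb_line(const char *line)
{
    char date[16], time[16], action[8], proto[8], src[40], dst[40];
    unsigned sport, dport;
    uint32_t s_ip, d_ip;

    if (sscanf(line, "%15s %15s %7s %7s %39s %39s %u %u",
               date, time, action, proto, src, dst, &sport, &dport) != 8)
        return 0;                                   /* not a firewall log line */
    if (strcmp(action, "ALLOW") != 0 || strcmp(proto, "TCP") != 0)
        return 0;                                   /* blocked or non-TCP traffic */
    if (dport != 445 && dport != 139)
        return 0;                                   /* not SMB */
    if (!parse_ipv4(src, &s_ip) || !parse_ipv4(dst, &d_ip))
        return 0;                                   /* IPv6 or garbage addresses */
    return is_private_ipv4(s_ip) && !is_private_ipv4(d_ip);
}

/* Count the suspicious lines in an array of log lines. */
int count_suspicious_smb(const char **lines, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (is_suspicious_smb_line(lines[i]))
            hits++;
    return hits;
}

int main(void)
{
    for (int i = 0; i < SAMPLE_LOG_LEN; i++)
        if (is_suspicious_smb_line(SAMPLE_LOG[i]))
            printf("SUSPICIOUS: %s\n", SAMPLE_LOG[i]);
    printf("%d of %d lines flagged\n",
           count_suspicious_smb(SAMPLE_LOG, SAMPLE_LOG_LEN), SAMPLE_LOG_LEN);
    return 0;
}
```

Only the two outbound connections to public addresses on 445 and 139 are flagged; the internal‑to‑internal SMB session, the HTTPS connection to the same external host, and the dropped inbound probe are not. The inbound DROP is still worth a glance in a real review, since it shows who is scanning for port 445, but it is not the lateral‑movement signal this alert asks for.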
Failure to remediate promptly could result in full domain compromise, data exfiltration, and ransomware deployment. The window for safe operation is closing fast.
References
- Microsoft Security Update Guide entry for CVE‑2026‑8723
- CISA Known Exploited Vulnerabilities (KEV) Catalog entry for CVE‑2026‑8723
- KB5029355 in the Microsoft Update Catalog