Microsoft has issued an emergency patch for CVE-2026-46191, a remote code execution flaw affecting Windows 10 and 11. The flaw allows attackers to run arbitrary code with SYSTEM privileges via a crafted file. Immediate action required.
Critical Vulnerability CVE‑2026‑46191 Exposes Windows Users to Remote Code Execution
Impact
- Affected systems: Windows 10 version 22H2 and earlier, Windows 11 version 22H2 and earlier.
- Severity: CVSS v3.1 score 9.8 (Critical).
- Risk: Remote attackers can execute code with SYSTEM privileges by delivering a malicious file to a vulnerable user.
- Potential damage: Full system compromise, data exfiltration, ransomware deployment.
Technical Details
CVE‑2026‑46191 originates in the Windows Shell Execution Service. A malformed Shell Item file triggers an unchecked buffer copy in the ShellExecuteEx routine. The attacker crafts a file with a specially constructed LNK header that overflows a 512‑byte buffer, overwriting the return address. The overwritten address points to a ROP chain that grants SYSTEM access. The flaw exists in the Shell32.dll component, which is loaded by any process that processes a LNK file.
The vulnerability was discovered during a routine security audit of the Shell components. The patch applies a bounds check before copying the LNK data, eliminating the overflow.
Mitigation Steps
- Apply the patch immediately. Download the latest cumulative update from the Microsoft Update Catalog.
- Disable automatic file preview in File Explorer to reduce the attack surface. Set the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPreviewHandlersto1. - Restrict user privileges. Ensure users run only applications they need and avoid running as Administrator.
- Enable Windows Defender Exploit Guard. Turn on the Attack Surface Reduction rule Block executable files from running unless they are signed.
- Monitor for anomalous processes. Use Sysmon or similar logging to detect unexpected SYSTEM‑level activity.
Timeline
- 2026‑04‑12: Microsoft Security Response Center (MSRC) publishes advisory.
- 2026‑04‑13: CISA issues a joint alert urging immediate patching.
- 2026‑04‑15: Patch released in Windows Update.
- 2026‑04‑20: Advisory updated to include workarounds for systems that cannot update immediately.
Additional Resources
- Microsoft Security Advisory – CVE‑2026‑46191
- CISA Alert – Remote Code Execution in Windows Shell
- Windows Security Baseline – Hardening Guidance
Act now. Apply the patch, enforce least‑privilege policies, and monitor for suspicious activity. Failure to do so exposes your organization to immediate compromise.
Comments
Please log in or register to join the discussion