Microsoft has released an emergency patch for CVE‑2026‑43352, a critical flaw that allows remote code execution on Windows 10 and Server 2022. All users must apply the update within 48 hours to prevent exploitation.
CVE‑2026‑43352: Critical Windows Vulnerability – Immediate Action Required
Impact
A flaw in the Windows kernel lets an attacker run arbitrary code with SYSTEM privileges. An attacker can compromise any machine that accepts network connections, including domain controllers and Azure‑connected servers.
Technical Details
The vulnerability resides in the DeviceIoControl handling of the \Device\PhysicalMemory driver. An attacker sends a specially crafted input that bypasses the normal bounds checking. The kernel then copies data from an untrusted buffer into a kernel‑mode buffer without proper validation. This leads to a classic out‑of‑bounds write.
The affected build numbers are:
- Windows 10 version 22H2 (build 22621.1x‑22621.6x)
- Windows Server 2022 (build 22621.1x‑22621.6x)
The flaw is rated CVSS v3.1 base score 9.8 (Critical). Exploitability is high because the attack surface is exposed over the network via the PhysicalMemory device interface.
Mitigation Steps
- Apply the security update. Download the latest cumulative update from the Microsoft Update Catalog or via WSUS. The update package is titled KB5501234.
- Disable the PhysicalMemory device if the system does not require direct physical memory access. Edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PhysicalMemory and set Start to 4 (disabled).
- Restrict network access to the affected devices. Use firewalls to block inbound traffic to the PhysicalMemory device interface.
- Enable Credential Guard on supported hardware. This isolates the kernel from user‑mode processes, reducing the impact of a kernel exploit.
- Monitor for suspicious activity. Look for unusual DeviceIoControl calls or kernel memory corruption events in the Windows Event Log.
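The mitigation steps above can be turned into a single per-host audit that a security team can push through its management tooling. The following PowerShell script is an added example and is not from the advisory or from Microsoft. It takes only the build range, the KB number and the registry key from the text above; the interpretation of "22621.1x" to "22621.6x" as update build revisions 10 through 69, the use of Get-HotFix to confirm the patch, and the event-log keyword search (the advisory names no event IDs) are assumptions of this example. It reports exposure, and only when run with -ApplyWorkaround does it set Start to 4, honouring -WhatIf.

```powershell
# Added example (not the advisory's or Microsoft's code): audit one host for
# CVE-2026-43352 exposure and, on request, apply the registry workaround from
# the mitigation steps. Run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$ApplyWorkaround   # set Start=4 on the PhysicalMemory service key
)

$Kb         = 'KB5501234'                                             # from the advisory
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PhysicalMemory' # from the advisory
# ASSUMPTION: "22621.1x" .. "22621.6x" means revisions 10 through 69.
$MinBuild   = [version]'10.0.22621.10'
$MaxBuild   = [version]'10.0.22621.69'

# 1. Is this host inside the affected build range?
$os      = Get-CimInstance Win32_OperatingSystem            # Version is e.g. 10.0.22621
$ubr     = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
$build   = [version]"$($os.Version).$ubr"
$inRange = ($build -ge $MinBuild) -and ($build -le $MaxBuild)

# 2. Is the fix already installed?
$patched = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

# 3. Is the PhysicalMemory device already disabled (Start = 4)?
$keyExists  = Test-Path $ServiceKey
$startValue = if ($keyExists) { (Get-ItemProperty -Path $ServiceKey).Start } else { $null }
$disabled   = ($startValue -eq 4)

# 4. Coarse event-log heuristic for the "monitor" step. ASSUMPTION: the advisory
#    gives no event IDs, so this only looks for the device or API name in
#    System-log messages from the last 24 hours; treat hits as leads, not proof.
$since    = (Get-Date).AddDays(-1)
$logHits  = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } `
              -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'PhysicalMemory|DeviceIoControl' })

$report = [pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Build           = $build
    InAffectedRange = $inRange
    PatchInstalled  = $patched
    DeviceKeyExists = $keyExists
    DeviceStart     = $startValue
    DeviceDisabled  = $disabled
    SuspectLogHits  = $logHits.Count
    Exposed         = $inRange -and -not $patched -and -not $disabled
}
$report | Format-List

# Apply the workaround only where it is needed and only if the key is present.
if ($ApplyWorkaround -and $report.Exposed -and $keyExists) {
    if ($PSCmdlet.ShouldProcess($ServiceKey, 'Set Start=4 (disable PhysicalMemory device)')) {
        # Keep the previous value in the output so the change can be reverted after patching.
        Write-Warning "Previous Start value was '$startValue'; record it before rebooting."
        Set-ItemProperty -Path $ServiceKey -Name Start -Value 4 -Type DWord
        Write-Warning 'PhysicalMemory device disabled; reboot required. Re-enable it after installing KB5501234 if the system needs it.'
    }
}
```

Run it first without -ApplyWorkaround to collect the Exposed column across the fleet, then with -ApplyWorkaround -WhatIf on a pilot group to see which hosts would change. The device is disabled only on hosts that are in range, unpatched and not already disabled, so re-running the script after KB5501234 has been deployed is safe.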
Timeline
- 2026‑05‑01 – Microsoft publishes the vulnerability advisory and release notes.
- 2026‑05‑02 – Patch KB5501234 becomes available through Windows Update.
- 2026‑05‑04 – Advisory urges immediate deployment; security teams are advised to prioritize affected servers.
- 2026‑05‑06 – Microsoft confirms widespread exploitation attempts in the wild.
Additional Resources
- Microsoft Security Advisory – CVE‑2026‑43352
- KB5501234 Update Package
- Windows Defender ATP – Detecting Kernel Exploits
Key Takeaway
Apply the patch immediately. The flaw permits remote code execution with SYSTEM privileges. Delay increases risk of compromise.