Microsoft has issued a critical security update for Windows 10 21H2 and 22H2. The flaw, CVE‑2026‑43970, allows remote attackers to execute arbitrary code via a crafted network packet. Immediate patching is mandatory for all affected systems.
CVE‑2026‑43970: Remote Code Execution in Windows 10 21H2/22H2
Impact
A single malicious packet can trigger arbitrary code execution with SYSTEM privileges. Attackers can install malware, steal data, or pivot to other network assets.
Affected Products
- Windows 10 version 21H2 (Build 19044) and later
- Windows 10 version 22H2 (Build 19045) and later
- Windows 11 version 22H2 (Build 22621) and later
Technical Details
The vulnerability lies in the Windows Network Driver Interface Specification (NDIS) packet parsing routine. When a specially crafted TCP packet reaches the network stack, the driver miscalculates buffer boundaries, leading to a buffer overflow. The overflow overwrites the return address on the stack, allowing an attacker to redirect execution to injected shellcode. The flaw is exploitable over any network interface, including Ethernet, Wi‑Fi, and virtual adapters.
The CVSS v3.1 base score is 10.0 (Critical). The exploit requires no user interaction and can be triggered from a remote host.
Mitigation Steps
- Apply the latest cumulative update. Download from the Microsoft Update Catalog. The relevant KB is KB5028769.
- Verify installation. Run
sfc /scannowandDISM /Online /Cleanup-Image /RestoreHealthto ensure system integrity. - Restrict inbound traffic. Configure firewalls to block unused ports, especially TCP 445 and 139, which are commonly abused.
- Enable Windows Defender Exploit Guard. Turn on Attack Surface Reduction rules for network traffic.
- Monitor logs. Look for anomalous
Event ID 4624logins orEvent ID 5140file access after patching.
Timeline
- 2026‑04‑12: CVE disclosed by Microsoft Security Response Center (MSRC).
- 2026‑04‑15: Initial patch released for Windows 10 21H2 and 22H2.
- 2026‑04‑18: Patch extended to Windows 11 22H2.
- 2026‑04‑20: Advisory published on the Microsoft Security Update Guide.
What to Do Now
- Prioritize patching on all endpoints. Use SCCM, Intune, or WSUS to deploy KB5028769.
- Audit network devices for open SMB shares. Disable SMBv1 and enforce SMBv3 encryption.
- Educate users about phishing emails that may contain malicious attachments exploiting this flaw.
- Plan rollback procedures in case of update failures.
Further Resources
- Microsoft Security Update Guide – CVE‑2026‑43970
- KB5028769 Release Notes
- Windows Defender Exploit Guard Documentation
Stay vigilant. Apply the patch immediately to protect your organization from this high‑risk vulnerability.
Comments
Please log in or register to join the discussion