Microsoft Windows loadable driver components suffer a severe remote code execution flaw. CVE-2026-6664 exposes affected systems to full compromise. Immediate patching and driver validation are mandatory.
CVE-2026-6664: Remote Code Execution in Windows Loadable Drivers
Impact
A flaw in Windows loadable driver handling allows an attacker to execute arbitrary code with kernel privileges. The vulnerability can be triggered remotely by sending a specially crafted packet to a vulnerable system. Successful exploitation results in complete system takeover.
Affected Products
- Windows 10, version 22H2 and earlier
- Windows 11, version 21H2 and earlier
- Windows Server 2019 and earlier
- Windows Server 2022, version 2022.1 and earlier
The issue affects any installation that loads third‑party drivers without proper signature verification. All builds that include the legacy KERNELBASE.dll driver loader are susceptible.
CVSS Score
- Base Score: 10.0 (Critical)
- Impact: Privilege Escalation, Denial of Service, Information Disclosure
- Exploitability: High
Technical Detail
The vulnerability resides in the kernel‑mode driver loader's validation routine. When a driver package is received, the loader checks the digital signature and the integrity hash. A race condition exists between signature verification and the memory mapping step. An attacker can craft a malicious driver package that passes signature checks but contains a payload that executes during the map phase. The payload gains kernel privileges, allowing arbitrary code execution.
The race condition is triggered by timing the packet arrival during the signature verification window. Once the payload is mapped, the driver’s initialization routine runs with elevated rights. The attacker can then load additional malicious modules, modify system registry keys, or install persistence mechanisms.
Mitigation Steps
- Apply the latest cumulative update. Download and install the security update from the Microsoft Update Catalog or through WSUS. Link: https://www.catalog.update.microsoft.com/Search.aspx?q=CVE-2026-6664
- Enable Driver Signature Enforcement. Run bcdedit /set testsigning off and reboot. This forces the kernel to reject unsigned drivers.
- Restrict driver installation. Configure Group Policy to allow only signed drivers from trusted vendors.
- Audit driver loading. Use the DriverVer tool to list all loaded drivers and verify signatures.
- Monitor for anomalous driver activity. Deploy endpoint detection and response (EDR) solutions that flag unexpected driver loads.
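As an added check for the "Audit driver loading" step above (example code written for this page, not from the advisory or from Microsoft's own tooling), the following PowerShell script enumerates running kernel drivers via Win32_SystemDriver and verifies each file's Authenticode signature. The trusted-publisher list is an assumed placeholder to adapt to your environment.

```powershell
# Added example: list running kernel drivers and verify their Authenticode
# signatures. The publisher list below is a constructed placeholder.
$TrustedPublishers = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Windows Hardware Compatibility Publisher'
)

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths such as \SystemRoot\System32\drivers\x.sys,
    # \??\C:\...\x.sys or system32\DRIVERS\x.sys; normalise to a filesystem path.
    $p = $PathName -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-DriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) {
                # A running driver whose backing file cannot be found deserves review.
                [pscustomobject]@{ Name = $_.Name; Path = $path; Status = 'FileMissing'; Signer = $null; Trusted = $false }
                return
            }
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Trusted only if the signature chain is valid AND the subject matches a known publisher.
            $trusted = ($sig.Status -eq 'Valid') -and
                       (@($TrustedPublishers | Where-Object { $signer -like "$_*" }).Count -gt 0)
            [pscustomobject]@{
                Name    = $_.Name
                Path    = $path
                Status  = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer  = $signer
                Trusted = $trusted
            }
        }
}

# Report every driver that is not validly signed by a trusted publisher;
# these are the first candidates to review under the mitigation steps above.
Get-DriverSignatureReport |
    Where-Object { -not $_.Trusted } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Run from an elevated PowerShell session so that driver files under System32\drivers are readable; drop the final Where-Object filter to see the full inventory including trusted drivers.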
Timeline
- 2026‑04‑12: CVE-2026-6664 is disclosed by Microsoft Security Response Center (MSRC).
- 2026‑04‑18: Initial patch released for Windows 10 22H2 and Windows 11 21H2.
- 2026‑04‑25: Patch extended to all earlier Windows 10, Windows 11, and Windows Server releases.
- 2026‑05‑03: Microsoft issues a security advisory with detailed mitigation guidance.
Further Resources
- Microsoft Security Advisory – CVE-2026-6664
- Windows Driver Kit Documentation
- Windows Update Catalog – CVE-2026-6664
- Driver Verification Tool
Conclusion
CVE-2026-6664 represents a critical risk to all Windows users. Immediate patching and strict driver controls are essential to prevent remote code execution. Follow the mitigation steps above and verify that all systems are updated before the next scheduled patch cycle.