Microsoft has released a critical security update addressing CVE-2026-23473, a severe vulnerability affecting multiple Windows versions that could allow remote code execution.
Microsoft has issued an urgent security update to address CVE-2026-23473, a critical vulnerability that poses significant risk to Windows systems worldwide. The vulnerability has been assigned a CVSS score of 9.8 out of 10, indicating its severe nature and potential for widespread exploitation.
The vulnerability affects Windows 10 version 1809 and later, Windows Server 2019 and later, and all versions of Windows 11. Microsoft reports that the flaw exists in the Windows Remote Procedure Call (RPC) service, which could allow an unauthenticated attacker to execute arbitrary code with system privileges on affected systems.
"This is a wormable vulnerability," stated Microsoft's Security Response Center. "An attacker who successfully exploits this vulnerability could take control of an affected system, including installing programs, viewing, changing, or deleting data, or creating new accounts with full user rights."
Technical Details
The vulnerability stems from improper input validation in the RPC runtime library. When processing specially crafted RPC requests, the affected systems fail to properly validate memory boundaries, leading to a heap-based buffer overflow condition. This overflow can be leveraged to execute arbitrary code in the context of the Local System account.
Microsoft has observed limited, targeted attacks exploiting this vulnerability in the wild. The company has not disclosed specific details about the attacks to prevent further exploitation while organizations deploy the necessary patches.
Affected Products
- Windows 10 version 1809 through 22H2
- Windows 11 version 21H2 and 22H2
- Windows Server 2019 and 2022
- Windows Server version 1809 and 2022
- Windows IoT Core version 1809 and later
Mitigation and Workarounds
Microsoft strongly recommends immediate installation of the security update. For organizations unable to immediately apply the patch, Microsoft suggests the following temporary mitigations:
- Block TCP ports 135, 139, 445 and UDP ports 137, 138 at network boundaries
- Enable Windows Firewall with Advanced Security rules to block inbound RPC traffic
- Consider disabling the RPC service if not required for business operations
Update Availability
The security update is available through Windows Update and the Microsoft Update Catalog. Enterprise customers can also obtain the update through Windows Server Update Services (WSUS) and System Center Configuration Manager.
Microsoft has provided detailed installation instructions and verification steps in the Security Update Guide. Organizations are advised to test the update in non-production environments before widespread deployment.
Timeline
- February 11, 2026: Microsoft received initial vulnerability report
- February 25, 2026: Patch development completed
- March 11, 2026: Security update released to public
- March 14, 2026: First reports of limited exploitation in the wild
Additional Resources
Organizations are urged to prioritize this update due to the critical severity rating and active exploitation. Microsoft will provide additional guidance as the situation develops.
Comments
Please log in or register to join the discussion