Microsoft has released a critical security update addressing CVE-2026-26122, a severe vulnerability affecting multiple Windows versions. Users must apply patches immediately to prevent potential exploitation.
Microsoft has issued an urgent security update to address CVE-2026-26122, a critical vulnerability that could allow remote code execution on affected systems. The vulnerability has been assigned a CVSS score of 9.8 out of 10, indicating its severe nature and the immediate risk it poses to organizations and individual users.
The vulnerability affects Windows 10 version 1809 and later, Windows Server 2019 and later, and all supported versions of Windows 11. Microsoft reports that the flaw exists in the Windows Remote Procedure Call (RPC) service, which could allow an unauthenticated attacker to execute arbitrary code with system privileges.
"This is a wormable vulnerability," stated a Microsoft security spokesperson. "An attacker who successfully exploits this vulnerability could take control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights."
Technical Details
The vulnerability stems from improper input validation in the RPC runtime library. When processing specially crafted RPC requests, the affected systems fail to properly handle memory allocation, leading to a buffer overflow condition. This overflow can be leveraged by attackers to execute arbitrary code in the context of the Local System account.
Microsoft has observed limited, targeted attacks exploiting this vulnerability in the wild. The company has not disclosed specific details about the attacks but confirmed they are being conducted by an advanced persistent threat (APT) group believed to be operating from Eastern Europe.
Affected Products
- Windows 10 version 1809, 1903, 1909, 2004, 20H2, 21H1, 21H2, 22H2
- Windows Server 2019, 2022
- Windows 11 version 21H2, 22H2
- Windows 11 IoT Enterprise
Mitigation and Workarounds
Microsoft strongly recommends immediate installation of the security updates released on March 11, 2026. The patches are available through Windows Update and the Microsoft Update Catalog.
For organizations unable to immediately apply patches, Microsoft has provided the following temporary mitigations:
- Block TCP ports 135, 139, 445, and 49152-65535 at network boundaries
- Disable the RPC service if not required for business operations
- Implement network segmentation to isolate critical systems
- Enable Windows Defender Exploit Guard with network protection
Timeline
- March 8, 2026: Microsoft received initial report of the vulnerability
- March 9, 2026: Microsoft confirmed the severity and began developing patches
- March 10, 2026: Patches completed and tested
- March 11, 2026: Security updates released to the public
Detection and Response
Organizations should monitor their systems for indicators of compromise, including:
- Unusual RPC traffic patterns
- Unauthorized service creation
- Suspicious process execution with SYSTEM privileges
- Network connections to known malicious IP addresses
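As an added illustration of the indicator list above (example code written for this page, not Microsoft's guidance or tooling), the script below runs two of the listed checks over constructed, flattened event lines: service creation (Event ID 7045) from a binary outside System32, and SYSTEM-level process creation (Event ID 4688) where a shell or loader is started by an unexpected parent. The field names, watchlists and sample events are assumptions; a real SIEM export will differ in layout.

```python
import re
from typing import Dict, List

# Constructed sample events in a flattened key=value form (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=7045 Channel=System ServiceName=UpdSvc ImagePath=C:\\Windows\\Temp\\upd.exe",
    "EventID=7045 Channel=System ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=4688 Channel=Security SubjectUserName=SYSTEM NewProcessName=C:\\Windows\\System32\\cmd.exe ParentProcessName=C:\\Windows\\System32\\svchost.exe",
    "EventID=4688 Channel=Security SubjectUserName=SYSTEM NewProcessName=C:\\Windows\\System32\\svchost.exe ParentProcessName=C:\\Windows\\System32\\services.exe",
    "EventID=4688 Channel=Security SubjectUserName=alice NewProcessName=C:\\Windows\\System32\\cmd.exe ParentProcessName=C:\\Windows\\explorer.exe",
]

# Watchlists are assumptions for this example, not values from the advisory.
TRUSTED_SERVICE_DIR = "c:\\windows\\system32\\"
WATCHED_BINARIES = {"cmd.exe", "powershell.exe", "rundll32.exe"}
EXPECTED_SYSTEM_PARENTS = {"services.exe", "wininit.exe"}
_FIELD = re.compile(r"(\w+)=(\S+)")  # values in these samples contain no spaces


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a field dictionary."""
    return dict(_FIELD.findall(line))

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def check_event(ev: Dict[str, str]) -> str:
    """Return an alert string for one event, or '' when nothing matched."""
    if ev.get("EventID") == "7045":
        # Service creation: flag a service binary living outside System32.
        if not ev.get("ImagePath", "").lower().startswith(TRUSTED_SERVICE_DIR):
            return f"service {ev.get('ServiceName')} installed from {ev.get('ImagePath')}"
    elif ev.get("EventID") == "4688" and ev.get("SubjectUserName") == "SYSTEM":
        # SYSTEM process creation: flag a shell/loader started by an unexpected parent.
        child = basename(ev.get("NewProcessName", ""))
        parent = basename(ev.get("ParentProcessName", ""))
        if child in WATCHED_BINARIES and parent not in EXPECTED_SYSTEM_PARENTS:
            return f"SYSTEM ran {child} under {parent}"
    return ""

def scan(lines: List[str]) -> List[str]:
    """Run every line through check_event and keep the non-empty alerts."""
    return [a for a in (check_event(parse_event(line)) for line in lines) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Running it prints two alerts for the constructed input: the service installed from the Temp directory and cmd.exe launched as SYSTEM under svchost.exe; the Spooler service and the user-launched shell pass.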
Microsoft has updated its Defender antivirus definitions to detect and block exploitation attempts. Security teams should ensure their antivirus signatures are current and enable enhanced logging for RPC-related events.
Additional Resources
Microsoft will host a technical webinar on March 15, 2026, to provide additional details about the vulnerability and answer questions from security professionals. Registration is available through the Microsoft Security Response Center website.
Security researchers are encouraged to report any additional findings related to this vulnerability through Microsoft's coordinated vulnerability disclosure program. The company has offered a bounty of up to $250,000 for information leading to the identification of additional exploitation techniques or mitigations.