Microsoft has released a critical security update addressing CVE-2026-5290, a severe vulnerability affecting multiple Windows versions. The flaw allows remote code execution with system-level privileges.
Microsoft has issued an emergency security update to address CVE-2026-5290, a critical vulnerability in Windows operating systems that could allow attackers to execute arbitrary code with system-level privileges remotely.
The vulnerability affects Windows 10 versions 1809 through 22H2, Windows 11 versions 21H2 and 22H2, and Windows Server 2019 and 2022. Microsoft rates the severity as "Critical" with a CVSS score of 9.8 out of 10.
Technical Details
The flaw exists in the Windows Kernel Cryptography Driver (cng.sys), where improper input validation allows specially crafted requests to trigger memory corruption. Attackers could exploit this to gain SYSTEM-level access without authentication.
"This vulnerability could allow an attacker who successfully exploits it to run arbitrary code in kernel mode," Microsoft stated in its security advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Impact and Exploitation
While no active exploitation has been reported in the wild, security researchers note that the vulnerability's location in a core Windows component makes it particularly dangerous. The attack vector requires no user interaction and can be triggered remotely through network services.
Organizations running affected Windows versions should prioritize patching immediately. The vulnerability is wormable, meaning malware exploiting it could spread from vulnerable system to vulnerable system without user intervention.
Mitigation Steps
Microsoft has released the following security updates:
- KB5025239 for Windows 10 versions 1809 through 21H2
- KB5025240 for Windows 10 version 22H2
- KB5025241 for Windows 11 versions 21H2 and 22H2
- KB5025242 for Windows Server 2019 and 2022
Administrators can deploy these updates through Windows Update, WSUS, or Microsoft Endpoint Configuration Manager. Microsoft recommends testing updates in non-production environments before broad deployment.
Timeline
Microsoft became aware of the vulnerability on March 15, 2026, after receiving a report from an external security researcher. The company developed a patch within 72 hours and began rolling out the security updates on March 18, 2026.
Organizations unable to immediately apply patches should consider implementing network segmentation and monitoring for unusual kernel activity as temporary mitigations.
Additional Resources
Comments
Please log in or register to join the discussion