A critical remote code execution flaw in Microsoft Windows 10 and 11 allows attackers to gain full system control. Immediate patching and verification required.
CVE‑2026‑46156 – Remote Code Execution in Windows 10/11
Impact
A single crafted packet can execute arbitrary code with SYSTEM privileges on affected Windows 10 and 11 machines. The flaw resides in the Windows Kernel’s handling of SMB traffic. Attackers can compromise any device exposed to the network without user interaction.
Technical Details
The vulnerability stems from improper bounds checking in the SMBv3 protocol stack. When a malicious SMB request reaches the kernel, the packet is parsed without verifying the length of a nested structure. A crafted packet can overwrite the return address on the stack, redirecting execution to attacker‑controlled shellcode. The kernel’s memory protection mechanisms are bypassed because the exploit targets the privileged context of the SMB service.
- CVE ID: CVE‑2026‑46156
- Affected Products: Windows 10 21H2 and later, Windows 11 22H2 and later
- CVSS v3.1 Base Score: 9.8 (Critical)
- Attack Vector: Network
- Privileges Required: None
- User Interaction: None
- Impact: Full system compromise, data exfiltration, persistence
The flaw is exploitable via both IPv4 and IPv6. It does not require administrative credentials or local access. The SMB service is enabled by default on most domain controllers and file servers, making the attack surface large.
Mitigation Steps
- Apply the latest security update. Microsoft released a cumulative update on 2026‑05‑15 that patches the kernel SMB handler. Install the update immediately via Windows Update or WSUS.
- Update package: KB5029731
- Download: Microsoft Update Catalog
- Verify installation. Run
sfc /scannowandDISM /Online /Cleanup-Image /RestoreHealthto ensure the kernel image is intact. - Restrict SMB exposure. If possible, disable SMBv3 on external interfaces or place the affected hosts behind a firewall that blocks inbound SMB traffic.
- Enable SMB signing. This adds a cryptographic check to SMB packets, mitigating replay attacks.
- Monitor for anomalous activity. Use Sysmon or Windows Defender Advanced Threat Protection to detect suspicious SMB traffic patterns.
Timeline
- 2026‑05‑01: Vulnerability discovered by Microsoft Security Response Center.
- 2026‑05‑05: Public advisory released (MSRC‑2026‑46156).
- 2026‑05‑15: Cumulative update KB5029731 published.
- 2026‑05‑20: Patch deployed to 75% of enterprise endpoints.
Immediate Action Required
All administrators must confirm that KB5029731 is installed on every Windows 10/11 device. Devices without the patch are at imminent risk of compromise. If patching is delayed, enforce network segmentation and block SMB traffic from untrusted sources.
Further Resources
- Microsoft Security Update Guide – CVE‑2026‑46156
- KB5029731 Release Notes
- SMB Vulnerability Mitigation Guide
Stay vigilant. Apply the patch now to protect your organization from a critical, remotely exploitable flaw.
Comments
Please log in or register to join the discussion