Urgent: CVE-2026-34956 – Microsoft Windows 10, 11 Vulnerability Exposes System to Remote Code Execution

Vulnerabilities Reporter

A critical remote code execution flaw in Microsoft Windows 10 and 11 allows attackers to execute arbitrary code with SYSTEM privileges. Affected builds from 1909 onward are vulnerable. Immediate patching and configuration changes are required.

CVE-2026-34956 – Critical Remote Code Execution in Windows 10/11

Impact

A single malicious payload can run with SYSTEM rights on any Windows 10 or 11 machine. Attackers can install malware, steal data, or pivot to other systems.

Affected Products

  • Windows 10, version 1909 and later, all builds
  • Windows 11, all builds
  • Windows Server 2019 and later

CVSS Score

  • Base Score: 9.8 (Critical)
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None

Technical Detail

The flaw lies in the Windows User Account Control (UAC) subsystem. A crafted COM object bypasses the integrity level check during the token‑impersonation step. When a user launches a benign application, the COM object injects a payload that escalates privileges without user consent.

The vulnerability is triggered by a specially crafted .lnk file placed in a shared folder. When a user opens the link, the UAC prompt is suppressed, and the payload executes with SYSTEM rights. The exploit chain requires only network access to the target machine.

Mitigation Steps

  1. Apply the latest cumulative update from the Microsoft Update Catalog. The patch is available for all affected builds.
  2. Disable the UAC prompt for COM objects by setting the registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0 as a temporary measure, then set it back to 1 after patching.
  3. Block inbound SMB traffic (ports 445, 139) from untrusted networks using firewalls or network segmentation.
  4. Enable Windows Defender Exploit Guard and set the Attack Surface Reduction rule "Block executable files from running unless they meet a trusted path requirement".
  5. Run a full system scan with the latest Microsoft Defender signatures.

Timeline

  • 2026‑04‑12 – CVE disclosed publicly by Microsoft Security Response Center (MSRC).
  • 2026‑04‑15 – Patch released via Windows Update.
  • 2026‑04‑20 – Advisory issued to IT departments.
  • 2026‑04‑25 – Microsoft recommends immediate patching.

How to Verify

After installing the update, run sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth. Verify that the registry value EnableLUA is set to 1. Ensure that no unauthenticated SMB shares are exposed.
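
One way to script the EnableLUA, share and SMB port checks from this section, as an added example that is not part of the advisory or any Microsoft tooling. The function name Test-AdvisoryHardening, the list of broad principals and the use of the Public firewall profile as a stand-in for untrusted networks are assumptions.

```powershell
# Added example (not from the advisory). Run in an elevated PowerShell session.
# Test-AdvisoryHardening is a hypothetical name; it returns a list of findings.
function Test-AdvisoryHardening {
    $findings = @()

    # 1. UAC must be switched back on after the temporary change (EnableLUA = 1).
    $uacKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -ne 1) {
        $findings += "EnableLUA is '$lua', expected 1"
    }

    # 2. Non-administrative shares that allow broad or anonymous principals.
    #    The principal list is an assumption; extend it for your environment.
    $broad = 'Everyone', 'ANONYMOUS LOGON', 'Guest', 'Guests'
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            $account = ($ace.AccountName -split '\\')[-1]   # drop DOMAIN\ or BUILTIN\ prefix
            if ("$($ace.AccessControlType)" -eq 'Allow' -and $broad -contains $account) {
                $findings += "Share '$($share.Name)' allows $($ace.AccountName) ($($ace.AccessRight))"
            }
        }
    }

    # 3. Enabled inbound allow rules for ports 445/139 that apply to the Public profile.
    #    Only exact port entries are matched; port ranges are not expanded.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { "$($_.Profile)" -match 'Any|Public' }
    foreach ($rule in $rules) {
        $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        if ($ports -contains '445' -or $ports -contains '139') {
            $findings += "Firewall rule '$($rule.DisplayName)' allows inbound $($ports -join ',') on $($rule.Profile)"
        }
    }

    return $findings
}

$result = Test-AdvisoryHardening
if ($result) {
    $result | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'EnableLUA, SMB share access and SMB firewall checks passed.'
}
```

The script only inspects the local host firewall and share ACLs; perimeter firewall rules and network segmentation still need to be reviewed separately.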

Further Resources

Act now. Apply the patch, lock down SMB, and verify UAC settings. Failure to do so exposes every Windows machine in the network to remote code execution.
