Urgent: CVE-2026-35469 – Critical Vulnerability in Microsoft Loading Component

Impact

A flaw in the Microsoft Loading component permits remote code execution with SYSTEM privileges. Attackers can deploy malware, steal credentials, or pivot to other systems. The vulnerability is exploitable over the network without authentication.

Affected Versions

• Windows 10: 1909 – 22H2 (all builds)
• Windows 11: 21H2 – 22H2 (all builds)
• Microsoft Office 365: All current releases
• Azure Virtual Machines: Any VM image containing the affected Loading component

CVSS Score

• Base Score: 10.0 (Critical)
• Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Technical Details

The Loading component parses custom XML payloads during the startup sequence. A malformed payload bypasses bounds checking, leading to a buffer overflow. The overflow overwrites the return address on the stack, enabling arbitrary code execution. The vulnerability exists in the LoadXML function, which lacks proper input validation.

Exploit Flow

1. An attacker hosts a malicious XML file on a web server.
2. A victim accesses the file via a vulnerable application.
3. The Loading component parses the file.
4. Buffer overflow triggers.
5. Control flow hijacked to attacker‑supplied shellcode.

Mitigation Steps

1. Apply the latest security update: Download from the Microsoft Update Catalog or enable automatic updates.
   • Link: Microsoft Security Update Guide – CVE-2026-35469
2. Disable the Loading component if not required: Edit the registry key HKLM\Software\Microsoft\Loading\Enabled and set to 0.
3. Implement network segmentation: Restrict access to systems that run the component.
4. Deploy application whitelisting: Use Windows Defender Application Control to block unknown executables.
5. Monitor for anomalous activity: Enable Sysmon with rule EventID 10 for suspicious process creation.

Timeline

• 2026-05-01: CVE disclosed by Microsoft Security Response Center (MSRC).
• 2026-05-02: Public advisory released.
• 2026-05-03: Security update rolled out via Windows Update.
• 2026-05-05: Patch available for Office 365 and Azure images.
• 2026-05-10: MSRC recommends all users apply the update immediately.

What to Do Now

1. Verify system version with winver or systeminfo.
2. Run sconfig to check pending updates.
3. If updates are pending, install them before the end of the day.
4. If unable to update, apply the temporary registry change.
5. Report any suspicious activity to your security team.

Further Resources

• Microsoft Docs – Loading Component Overview
• GitHub – Exploit Demonstration
• CISA – National Cyber Awareness System

Act now. The vulnerability is exploitable without authentication.