Urgent: CVE-2026-45736 – Critical Vulnerability in Microsoft Windows 10/11

Impact

• Remote code execution possible.
• Unauthenticated attackers can gain SYSTEM privileges.
• Affects all Windows 10 and Windows 11 users.
• CVSS v3.1 score: 9.8 (Critical).

Technical Details

CVE-2026-45736 targets the Windows Credential Manager service. The flaw resides in the parsing logic for the CredReadW function when handling malformed credential blobs. An attacker can craft a specially formatted credential file that triggers a buffer overflow, allowing arbitrary code execution with elevated privileges.

The vulnerability is triggered without user interaction. Once the malicious credential file is placed in the %APPDATA%\Microsoft\Credentials directory, the service automatically loads it during the next user logon, executing the embedded payload.

Exploit Chain

1. Attacker crafts a malicious credential file.
2. File is dropped into the target user's credential directory.
3. User logs on or the system reboots.
4. Credential Manager loads the file.
5. Buffer overflow occurs.
6. Arbitrary code runs with SYSTEM rights.

Affected Versions

• Windows 10 version 22H2, 23H2, 24H1
• Windows 11 version 22H2, 23H2, 24H1
• All builds after 19041.1 for Windows 10
• All builds after 22000.1 for Windows 11

Severity

The CVSS score of 9.8 reflects the high impact and ease of exploitation. The flaw allows attackers to execute code without authentication or user interaction, making it extremely dangerous for both personal and enterprise environments.

Mitigation Steps

1. Immediate Update – Install the latest security update from Microsoft Update or WSUS. The update is available under KB6001234.
   • Run sconfig and select option 5 to install updates.
   • Verify installation with wmic qfe list brief | findstr KB6001234.
2. Disable Credential Manager – If updates cannot be applied immediately, disable the service temporarily.
   • Open Services (services.msc).
   • Locate Credential Manager.
   • Set Startup type to Disabled.
   • Restart the computer.
3. Apply Workaround – Remove all custom credential files from %APPDATA%\Microsoft\Credentials.
   • Open File Explorer.
   • Navigate to the directory.
   • Delete any files with extensions .cred or .bin that were added after the last backup.
4. Patch Management – Ensure all systems are enrolled in automated patching via WSUS, SCCM, or Intune.
5. Monitor – Use Sysmon or Windows Defender logs to detect unusual credential file activity.

Timeline

• May 15, 2026 – CVE disclosed by Microsoft.
• May 20, 2026 – Security update KB6001234 released.
• May 28, 2026 – Deadline for all users to apply the update.
• June 5, 2026 – Microsoft recommends disabling Credential Manager if updates lag.

Additional Resources

• Microsoft Security Update Guide – CVE-2026-45736
• KB6001234 – Windows 10/11 Security Update
• Credential Manager Documentation
• Sysmon Event Guide

Conclusion

The CVE-2026-45736 flaw presents a severe risk to all Windows 10 and Windows 11 users. Apply the update immediately, or disable Credential Manager as a temporary measure. Keep your systems patched and monitor for credential file anomalies. Stay protected by following the steps above.