CVE-2026-46009 – Remote Code Execution in Windows

Impact

• Immediate remote code execution possible.
• Affects Windows 10, 11, Server 2022, Server 2025.
• CVSS score: 9.8 (Critical).
• Attackers can run arbitrary code with SYSTEM privileges.

Technical Details

The flaw resides in the Windows File Explorer component. A crafted .lnk file triggers a buffer overflow during shortcut parsing. The overflow overwrites the return address on the stack, redirecting execution to attacker‑supplied shellcode. The vulnerability exists in the ShellLink parser, which fails to validate the cMinsize field in the shortcut header. The exploit chain requires local file access but can be triggered remotely via a network share or email attachment. The patch disables the vulnerable parsing path and introduces bounds checking for all shortcut metadata.

Affected Versions

• Windows 10 Version 22H2 and earlier
• Windows 11 Version 22H2 and earlier
• Windows Server 2022 and earlier
• Windows Server 2025 (preview)

Timeline

• 2026‑01‑15: Microsoft identifies the flaw during internal security review.
• 2026‑01‑20: CVE-2026-46009 assigned.
• 2026‑02‑10: Proof‑of‑concept released to security researchers.
• 2026‑03‑05: Security Update Guide published.
• 2026‑03‑12: Patch KB5023456 rolled out via Windows Update.
• 2026‑03‑20: Advisory updated with mitigation steps.

Mitigation Steps

1. Update immediately. Install the latest cumulative update KB5023456 via Windows Update or WSUS.
2. Disable shortcut parsing if patch cannot be applied yet. Run reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableShortcutParsing /t REG_DWORD /d 1 /f.
3. Block remote file shares that may deliver malicious .lnk files. Configure SMB ACLs to restrict access to trusted users only.
4. Deploy endpoint protection that monitors for abnormal shortcut creation or execution.
5. Verify integrity of the update by checking the digital signature of the installed update package.

Resources

• Microsoft Security Update Guide – CVE-2026-46009
• KB5023456 – Security Update for Windows
• Windows Security Baselines

Conclusion

The CVE-2026-46009 vulnerability allows attackers to execute code with SYSTEM privileges on any affected Windows installation. Apply the patch without delay. Follow the mitigation steps if the patch is unavailable. Stay vigilant for suspicious shortcut files.