Microsoft has released a critical patch for CVE-2026-4891, a remote code execution flaw in the SMBv3 protocol on Windows 10. The vulnerability carries a CVSS score of 9.8. All affected systems must apply the update immediately. Read the full guidance below.
CVE-2026-4891 – Remote Code Execution in Windows 10 SMB
Impact
- Affected: Windows 10, version 22H2 and earlier, SMBv3 service.
- Severity: CVSS 9.8 (Critical).
- Risk: An attacker can execute arbitrary code with SYSTEM privileges by sending a crafted SMB packet.
- Timeline: Public disclosure on 2026‑04‑12. Patch released 2026‑04‑18.
Technical Details
The flaw lies in the handling of the SMB_COM_TRANSACTION2 request. A malformed TreeConnect packet bypasses the authentication check, allowing an unauthenticated remote host to trigger a stack buffer overflow. The overflow lands in the kernel, granting the attacker full control of the host. The exploit chain requires only network access to the target’s SMB port (TCP 445) and no credentials.
Mitigation Steps
- Apply the patch. Download the latest cumulative update for Windows 10 from the Microsoft Update Catalog: KB500XXXX.
- Disable SMBv3 if the service is not required. Run
Set-SmbServerConfiguration -EnableSMB2Protocol $falsein PowerShell. - Block inbound SMB traffic on the perimeter firewall. Allow only trusted IP ranges.
- Deploy endpoint protection that blocks anomalous SMB packets. Use Microsoft Defender ATP or a comparable solution.
- Verify that the patch applied by checking the registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Security\KB500XXXX.
Additional Resources
- Microsoft Security Update Guide – CVE‑2026‑4891
- SMB Vulnerability Exploit Guide
- Windows Update Catalog – KB500XXXX
Conclusion
The CVE‑2026‑4891 flaw presents a high‑risk vector for attackers. Immediate patching and network hardening are mandatory. Monitor Microsoft advisories for any follow‑up patches or additional mitigations.
Comments
Please log in or register to join the discussion