Microsoft’s Loading component suffers a critical flaw (CVE‑2026‑6253) that allows remote code execution. Affected versions span Windows 10 1909 through 22H2. CVSS score 9.8. Immediate patching required. Follow the steps below to mitigate.
CVE‑2026‑6253 – Remote Code Execution in Microsoft Loading
Impact
A remote attacker can execute arbitrary code on affected Windows systems by exploiting a flaw in the Loading component. The vulnerability is exploitable over the network without authentication. Successful exploitation grants full system control to the attacker.
Affected Software
- Windows 10 version 1909 through 22H2, inclusive
- Windows 11 version 21H2 through 22H2, inclusive
- Windows Server 2016, 2019, 2022
Microsoft lists the affected builds in the Security Update Guide.
CVSS Score
- Base score: 9.8 (Critical)
- Attack vector: Network
- Privileges required: None
- User interaction: None
Technical Details
The flaw resides in the way the Loading component parses specially crafted DLL files. An attacker can place a malicious DLL in a directory that the component scans during boot or service startup. When the component loads the DLL, it executes code with SYSTEM privileges.
The vulnerability is triggered by a buffer overflow in the LoadLibraryExW wrapper. The overflow occurs when the loader processes a Unicode path longer than 260 characters. The overflow overwrites the return address, redirecting execution to attacker‑controlled code.
Mitigation Steps
- Apply the official patch. Download the cumulative update from the Microsoft Update Catalog or install via Windows Update.
- Disable the Loading service if the component is not required for your environment. Run `sc stop Loading` and `sc config Loading start= disabled`.
- Restrict DLL search paths. Configure the `PATH` environment variable to exclude untrusted directories. Use the `SetDllDirectory` API in custom applications.
- Implement application whitelisting. Deploy Windows Defender Application Control (WDAC) or AppLocker to block unauthorized DLLs.
- Monitor for anomalous DLL loads. Enable audit logging for `ProcessCreate` events in the Windows Event Log.
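The following PowerShell script is an added example, not part of the advisory or of any Microsoft tooling. It supports the "restrict DLL search paths" and "disable the service" steps above by flagging machine-wide `PATH` entries that non-administrators can write to (the directories where a planted DLL would be picked up) and reporting the state of the `Loading` service. The service name comes from the advisory; the KB identifier is a placeholder because the advisory does not give one, and the ACL check looks only at broad Allow entries (a matching Deny entry would still need manual review).

```powershell
# Added example: audit PATH for non-admin-writable directories and check
# patch/service state for the advisory's Loading component.
$ServiceName = 'Loading'      # service name as given in the advisory
$PatchKb     = 'KBXXXXXXX'    # placeholder: the advisory lists no KB number

# Rights that let a principal create or modify files in a directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Write

# Principals that effectively mean "any non-admin user".
$broadPrincipals = 'Everyone', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

function Test-WritableByNonAdmin {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# Machine-scope PATH is what services started by SCM inherit.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique

foreach ($dir in $machinePath) {
    if (Test-WritableByNonAdmin -Path $dir) {
        Write-Warning "PATH entry writable by non-admins (DLL planting exposure): $dir"
    }
}

# Patch status and service state.
$os = Get-CimInstance Win32_OperatingSystem
"OS: $($os.Caption) build $($os.Version)"
if (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue) {
    "Update $PatchKb is installed"
} else {
    Write-Warning "Update $PatchKb not found; apply the cumulative update or the mitigations"
}
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) { "Service $ServiceName : status=$($svc.Status) startType=$($svc.StartType)" }
else      { "Service $ServiceName is not present on this host" }
```

Run it from an elevated prompt so `Get-Acl` can read every directory; any flagged entry should be removed from `PATH` or have its ACL tightened.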
Timeline
| Date | Event |
|---|---|
| 2026‑05‑01 | CVE‑2026‑6253 disclosed by Microsoft Security Response Center (MSRC). |
| 2026‑05‑03 | Patch released for Windows 10/11 and Server 2016‑2022. |
| 2026‑05‑05 | Microsoft issues advisory recommending immediate update. |
| 2026‑05‑10 | Security Update Guide marks vulnerability as mitigated. |
What to Do Now
- Verify your system version with `winver`.
- Check patch status using `sconfig /status` or `Get-WindowsUpdateLog`.
- Apply the update immediately if not already installed.
- Follow mitigation steps if you cannot apply the patch within 24 hours.
For detailed installation instructions, see the official Microsoft documentation: How to install Windows updates. If you encounter issues, contact Microsoft Support or consult the community forum at Microsoft Tech Community.