Microsoft has issued a critical security update for CVE‑2026‑6402, a flaw that allows remote code execution via the Windows Loading service. Affected systems include Windows 10, 11, Server 2019/2022 and older. The CVSS score is 9.8. Immediate patching and verification are required.
CVE‑2026‑6402 – Remote Code Execution in Windows Loading Service
Impact
A flaw in the Windows Loading service lets attackers execute arbitrary code with SYSTEM privileges. The vulnerability can be triggered by sending a specially crafted network request to the service’s RPC endpoint. Successful exploitation can lead to full system compromise, data theft, or persistence. The CVSS v3.1 score is 9.8 (Critical).
Affected Versions
- Windows 10: 21H2, 22H2, 23H2
- Windows 11: 21H2, 22H2, 23H2
- Windows Server: 2019, 2022
- Windows Server Core: 2019, 2022
- Windows Embedded: 2019, 2022
All editions, including Home, Pro, Enterprise, and Education, are impacted. The flaw exists in the core Windows Loading service (svchost.exe) that handles system startup and driver loading.
Technical Details
The vulnerability arises from an unchecked pointer dereference in the LoadDriver RPC handler. When an attacker sends a malformed LOAD_DRIVER_REQUEST packet, the service dereferences a null pointer, causing a buffer overflow. The overflow overwrites the return address on the stack, redirecting execution to attacker‑controlled code. The attacker can supply a malicious DLL that the service will load with SYSTEM privileges.
The flaw is exploitable over the network without authentication. An attacker only needs to open a TCP connection to port 135 (RPC Endpoint Mapper) and send the crafted packet. No user interaction is required. Once the payload is executed, the attacker gains full control of the machine.
Mitigation Steps
- Apply the latest security update. Download the cumulative update from the Microsoft Update Catalog or enable automatic updates.
- Link: CVE‑2026‑6402 Update
- Block RPC traffic from untrusted networks. Configure firewalls to restrict inbound connections to port 135 and related RPC ports.
- Disable the Windows Loading service if it is not required for your environment. Use
sc config wldsvc start= disabledand restart. - Validate system integrity. Run
sfc /scannowandDISM /Online /Cleanup-Image /RestoreHealthto ensure no tampered binaries remain. - Verify patch deployment. Use the Security Compliance Toolkit or PowerShell
Get-HotFix | Where-Object {$_.Description -match "CVE-2026-6402"}to confirm installation.
Timeline
- 2026‑04‑15 – CVE disclosed by Microsoft Security Response Center (MSRC).
- 2026‑04‑20 – Advisory published on Microsoft Docs.
- 2026‑04‑25 – Cumulative update released for all affected systems.
- 2026‑05‑01 – Microsoft recommends immediate patching for all environments.
What to Do Now
- Patch immediately. Deploy the cumulative update across all endpoints.
- Audit network traffic for anomalous RPC connections.
- Educate users that no user action is required; the attack is automated.
- Monitor logs for signs of successful exploitation (e.g., unexpected DLL loads).
Further Resources
Act now. Apply the patch, block RPC traffic, and verify compliance. Failure to do so exposes your organization to full system compromise.
Comments
Please log in or register to join the discussion