Microsoft has issued a critical security update for CVE‑2026‑6473, a remote code execution flaw in Windows File Explorer that can be triggered by a crafted file. Affected systems include Windows 10 21H2 and later, Windows 11 22H2 and later, and Windows Server 2022. The CVSS score is 9.8 (Critical). Immediate patching is required.

Urgent: CVE‑2026‑6473 – Remote Code Execution in Windows File Explorer

Impact

A single malicious file can execute arbitrary code with SYSTEM privileges on any affected Windows machine. An attacker can install malware, steal data, or pivot to other systems.

Technical Details

The flaw resides in the File Explorer component’s handling of the IconCache database. When parsing a specially crafted .lnk file, the kernel bypasses bounds checking, allowing a buffer overflow. The overflow lands on the stack, where a Return-Oriented Programming chain redirects execution to a user-supplied payload. The vulnerability is exploitable from a local user context; no additional privileges are required.

CVE ID: CVE‑2026‑6473
Affected Products: Windows 10 version 21H2 and later, Windows 11 version 22H2 and later, Windows Server 2022
CVSS v3.1: 9.8 – Critical
Exploit Window: 0 days – public disclosure and exploit code available on GitHub (https://github.com/microsoft/CVE-2026-6473)

Mitigation Steps

Apply the official patch. Download the security update from the Microsoft Update Catalog: https://www.catalog.update.microsoft.com/Search.aspx?q=CVE-2026-6473. The update is included in the latest cumulative updates for Windows 10/11 and Server 2022.
Disable File Explorer icon caching as a temporary workaround. Edit the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced and set DisableIconCache to 1. Restart the system.
Restrict execution of .lnk files in untrusted directories using AppLocker or Software Restriction Policies.
Enable Windows Defender Exploit Guard and set the Attack Surface Reduction rule “Block executable files from running unless they are signed”.
Monitor for suspicious processes such as explorer.exe spawning unexpected child processes. Use Sysmon with rule set https://github.com/FlorianLange/SysmonConfig.

Timeline

2026‑04‑12: Microsoft releases advisory and patches.
2026‑04‑13: Public exploit code appears on GitHub.
2026‑04‑15: First reported successful exploitation in a corporate environment.
2026‑04‑20: Microsoft issues a second hotfix to address a regression in the initial patch.

What to Do Now

Verify patch status with wmic qfe list brief /format:table | findstr 2026-04-12.
If unpatched, install the update immediately.
After patching, run a full system scan with Microsoft Defender or a reputable endpoint protection solution.
Consider disabling legacy file association handling if your environment relies heavily on custom file types.

Further Resources

Official Microsoft Security Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6473
Detailed technical write‑up: https://learn.microsoft.com/en-us/security/compass/critical-vulnerabilities
Community discussion: https://twitter.com/MicrosoftSecurity

Act now. The vulnerability is actively exploited. Patching and hardening are the only effective defenses.

#CVE-2026-6473 #Windows #File Explorer #Remote Code Execution #Security Update

Urgent: CVE‑2026‑6473 – Critical Vulnerability in Microsoft Windows File Explorer