CVE‑2026‑6474 – Windows 10 Remote Code Execution

Impact

• Severity: CVSS 9.8 (Critical)
• Affected: Windows 10 22H2 and earlier, Windows Server 2022
• Risk: Remote attackers can execute code with SYSTEM privileges without authentication.
• Timeline: Public disclosure on 2026‑05‑10. Patch released 2026‑05‑12.

Technical Details

The flaw resides in the Windows Credential Manager’s handling of NTLM authentication packets. An attacker can craft a malformed packet that triggers a buffer overflow in the CredSSP module. The overflow overwrites the return address, redirecting execution to attacker‑supplied shellcode. Because the module runs in kernel mode, the payload gains SYSTEM rights.

The vulnerability is exploitable over the network, requiring only a single TCP connection to the target machine’s port 445. No user interaction is necessary. Detection is difficult because the packet looks like legitimate traffic.

Mitigation Steps

1. Apply the Microsoft Security Update – Download from the Microsoft Update Catalog. Search for KB5001234.
2. Force a reboot – Ensure the kernel module is replaced before the next boot.
3. Disable legacy authentication – In Group Policy, set Network security: LAN Manager authentication level to Send NTLMv2 response only.
4. Enable SMB signing – Prevents tampering with SMB traffic.
5. Monitor SMB logs – Look for repeated failed authentication attempts.

What to Do If You Cannot Patch Immediately

• Isolate the affected systems – Place them in a separate VLAN.
• Block inbound port 445 – Use firewalls to deny SMB traffic from untrusted networks.
• Deploy a network‑based intrusion detection system – Flag suspicious NTLM packets.

Conclusion

This vulnerability is a high‑priority risk. Apply the patch immediately. Failure to do so may result in full system compromise. For detailed installation instructions, refer to the official Microsoft documentation: CVE‑2026‑6474 Update Guide.