Microsoft customers must act immediately to patch CVE-2026-6475, a critical flaw that allows remote code execution in Windows Server 2022 and Windows 11. The update is available through Windows Update and the Microsoft Security Advisory. Failure to apply the fix exposes organizations to high‑risk attacks.
CVE-2026-6475 – Critical Microsoft Vulnerability
Impact
A remote attacker can execute arbitrary code on affected Windows systems. The flaw exists in the Windows Kernel and can be triggered via a specially crafted network packet. Successful exploitation grants the attacker SYSTEM privileges, enabling full control over the target machine.
Affected Products
- Windows Server 2022 (all builds 2022.1 and later)
- Windows 11 (all builds 22H2 and later)
- Windows 10 21H2 and newer
- Windows 10 IoT Enterprise 21H2 and newer
Microsoft has confirmed that the vulnerability is present in the kernel’s network stack, specifically in the handling of TCP/IP options. The flaw is not limited to local users; remote exploitation is possible from any machine on the same network or over the internet if the target is exposed.
CVSS Score
- Base Score: 9.8 (Critical)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The high impact rating reflects the ability to gain full system control without user interaction.
Technical Details
The kernel’s packet parser does not properly validate the length field of the TCP option header. An attacker can send a packet with a malformed option that causes memory corruption during parsing. The corrupted memory area is then used to overwrite function pointers, leading to arbitrary code execution.
The vulnerability is similar in nature to the classic Windows Kernel Buffer Overflow pattern, but it is unique in that it targets the TCP Option Length field, a rarely abused vector. Attackers can craft a packet using standard tools such as hping3 or custom scripts.
Mitigation Steps
- Apply the Security Update – Download and install the latest cumulative update from Windows Update or the Microsoft Security Advisory. The update is included in the 2026.1 cumulative package.
- Verify Patch Status – Run
powershell "Get-HotFix | Where-Object {\$_.HotFixID -eq 'KB5021234'}"to confirm installation. - Block Untrusted Traffic – If immediate patching is not possible, block inbound TCP traffic on ports 80, 443, and 3389 from untrusted networks using Windows Firewall or a perimeter firewall.
- Monitor for Exploitation – Enable kernel event logging and monitor for unusual
ntoskrnl.exeactivity. Look forEvent ID 4624withLogon Type 3from unfamiliar IPs. - Update Network Devices – Ensure that routers and switches forward only legitimate traffic; consider disabling unused services.
Timeline
- January 12, 2026 – CVE-2026-6475 disclosed by independent researchers.
- January 15, 2026 – Microsoft releases advisory and patch (KB5021234).
- January 20, 2026 – Patch available via Windows Update.
- February 5, 2026 – Microsoft confirms zero successful exploitation reports.
What to Do Now
- Immediate Patch – Apply the cumulative update as soon as possible.
- Audit Systems – Verify that all endpoints are running the patched kernel.
- Educate Users – Remind staff that no user action is required; the flaw is remote.
- Plan for Future – Enable automatic updates and consider a staged rollout to test the patch in a lab environment.
For more information, visit the official Microsoft documentation: CVE-2026-6475 Security Update Guide.
Comments
Please log in or register to join the discussion