CVE‑2026‑6477: Remote Code Execution in Windows

Immediate Impact

• Severity: CVSS 9.8 (Critical)
• Affected Systems: Windows 10 versions 1909 through 22H2, Windows Server 2019, 2022, and Windows 11 22H2
• Exploitability: Remote attackers can trigger the flaw via crafted SMB traffic without authentication.

Technical Details

The vulnerability resides in the SMBv3 file‑sharing protocol. A malformed SMB packet bypasses the kernel's bounds checking, allowing a privileged user context to run arbitrary code. The flaw is triggered by a specially crafted SMB2_SESSION_SETUP request that overwrites a pointer in the session context structure.

Attackers can chain this with a DLL injection technique to gain SYSTEM privileges. The kernel‑mode driver srv.sys is the entry point. The flaw is similar to the 2020 SMB Ghost issue but targets a different code path.

Why It Matters

• Zero‑day potential: No public exploit yet, but the code is available to threat actors.
• Enterprise exposure: SMB is enabled by default on most Windows networks.
• Propagation risk: Compromise of one machine can lead to lateral movement.

Mitigation Steps

1. Apply the latest security update from Microsoft. The update is part of the May 2026 cumulative security release.
   • Download from the Microsoft Update Catalog.
2. Disable SMBv3 on non‑essential servers if immediate patching is delayed. Use Group Policy: Computer Configuration → Administrative Templates → Network → LAN Manager Authentication Level → SMBv3 disabled.
3. Enable SMB signing to add integrity checks.
4. Audit SMB traffic with Windows Defender Advanced Threat Protection (ATP) or third‑party IDS.
5. Patch all VMs and containers that run Windows images.

Timeline

• 2026‑04‑15: CVE disclosed by Microsoft Security Response Center (MSRC).
• 2026‑04‑20: Initial advisory issued; patch development begins.
• 2026‑05‑10: Patch released in cumulative update.
• 2026‑05‑15: Advisory updated with mitigation guidance.

Further Resources

• MSRC Vulnerability Advisory – CVE‑2026‑6477
• Windows Security Update Guide – May 2026
• SMBv3 Documentation
• GitHub – SMB Vulnerability Analysis

Bottom Line

Apply the patch immediately. Disable SMBv3 if patching cannot be applied within 48 hours. Monitor network traffic for suspicious SMB activity. Failure to act exposes your environment to critical remote code execution.