Microsoft has released a critical security update for CVE-2026-7790, a remote code execution flaw in Windows 11 and Windows Server 2022. The vulnerability carries a CVSS score of 9.8. All affected systems must apply the patch within 48 hours to prevent potential data loss and system compromise.
CVE-2026-7790 – Remote Code Execution in Windows 11 and Server 2022
Impact
- Severity: CVSS 9.8 (Critical)
- Affected: Windows 11 (all builds), Windows Server 2022 (all editions)
- Risk: Remote attackers can execute arbitrary code with SYSTEM privileges.
- Timeline: Discovered March 12, 2026. Patch released April 15, 2026.
Technical Details
The flaw resides in the Windows Credential Manager subsystem. An attacker can craft a specially formatted credential file that, when loaded by the system, triggers a buffer overflow in the credential parsing routine. The overflow overwrites the return address on the stack, allowing execution of attacker‑supplied shellcode. The vulnerability does not require user interaction; it can be triggered by a malicious file placed in a monitored directory or delivered via a network share.
The exploit chain is straightforward:
- Place a malicious credential file in a monitored folder.
- The system loads the file during normal operation.
- The overflow occurs, granting SYSTEM access.
- The attacker can then pivot to other machines or exfiltrate data.
Mitigation Steps
- Apply the patch immediately. Download the update from the Microsoft Update Catalog or enable automatic updates.
- Windows 11: KB6001234
- Windows Server 2022: KB6001235
- Restrict write access to credential directories for non‑trusted users.
- Enable Credential Guard if available.
- Audit for any anomalous credential files in monitored directories.
- Monitor for unusual SYSTEM processes using Sysmon or equivalent.
How to Verify
Run powershell -Command "Get-HotFix -Id KB6001234" on Windows 11 or KB6001235 on Server 2022. Confirm the installation date is after April 15, 2026.
Further Resources
- Microsoft Security Update Guide – CVE-2026-7790
- KB6001234 – Windows 11 Security Update
- KB6001235 – Windows Server 2022 Security Update
- Sysmon Documentation
Conclusion
This vulnerability is critical and exploitable without authentication. Apply the patch without delay. Monitor systems for signs of compromise. Stay protected by following Microsoft’s guidance and maintaining a strict access policy for credential storage.
Comments
Please log in or register to join the discussion