Urgent: Remote Code Execution in Windows Update Service (CVE‑2026‑46598)

Impact

• Affected products: Windows 10 version 22H2 and later, Windows Server 2022 and later.
• Severity: CVSS 9.8 (Critical).
• Exploit vector: Remote, unauthenticated.
• Potential damage: Full system compromise, data exfiltration, persistence.

Technical Details

The flaw resides in the wuauserv service’s handling of malformed update metadata. A specially crafted XML file can trigger a buffer overflow in the service’s XML parser. The overflow writes to the stack, allowing an attacker to redirect execution flow to arbitrary code. The vulnerability is not mitigated by User Account Control or standard Windows Defender settings.

The attacker only needs to host a malicious update package on a server that a target system will contact during a routine update check. No user interaction is required.

Timeline

• CVE disclosure: 2026‑05‑17.
• Microsoft advisory published: 2026‑05‑18.
• Patch released: 2026‑05‑20 (KB5001234).
• Mitigation deadline: 2026‑06‑07.

Mitigation Steps

1. Check version: Run winver or systeminfo to confirm you are on 22H2 or later.
2. Download the patch: https://support.microsoft.com/kb/5001234.
3. Install immediately: Use Windows Update or manual installer.
4. Verify installation: wmic qfe get HotFixID should list KB5001234.
5. Disable automatic updates temporarily: gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → Windows Update → Configure Automatic Updates → Disabled to prevent re‑introduction during rollout.
6. Reboot: Required for the service to reload with the patched code.

Additional Resources

• Microsoft Security Update Guide – CVE‑2026‑46598
• KB5001234 download page
• Windows Update documentation

Conclusion

This vulnerability allows attackers to gain SYSTEM level access without authentication. Apply the patch without delay. Failure to do so exposes your environment to complete compromise.