PT-2026-32883 · Microsoft · Windows 10+1

Published

2026-04-14

·

Updated

2026-06-30

·

CVE-2026-33824

CVSS v2.0

10

Critical

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Microsoft Windows 10 versions 10.0.14393.0 through 10.0.14393.9059 Microsoft Windows 10 (affected versions not specified) Microsoft Windows 11 (affected versions not specified) Microsoft Windows Server versions 2012 through 2025
Description A double-free memory corruption flaw exists in the Windows Internet Key Exchange (IKE) Extension. This issue occurs when the IKE service processes malformed vendor-extension attributes during security association negotiation, leading to a synchronization failure in the cleanup logic that attempts to free the same memory buffer twice. An unauthenticated remote attacker can exploit this by sending specially crafted IKEv2 negotiation packets to UDP ports 500 or 4500. Successful exploitation allows the attacker to overwrite kernel function pointers and execute arbitrary code with SYSTEM privileges without user interaction. This flaw is described as wormable and has been observed being weaponized via automated scanning botnets to bypass VPN gateways and enterprise perimeters.
Recommendations Apply the April 2026 Microsoft Patch Tuesday cumulative security updates to all affected Windows 10, 11, and Server (2012–2025) systems. As a temporary workaround, disable the IKEEXT (IKE and AuthIP IPsec Keying Modules) service. Restrict inbound traffic on UDP ports 500 and 4500 to only allow known, trusted peer IP addresses.

Fix

RCE

DoS

Double Free

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-05343
CVE-2026-33824

Affected Products

Windows
Windows 10