PT-2026-32883 · Microsoft · Windows 10+1
Published
2026-04-14
·
Updated
2026-06-30
·
CVE-2026-33824
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Microsoft Windows 10 versions 10.0.14393.0 through 10.0.14393.9059
Microsoft Windows 10 (affected versions not specified)
Microsoft Windows 11 (affected versions not specified)
Microsoft Windows Server versions 2012 through 2025
Description
A double-free memory corruption flaw exists in the Windows Internet Key Exchange (IKE) Extension. This issue occurs when the IKE service processes malformed vendor-extension attributes during security association negotiation, leading to a synchronization failure in the cleanup logic that attempts to free the same memory buffer twice. An unauthenticated remote attacker can exploit this by sending specially crafted IKEv2 negotiation packets to UDP ports 500 or 4500. Successful exploitation allows the attacker to overwrite kernel function pointers and execute arbitrary code with SYSTEM privileges without user interaction. This flaw is described as wormable and has been observed being weaponized via automated scanning botnets to bypass VPN gateways and enterprise perimeters.
Recommendations
Apply the April 2026 Microsoft Patch Tuesday cumulative security updates to all affected Windows 10, 11, and Server (2012–2025) systems.
As a temporary workaround, disable the
IKEEXT (IKE and AuthIP IPsec Keying Modules) service.
Restrict inbound traffic on UDP ports 500 and 4500 to only allow known, trusted peer IP addresses.Fix
RCE
DoS
Double Free
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Windows
Windows 10