PT-2026-32886 · Microsoft · Windows Server 2025+5

Published: 2026-04-14 · Updated: 2026-05-16 · CVE-2026-33827

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Microsoft Windows 10 versions 10.0.14393.0 through 10.0.14393.9059
Microsoft Windows 10 (affected versions not specified)
Microsoft Windows 11 (affected versions not specified)
Microsoft Windows Server 2019 (affected versions not specified)
Microsoft Windows Server 2022 (affected versions not specified)
Microsoft Windows Server 2025 (affected versions not specified)

Description

A race condition in the Windows TCP/IP stack, specifically within the kernel-mode driver tcpip.sys, allows an unauthorized remote attacker to execute arbitrary code with System-level privileges. The issue occurs during the reassembly of fragmented IPv6 packets when IPSec is enabled. A race condition exists between the thread verifying IPSec signatures and the thread managing the fragment reassembly buffer. By sending concurrent streams of malformed IPv6 fragments, an attacker can trigger a Use-After-Free or Double-Free condition in the reassembly buffer, allowing the injection of a malicious payload into kernel memory. This is a zero-click exploit that bypasses user-mode firewalls and Endpoint Detection and Response (EDR) hooks.

Recommendations

For Windows 10 version 10.0.14393.0 through 10.0.14393.9059, deploy the April 2026 Cumulative Update and perform a full system restart.
For Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2025, deploy the April 2026 Cumulative Update and perform a full system restart.
As a temporary mitigation, configure edge firewalls to drop all incoming IPv6 traffic with Fragment Extension Headers (Header Type 44).
As a temporary mitigation, disable IPSec if it is not strictly required for internal communication.
As a temporary mitigation, run the command netsh int ipv6 set global reassemblylimit=0 in an elevated prompt to limit reassembly risks.
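
To validate the edge-firewall mitigation above against captured traffic, the following added example (not part of the advisory and not vendor code) walks the IPv6 extension-header chain and reports whether a Fragment header (44) is present, including when it sits behind another extension header rather than directly after the fixed header. The function names and the sample packets are constructed for illustration.

```python
import struct

# IPv6 extension header numbers (IANA protocol numbers).
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
WALKABLE = {HOP_BY_HOP, ROUTING, DEST_OPTS, AH}

def find_fragment_header(packet: bytes):
    """Walk the extension-header chain of a raw IPv6 packet.

    Returns None if no Fragment header (44) is present, else a dict with the
    fragment offset in bytes, the More-Fragments flag and the identification.
    Raises ValueError on a non-IPv6 or truncated packet.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, pos = packet[6], 40
    while True:
        if next_header == FRAGMENT:
            if len(packet) < pos + 8:
                raise ValueError("truncated Fragment header")
            _, _, off_flags, ident = struct.unpack_from("!BBHI", packet, pos)
            return {"offset": off_flags & 0xFFF8, "more": bool(off_flags & 1), "id": ident}
        if next_header not in WALKABLE:
            return None  # upper-layer protocol or ESP: nothing more to walk
        if len(packet) < pos + 2:
            raise ValueError("truncated extension header")
        length_field = packet[pos + 1]
        # AH length is in 4-octet units minus 2; the others use 8-octet units minus 1.
        size = (length_field + 2) * 4 if next_header == AH else (length_field + 1) * 8
        next_header, pos = packet[pos], pos + size

def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet between documentation addresses (2001:db8::/32)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

# Constructed samples: plain UDP, a fragment, and a fragment behind Destination Options.
FRAG = struct.pack("!BBHI", 17, 0, (185 << 3) | 1, 0x1234ABCD) + bytes(8)
SAMPLES = {
    "udp": build_ipv6(17, bytes(8)),
    "fragment": build_ipv6(FRAGMENT, FRAG),
    "destopts+fragment": build_ipv6(DEST_OPTS, bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0]) + FRAG),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        hit = find_fragment_header(pkt)
        print(f"{name:18} -> {'DROP ' + str(hit) if hit else 'pass'}")
```

A rule that inspects only the Next Header field of the fixed header would pass the third sample, so the filter under test should be checked against both fragment samples.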

Fix

RCE

Race Condition

Weakness Enumeration

Related Identifiers

BDU:2026-05329
CVE-2026-33827

Affected Products

Windows
Windows 10
Windows 11
Windows Server 2019
Windows Server 2022
Windows Server 2025