CVE-2022-26915 Overview
CVE-2022-26915 is a denial-of-service vulnerability in Windows Secure Channel (Schannel), the Security Support Provider that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols on Windows. A remote, unauthenticated attacker who can reach a service that negotiates TLS through Schannel can send crafted traffic that disrupts that service's availability. Microsoft shipped the fix in the April 12, 2022 security updates, and the entry was published to the National Vulnerability Database (NVD) on April 15, 2022. The affected range spans Windows 7 SP1 through Windows 11 on the client side and Windows Server 2008 SP2 through Windows Server 2022 on the server side.
Critical Impact
Remote attackers can trigger a denial of service against any service that relies on Windows Secure Channel to terminate TLS or SSL, including IIS, Remote Desktop Gateway, Active Directory Federation Services, and LDAPS on domain controllers.
Affected Products
- Microsoft Windows 10 (1607, 1809, 1909, 20H2, 21H1, 21H2) and Windows 11 (x64, ARM64)
- Microsoft Windows 7 SP1, Windows 8.1, and Windows RT 8.1
- Microsoft Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, and 2022
Discovery Timeline
- 2022-04-12 - Microsoft publishes the advisory and the security update
- 2022-04-15 - CVE-2022-26915 published to the NVD
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2022-26915
Vulnerability Analysis
The vulnerability resides in Schannel, the Windows Security Support Provider that implements TLS and SSL. Schannel handles cryptographic handshakes, certificate validation, session establishment, and record-layer processing for any Windows service that negotiates TLS through the Security Support Provider Interface (SSPI). A defect in how Schannel processes particular protocol messages lets a remote attacker send traffic that makes the consuming service terminate or stop responding. The Exploit Prediction Scoring System (EPSS) places this issue in the 95th percentile of CVEs, a relative measure that is recomputed over time but that indicated an elevated probability of exploitation activity when this page was written. The attack originates over the network and requires neither authentication nor user interaction. Confidentiality and integrity are not affected; the availability impact is rated high because Schannel underpins critical Windows network services, and a single Schannel consumer such as LSASS serves many of them at once.
Root Cause
Microsoft has not published a technical root-cause analysis for CVE-2022-26915. The advisory describes the flaw as a denial of service condition in Secure Channel without disclosing the specific code path or message type involved. The Common Weakness Enumeration entry is recorded as NVD-CWE-noinfo, indicating insufficient public data to map the issue to a specific weakness class.
Attack Vector
An attacker reaches the vulnerability by opening a network connection to any service that uses Schannel for TLS negotiation. Common targets include HTTPS endpoints served by Internet Information Services (IIS), LDAP over SSL (LDAPS) on domain controllers, Remote Desktop Gateway, and Exchange Server transport endpoints that offer STARTTLS. Because the affected code path has not been disclosed, the malicious input could be handshake or record-layer data; either way, Schannel mishandles it and the consuming process, or the Local Security Authority Subsystem Service (LSASS) that hosts Schannel's credential and key handling, stops processing further TLS sessions. No credentials, prior access, or user action are required. SMB is not a target: SMB 3 encryption uses its own AES-based scheme rather than TLS.
No verified public proof-of-concept code is available for CVE-2022-26915. Refer to the Microsoft Security Response Center advisory for vendor-supplied details.
Detection Methods for CVE-2022-26915
Indicators of Compromise
- Unexpected termination or repeated restarts of processes that terminate TLS through Schannel: lsass.exe (which hosts Schannel's credential and key handling for every consumer, including HTTP.sys-based services such as IIS and RD Gateway), w3wp.exe, and other SSPI clients such as the ADFS service
- Schannel error events in the Windows System event log, particularly Event IDs 36874 (no shared cipher suite), 36887 (fatal alert received), and 36888 (fatal alert sent), occurring in bursts. These events do not record the remote address, so attribute a burst to a source with firewall, Windows Filtering Platform, or proxy logs covering the same interval
- Spikes in inbound TLS handshake failures on port 443, 636, 3389, or other Schannel-protected endpoints from a small number of remote hosts
Detection Strategies
- Correlate Windows event logs with network telemetry to identify malformed TLS handshakes preceding Schannel service crashes
- Build detections for repeated TLS alert messages or truncated ClientHello records arriving from the same remote endpoint
- Track process crash telemetry on domain controllers, web servers, and gateway hosts to flag exploitation attempts against lsass.exe and IIS worker processes
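The correlation described in the three strategies above, as an added PowerShell example that is not part of the original page or of any Microsoft tooling. Schannel events carry no peer address, so the script buckets Schannel errors from the System log into fixed windows, then joins any window that exceeds a threshold against Windows Filtering Platform connection audits (Security log, Event ID 5156), which do record the source address and destination port. The thresholds, the port list, and the sample records are assumptions constructed for this example; the Get-Live* functions show the real queries.

```powershell
# Added example, not from the advisory or from Microsoft: attribute a burst of Schannel
# errors to a remote address. Schannel events (System log, IDs 36874/36887/36888) do not
# record the peer, so the burst is joined against Windows Filtering Platform connection
# audits (Security log, ID 5156), which do. Thresholds, ports and the sample records are
# assumptions constructed for this example; Get-Live* show the real queries.

$SchannelEventIds = 36874, 36887, 36888
$TlsPorts         = 443, 636, 3389

function Get-LiveSchannelEvents {
    # Schannel writes to the System log under the provider name 'Schannel'.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = $SchannelEventIds } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id } }
}

function Get-LiveWfpEvents {
    # Requires 'Audit Filtering Platform Connection' (success) to be enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        # Direction is stored as a resource string; %%14592 is the value rendered as "Inbound".
        if ($d.Direction -eq '%%14592') {
            [pscustomobject]@{ Time = $_.TimeCreated; SourceAddress = $d.SourceAddress; DestPort = [int]$d.DestPort }
        }
    }
}

function Find-SchannelBursts {
    param([object[]]$Events, [int]$WindowSeconds = 60, [int]$Threshold = 20)
    # Bucket errors into fixed UTC windows; return the windows whose count reaches the threshold.
    $ticksPerWindow = [long]$WindowSeconds * 10000000
    $Events | Group-Object { [long][math]::Floor($_.Time.ToUniversalTime().Ticks / $ticksPerWindow) } |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            $start = [datetime]::new([long]$_.Name * $ticksPerWindow, [DateTimeKind]::Utc)
            [pscustomobject]@{ WindowStart = $start; WindowEnd = $start.AddSeconds($WindowSeconds); Errors = $_.Count }
        }
}

function Get-BurstSources {
    param([object[]]$Bursts, [object[]]$Connections, [int[]]$Ports = $TlsPorts, [int]$MinConnections = 10)
    # For each burst window, rank remote addresses by inbound connections to Schannel ports.
    foreach ($b in $Bursts) {
        $Connections |
            Where-Object { $_.DestPort -in $Ports -and $_.Time -ge $b.WindowStart -and $_.Time -lt $b.WindowEnd } |
            Group-Object SourceAddress |
            Where-Object Count -ge $MinConnections |
            Sort-Object Count -Descending |
            ForEach-Object {
                [pscustomobject]@{ WindowStart = $b.WindowStart; SchannelErrors = $b.Errors
                                   SourceAddress = $_.Name; Connections = $_.Count }
            }
    }
}

# Constructed sample: 30 fatal alerts inside one minute, 5 scattered earlier, and WFP
# connections in that minute dominated by one address (RFC 5737 documentation ranges).
$t0 = [datetime]::new(2022, 4, 20, 10, 0, 0, [DateTimeKind]::Utc)
$SampleSchannel = @(0..29 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(2 * $_); Id = 36887 } }) +
                  @(0..4  | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMinutes(5 * $_ - 30); Id = 36874 } })
$SampleConnections = @(0..24 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(2 * $_ + 1); SourceAddress = '203.0.113.10'; DestPort = 443 } }) +
                     @(0..2  | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(15 * $_);    SourceAddress = '198.51.100.7'; DestPort = 443 } }) +
                     @([pscustomobject]@{ Time = $t0.AddSeconds(10); SourceAddress = '203.0.113.10'; DestPort = 445 })   # SMB, not a Schannel port

$bursts = Find-SchannelBursts -Events $SampleSchannel
Get-BurstSources -Bursts $bursts -Connections $SampleConnections | Format-Table

# Against live logs (run elevated on the affected host):
# Get-BurstSources -Bursts (Find-SchannelBursts -Events (Get-LiveSchannelEvents)) -Connections (Get-LiveWfpEvents)
```

On the constructed data the scattered 36874 events never reach the threshold, the minute holding the fatal alerts does, and only the address that dominated inbound connections to a Schannel port in that minute is reported; the SMB connection is ignored because port 445 is not on the list. Where WFP auditing is not enabled, substitute perimeter firewall or reverse-proxy logs as the Connections input, keeping the same Time, SourceAddress and DestPort fields.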
Monitoring Recommendations
- Forward the System event log (where Schannel writes its events) and the Application log to a centralized SIEM and alert on anomalous error frequencies
- Monitor TLS error rates per source IP on perimeter load balancers and reverse proxies fronting Windows servers
- Track patch deployment status across all in-scope Windows builds to confirm the April 2022 security update is installed
How to Mitigate CVE-2022-26915
Immediate Actions Required
- Apply the April 2022 Microsoft security update referenced in the Microsoft Security Update Guide for CVE-2022-26915 to every affected Windows build
- Prioritize patching of internet-facing systems that terminate TLS, including IIS, ADFS, Exchange, and Remote Desktop Gateway hosts
- Patch domain controllers exposing LDAPS, since an LSASS outage disrupts authentication across the domain
Patch Information
Microsoft addressed CVE-2022-26915 in the April 12, 2022 cumulative updates for all supported Windows client and server releases. Each affected build receives its own KB article, listed in the Microsoft Security Update Guide. Administrators should validate that the relevant monthly rollup or security-only update is present on every system that runs an affected Windows version.
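A way to confirm the update fleet-wide, as an added PowerShell example that is not part of the original page or of any Microsoft tooling. Rather than relying on Get-HotFix, which omits updates that Win32_QuickFixEngineering does not report, it reads CurrentBuildNumber and UBR from the registry of each host and compares them with the first fixed build for that release. The build table is taken from the April 12, 2022 release notes and is an assumption to confirm against the Security Update Guide entry for CVE-2022-26915; it deliberately omits releases that are serviced by monthly rollups rather than a UBR (Windows 8.1, Windows 7, Server 2012 R2 and older), which report as Unknown and must be checked by KB instead. The host names in the sample inventory are constructed.

```powershell
# Added example, not from the advisory or from Microsoft: classify hosts as patched for
# CVE-2022-26915 by comparing their build and UBR with the first fixed build. The table
# below is from the April 12, 2022 release notes; confirm it against the Security Update
# Guide before relying on it. Releases not in the table (rollup-serviced builds such as
# 8.1, 2012 R2 and 2008 R2) come back as Unknown and need a KB check instead.

$FixedUbr = @{
    '22000' = 613    # Windows 11 21H2               (KB5012592)
    '20348' = 643    # Windows Server 2022           (KB5012604)
    '19044' = 1645   # Windows 10 21H2               (KB5012599; 19042/19043 share the UBR)
    '19043' = 1645   # Windows 10 21H1
    '19042' = 1645   # Windows 10 20H2
    '17763' = 2803   # Windows 10 1809 / Server 2019 (KB5012647)
    '14393' = 5066   # Windows 10 1607 / Server 2016 (KB5012596)
}

function Get-LocalBuild {
    # Build and UBR live under CurrentVersion; UBR is absent on releases older than Windows 10.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Product      = $cv.ProductName
        Build        = $cv.CurrentBuildNumber
        Ubr          = [int]$cv.UBR
    }
}

function Test-Cve202226915Patched {
    param([Parameter(Mandatory)][string]$Build, [Parameter(Mandatory)][int]$Ubr, [hashtable]$Table = $FixedUbr)
    # Returns Patched, Vulnerable, or Unknown (build not in the table).
    if (-not $Table.ContainsKey($Build)) { return 'Unknown' }
    if ($Ubr -ge $Table[$Build]) { 'Patched' } else { 'Vulnerable' }
}

function Get-FleetPatchStatus {
    param([string[]]$ComputerName)
    # Collect builds over PowerShell Remoting and classify each host.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-LocalBuild} | ForEach-Object {
        $_ | Add-Member -NotePropertyName Status -NotePropertyValue (Test-Cve202226915Patched -Build $_.Build -Ubr $_.Ubr) -PassThru
    }
}

# Constructed sample inventory, so the classifier can be exercised without remoting.
$Sample = @(
    [pscustomobject]@{ ComputerName = 'WEB01'; Build = '20348'; Ubr = 643   }   # at the fixed build
    [pscustomobject]@{ ComputerName = 'DC01';  Build = '17763'; Ubr = 2686  }   # March 2022 level
    [pscustomobject]@{ ComputerName = 'APP02'; Build = '9600';  Ubr = 0     }   # Windows Server 2012 R2: rollup-serviced
)
$Sample | Select-Object ComputerName, Build, Ubr, @{ n = 'Status'; e = { Test-Cve202226915Patched -Build $_.Build -Ubr $_.Ubr } } | Format-Table

# This host, then a fleet (requires WinRM and an account with admin rights on the targets):
$local = Get-LocalBuild
Test-Cve202226915Patched -Build $local.Build -Ubr $local.Ubr
# Get-FleetPatchStatus -ComputerName 'WEB01', 'DC01' | Format-Table ComputerName, Product, Build, Ubr, Status
```

A host whose UBR equals or exceeds the table value carries the April 2022 cumulative update or a later one, since cumulative updates supersede each other. Treat Unknown as a prompt to look the release up in the Update Guide and check the listed monthly rollup or security-only KB with Get-HotFix, not as a pass.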
Workarounds
- No vendor-supplied workaround is documented; patching is the supported remediation
- Restrict exposure of TLS-terminating Windows services to trusted networks using firewall rules until updates are applied
- Place a TLS-terminating reverse proxy or load balancer that does not itself rely on Schannel in front of exposed endpoints, and restrict the backend so that only the proxy can open TLS sessions to it; untrusted handshake data is then absorbed by the proxy's TLS stack and never reaches Schannel
# List recently installed updates (run in PowerShell) and confirm that the KB the Security
# Update Guide lists for this build is present; Get-HotFix omits updates that
# Win32_QuickFixEngineering does not report, so an absent KB is not proof of a missing patch
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
# Review Schannel's error history. Schannel logs to the System log as provider 'Schannel' and
# by default records only errors (the EventLogging value under
# HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL controls verbosity)
Get-WinEvent -LogName System -FilterXPath "*[System[Provider[@Name='Schannel']]]" -MaxEvents 50
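The firewall workaround above, as an added PowerShell example that is not part of the original page or of any Microsoft tooling. It first inventories the local listeners on Schannel-backed ports (a listener owned by PID 4, System, is HTTP.sys, which is what IIS, RD Gateway and ADFS sit behind), then scopes the existing inbound Allow rules for those ports to trusted ranges. Windows Firewall evaluates Block rules before Allow rules, so adding a Block rule for "everyone else" cannot be combined with an Allow exception; tightening the Allow rules' remote addresses is the reliable form. The port list, the trusted subnets, and the dry-run-by-default behaviour are assumptions for this example.

```powershell
# Added example, not from the advisory or from Microsoft: list the local listeners on
# Schannel-backed ports, then scope the inbound Allow rules for those ports to trusted
# ranges as an interim measure until the April 2022 update is installed. Ports, trusted
# subnets and the dry-run default are assumptions for this example. Run elevated.

$TlsPorts       = 443, 636, 3269, 3389              # HTTPS, LDAPS, Global Catalog over SSL, RDP
$TrustedSubnets = '10.0.0.0/8', '192.168.0.0/16'    # assumed management and user ranges

function Get-TlsListener {
    param([int[]]$Ports = $TlsPorts)
    # PID 4 (System) owns HTTP.sys listeners; lsass.exe owns LDAPS; svchost owns RDP.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $Ports } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                OwningPid    = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        } | Sort-Object LocalPort, LocalAddress
}

function Get-InboundAllowRule {
    param([int[]]$Ports = $TlsPorts)
    # Enabled inbound Allow rules whose TCP port filter names one of the ports.
    # Rules whose LocalPort is 'Any' or a range are skipped; review those by hand.
    Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
        Where-Object { @($_.LocalPort) | Where-Object { $_ -match '^\d+$' -and [int]$_ -in $Ports } } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
}

function Set-TlsListenerScope {
    param([string[]]$RemoteAddress = $TrustedSubnets, [int[]]$Ports = $TlsPorts, [switch]$Apply)
    # Windows Firewall evaluates Block before Allow, so restricting the existing Allow rules
    # is the reliable way to limit who can reach a port. Without -Apply this only reports.
    foreach ($rule in Get-InboundAllowRule -Ports $Ports) {
        if ($Apply) { $rule | Set-NetFirewallRule -RemoteAddress $RemoteAddress }
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = $RemoteAddress -join ', '
            Applied       = [bool]$Apply
        }
    }
}

Get-TlsListener | Format-Table
Set-TlsListenerScope | Format-Table                  # dry run: shows which rules would be scoped
# Set-TlsListenerScope -Apply                        # tighten the rules
# Set-NetFirewallRule -DisplayName '<rule>' -RemoteAddress Any   # revert one rule after patching
```

Run the dry run first and read the rule list: a rule for port 443 created by IIS or WinRM is expected, while one created by a third-party agent is a reminder that the agent also depends on Schannel and needs the same scoping. After the April 2022 update is confirmed, revert each rule's RemoteAddress to Any rather than deleting and recreating it, so the rule's other properties survive.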
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.