CVE-2026-35422 Overview
CVE-2026-35422 is an authentication bypass vulnerability in the Windows TCP/IP networking stack. An authorized attacker can use an alternate path or channel to bypass a security feature over a network, undermining controls that depend on the stack's protocol validation. The flaw is tracked under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and affects a wide range of supported Windows client and server releases. Microsoft published the advisory on 2026-05-12, and successful exploitation results in a high integrity impact without directly affecting confidentiality or availability.
Critical Impact
An authenticated attacker on the network can bypass a Windows TCP/IP security control and tamper with protected data or system state across most supported Windows versions.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and ARM64
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and ARM64
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-05-12 - CVE-2026-35422 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-35422
Vulnerability Analysis
The vulnerability resides in the Windows TCP/IP stack, a kernel-mode component (tcpip.sys) responsible for processing IPv4 and IPv6 traffic. An authenticated attacker can submit network traffic that reaches the security feature through an unintended path, bypassing the validation logic that normally enforces the control. Because the impact is on integrity rather than confidentiality or availability, exploitation enables unauthorized modification of protected state without crashing the host or leaking sensitive data. The advisory classifies the flaw under [CWE-288], indicating that the protected functionality remains reachable through a secondary channel the developers did not account for.
Root Cause
The root cause is an alternate code path within Windows TCP/IP that processes network input without enforcing the same authentication or security checks as the primary path. When a request arrives over this secondary channel, the protocol handler does not consult or correctly evaluate the security control, allowing the operation to proceed as though the check had succeeded.
Attack Vector
Exploitation requires network access and low-privileged credentials (PR:L), but no user interaction. The attacker crafts traffic targeting the alternate TCP/IP processing path on a vulnerable host. Once the traffic is accepted, the security feature is bypassed and the attacker can perform actions that integrity controls were designed to prevent. Microsoft has not reported in-the-wild exploitation, and the current EPSS probability is 0.063%.
No public proof-of-concept is available. For protocol-level details, refer to the Microsoft Security Update CVE-2026-35422 advisory.
Detection Methods for CVE-2026-35422
Indicators of Compromise
- Unexpected inbound TCP/IP connections from authenticated low-privilege accounts to hosts that do not normally accept their traffic.
- Successful operations against network services that should have been blocked by the bypassed security feature.
- Anomalous IPv4 or IPv6 packet sequences targeting Windows hosts that diverge from documented protocol behavior.
Detection Strategies
- Correlate authentication events with subsequent network actions to identify activity that bypasses expected security gates.
- Inspect Windows Filtering Platform (WFP) and firewall logs for connections that succeeded despite policies that should have denied them.
- Compare host-level audit logs against network telemetry to detect operations that occurred without the prerequisite security checks.
Monitoring Recommendations
- Monitor Windows Event Logs (Security and System channels) for unusual TCP/IP driver activity and authentication anomalies.
- Track patch deployment status across all listed Windows 10, Windows 11, and Windows Server builds.
- Alert on lateral movement patterns originating from accounts with only low privileges, which match the attacker profile required by this CVE.
How to Mitigate CVE-2026-35422
Immediate Actions Required
- Apply the May 2026 Microsoft security updates to all affected Windows 10, Windows 11, and Windows Server systems as documented in the Microsoft Security Update CVE-2026-35422 advisory.
- Inventory endpoints and servers against the affected CPE list and prioritize internet-facing and high-value hosts for patching first.
- Enforce least privilege on network-accessible accounts to reduce the population of users who satisfy the PR:L precondition.
Patch Information
Microsoft has released security updates for all affected versions through the standard Windows Update and WSUS channels. Patch identifiers and download links are provided per product build in the Microsoft Security Update CVE-2026-35422 advisory. Apply the cumulative update that corresponds to each host's Windows build.
Workarounds
- Restrict TCP/IP exposure by segmenting management interfaces and blocking untrusted networks at the perimeter and host firewall.
- Require strong authentication (for example, multifactor authentication and conditional access) for all accounts capable of establishing network sessions to Windows hosts.
- Where patching is delayed, increase monitoring on affected hosts and limit which authenticated users can reach the vulnerable services.
# Configuration example: verify the relevant cumulative update is installed
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
# Confirm Windows Firewall is enabled on all profiles to limit alternate-path exposure
Get-NetFirewallProfile | Select-Object Name, Enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
