CVE-2026-35423 Overview
CVE-2026-35423 is an out-of-bounds read vulnerability [CWE-125] in the Microsoft Windows Telnet Client. An unauthorized attacker can leverage the flaw to disclose information over a network when a user is tricked into connecting to a malicious Telnet server. The vulnerability affects a broad range of supported Windows desktop and server editions, including Windows 10, Windows 11, and Windows Server 2012 through Windows Server 2025. Microsoft published the advisory on May 12, 2026 and updated the entry on May 14, 2026.
Critical Impact
A remote attacker controlling a malicious Telnet endpoint can read out-of-bounds memory from the client process, exposing potentially sensitive in-memory data and impacting confidentiality and availability.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) on x86, x64, and ARM64
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) on x64 and ARM64
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-05-12 - CVE-2026-35423 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-35423
Vulnerability Analysis
The flaw resides in the Windows Telnet Client, the legacy telnet.exe utility used to establish interactive sessions with remote Telnet servers. The component performs an out-of-bounds read while parsing data received from a remote server. When the client reads beyond the bounds of an allocated buffer, the process can return adjacent memory contents to attacker-controlled code paths or terminate unexpectedly.
Exploitation requires user interaction. A victim must initiate a Telnet session to a host controlled by the attacker, who then returns crafted protocol data designed to trigger the read primitive. Successful exploitation impacts confidentiality through information disclosure and availability through possible client crashes. Integrity is not affected.
Root Cause
The vulnerability is classified as CWE-125: Out-of-bounds Read. The Telnet Client fails to correctly validate the length or offset of fields in server-supplied protocol data before reading from a buffer. This results in the process accessing memory outside the bounds of the intended structure.
Attack Vector
The attack vector is network-based but requires user interaction. The attacker stands up a malicious Telnet listener and lures a user to connect, typically through phishing, a malicious link using the telnet:// URI handler, or a compromised internal service. Once the session is established, the server sends malformed option negotiation or response data that triggers the out-of-bounds read in the client.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Microsoft Security Update Guide for vendor-supplied technical details.
// No verified proof-of-concept code is available for CVE-2026-35423.
// Refer to the Microsoft Security Update Guide for additional technical details.
Detection Methods for CVE-2026-35423
Indicators of Compromise
- Outbound TCP connections from workstations to TCP port 23 (Telnet), particularly to external or untrusted IP addresses
- telnet.exe process launches initiated from user sessions, browsers, or document handlers via the telnet:// URI scheme
- Unexpected crashes or Windows Error Reporting (WER) entries associated with telnet.exe
Detection Strategies
- Hunt for execution of telnet.exe across managed endpoints and correlate with the destination address and parent process to identify suspicious invocations
- Monitor for telnet:// URI handler activity launched from email clients, browsers, or Office applications, which is a common social-engineering delivery vector
- Alert on application error events (Event ID 1000) where the faulting module belongs to the Telnet Client binary
Monitoring Recommendations
- Log and review egress traffic to TCP/23 at network boundary devices and flag connections to addresses outside an approved allowlist
- Centralize endpoint process and network telemetry to support cross-host correlation when investigating phishing-driven Telnet sessions
- Track patch deployment status for the affected Windows builds and flag endpoints that remain unpatched after the May 2026 update cycle
How to Mitigate CVE-2026-35423
Immediate Actions Required
- Apply the May 2026 Microsoft security updates to all affected Windows 10, Windows 11, and Windows Server systems referenced in the advisory
- Disable the Windows Telnet Client feature on systems that do not have a documented business need for outbound Telnet
- Block outbound TCP/23 at perimeter and internal segmentation firewalls except for explicitly authorized destinations
Patch Information
Microsoft has released security updates addressing CVE-2026-35423. Refer to the Microsoft Security Update Guide for CVE-2026-35423 for the specific knowledge base articles and cumulative updates aligned to each supported Windows version.
Workarounds
- Remove the Telnet Client optional feature using Disable-WindowsOptionalFeature or the Server Manager removal workflow on systems where it is not required
- Restrict the telnet:// URI handler through application control policies to prevent browsers and mail clients from launching telnet.exe
- Replace any remaining operational use of Telnet with SSH to eliminate exposure to malicious Telnet servers
# Disable the Windows Telnet Client feature (run as Administrator)
Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient
# Verify the feature is no longer enabled
Get-WindowsOptionalFeature -Online -FeatureName TelnetClient
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
