CVE-2026-35424 Overview
CVE-2026-35424 is a memory leak vulnerability in the Windows Internet Key Exchange (IKE) Protocol implementation. The flaw stems from missing release of memory after its effective lifetime [CWE-401], allowing an unauthenticated remote attacker to exhaust system memory by sending crafted IKE traffic. Successful exploitation results in denial of service on affected Windows clients and servers. The vulnerability affects a broad range of supported Windows 10, Windows 11, and Windows Server releases. Microsoft published the advisory on May 12, 2026.
Critical Impact
An unauthenticated attacker can remotely trigger a memory leak in the IKE protocol stack, causing service degradation or full denial of service across affected Windows systems.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1)
- Microsoft Windows Server 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-05-12 - CVE-2026-35424 published to NVD
- 2026-05-12 - Microsoft releases security update for CVE-2026-35424
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-35424
Vulnerability Analysis
The Internet Key Exchange (IKE) protocol negotiates security associations for IPsec and runs over UDP ports 500 and 4500 on Windows. The implementation fails to release memory allocated during the processing of certain IKE messages once those allocations are no longer needed. Each malformed or specifically crafted IKE packet leaks a small region of kernel or service memory.
When attackers repeat the request at scale, the leaked memory accumulates until the system becomes unresponsive. The vulnerability requires no authentication, no user interaction, and can be triggered across the network, making it suitable for remote denial of service against VPN concentrators, domain-joined servers, and any host exposing IKE.
Root Cause
The defect is classified as [CWE-401] Missing Release of Memory after Effective Lifetime. A code path in the IKE protocol handler allocates buffers or context structures during message parsing but lacks a matching free operation on specific error or state-transition paths. Each unhandled flow contributes incrementally to memory exhaustion.
Attack Vector
The attack is delivered over the network. An attacker reachable on UDP/500 or UDP/4500 sends a stream of crafted IKE packets that exercise the leaking code path. No credentials or prior session state are required. Hosts that expose IKE to untrusted networks, including Always On VPN gateways and RAS servers, are at greatest risk. No public proof-of-concept or in-the-wild exploitation has been reported, and the EPSS data indicates a low near-term exploitation probability.
No verified exploit code is publicly available for CVE-2026-35424. See the Microsoft Security Update CVE-2026-35424 advisory for vendor technical details.
Detection Methods for CVE-2026-35424
Indicators of Compromise
- Sustained inbound UDP traffic to ports 500 and 4500 from a small number of external sources at abnormal volumes.
- Steadily increasing non-paged pool or working set size on the IKEEXT service host (the svchost.exe instance hosting the IKEEXT service) without a corresponding workload change.
- Repeated IKE negotiation failures recorded in the IKE/AuthIP operational event logs.
Detection Strategies
- Monitor the IKEEXT service memory footprint over time and alert on monotonic growth that does not plateau.
- Correlate firewall logs for high-rate UDP/500 and UDP/4500 traffic from single sources against IKE error event IDs in Microsoft-Windows-IKEEXT/Operational.
- Hunt for repeated Main Mode or Quick Mode negotiation failures preceding service crashes or host unresponsiveness.
Monitoring Recommendations
- Enable IPsec and IKE auditing through Windows Filtering Platform (WFP) and forward logs to a central analytics platform.
- Track per-process memory counters for the IKEEXT service host and trigger alerts on threshold breaches.
- Capture NetFlow or packet samples on perimeter devices terminating IKE traffic to identify rate anomalies.
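The following PowerShell script is an added example, not part of the advisory or of any Microsoft tooling: it implements the memory-growth check described under Detection Strategies and Monitoring Recommendations by sampling the IKEEXT service host's working set and non-paged pool and flagging growth that never plateaus. The sample count, interval and 1 MB growth threshold are assumed values to tune per host.

```powershell
# Added example (not from the advisory): sample the memory footprint of the
# svchost.exe instance hosting IKEEXT and flag monotonic growth. Sample count,
# interval and growth threshold are assumptions to tune per host.
param(
    [int]$Samples = 6,
    [int]$IntervalSeconds = 60,
    [long]$MinGrowthKB = 1024
)

# Resolve the PID of the shared service host running IKEEXT.
$svc = Get-CimInstance Win32_Service -Filter "Name='IKEEXT'"
if (-not $svc -or $svc.ProcessId -eq 0) {
    Write-Warning "IKEEXT is not running; nothing to monitor."
    return
}
$ikePid = [int]$svc.ProcessId

function Test-Monotonic([long[]]$Series) {
    # True only if every sample is strictly larger than the previous one;
    # a footprint that plateaus is normal negotiation churn, not a leak.
    for ($j = 1; $j -lt $Series.Count; $j++) {
        if ($Series[$j] -le $Series[$j - 1]) { return $false }
    }
    return $true
}

$workingSet = @(); $nonPaged = @()
for ($i = 0; $i -lt $Samples; $i++) {
    $p = Get-Process -Id $ikePid -ErrorAction Stop
    $workingSet += $p.WorkingSet64
    $nonPaged   += $p.NonpagedSystemMemorySize64
    "{0:u}  PID {1}  WorkingSet {2,10:N0} KB  NonPaged {3,8:N0} KB" -f (Get-Date), $ikePid,
        ($p.WorkingSet64 / 1KB), ($p.NonpagedSystemMemorySize64 / 1KB)
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

$growthKB = ($workingSet[-1] - $workingSet[0]) / 1KB
if (((Test-Monotonic $workingSet) -or (Test-Monotonic $nonPaged)) -and $growthKB -ge $MinGrowthKB) {
    $msg = "IKEEXT host memory grew monotonically over $Samples samples (+{0:N0} KB); correlate with inbound UDP/500 and UDP/4500 volume." -f $growthKB
    Write-Warning $msg
    # Second signal: error-level events in the IKEEXT operational log over the same window
    # (no specific event IDs are assumed; Level 2 is the generic Error level).
    $since  = (Get-Date).AddSeconds(-($Samples * $IntervalSeconds))
    $errors = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-IKEEXT/Operational'; Level = 2; StartTime = $since
    } -ErrorAction SilentlyContinue)
    Write-Warning ("{0} error-level IKEEXT events since {1:u}" -f $errors.Count, $since)
}
```

Run it in an elevated session on the host terminating IKE; an alert here is a trigger to check perimeter flow counts for UDP/500 and UDP/4500, not proof of exploitation on its own.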
How to Mitigate CVE-2026-35424
Immediate Actions Required
- Apply the May 2026 Microsoft security update referenced in the Microsoft Security Update CVE-2026-35424 advisory to all affected Windows 10, Windows 11, and Windows Server systems.
- Inventory all hosts exposing UDP/500 and UDP/4500 to untrusted networks and prioritize them for patching.
- Validate that VPN gateways and domain controllers are included in the patch wave.
Patch Information
Microsoft released a security update for CVE-2026-35424 on May 12, 2026. The fix corrects the IKE protocol handler so that memory allocated during message processing is released on all execution paths. Refer to the Microsoft Security Update CVE-2026-35424 advisory for the build numbers and KB articles that apply to each affected SKU.
Workarounds
- Restrict inbound UDP/500 and UDP/4500 at the network perimeter to known VPN peer addresses where IKE is not required from arbitrary sources.
- Disable the IKE and AuthIP IPsec Keying Modules (IKEEXT) service on hosts that do not require IPsec, after confirming that no workloads depend on it.
- Apply rate limiting to IKE traffic on edge firewalls to slow memory consumption while patches are deployed.
# Example: block inbound IKE traffic except from a trusted peer using Windows Firewall.
# Windows Firewall evaluates explicit Block rules ahead of Allow rules, so a Block rule
# scoped to "Any" would also drop the trusted peer. Scope the Block rule to unicast
# address ranges that exclude the peer instead. 203.0.113.10 is a placeholder address;
# add matching IPv6 rules if IKE peers reach the host over IPv6.
New-NetFirewallRule -DisplayName "Block IKE except trusted peer" `
    -Direction Inbound -Protocol UDP -LocalPort 500,4500 `
    -RemoteAddress "1.0.0.0-203.0.113.9","203.0.113.11-223.255.255.255" -Action Block
New-NetFirewallRule -DisplayName "Allow IKE from trusted peer" `
    -Direction Inbound -Protocol UDP -LocalPort 500,4500 `
    -RemoteAddress 203.0.113.10 -Action Allow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.