CVE-2026-42904 Overview
CVE-2026-42904 is a heap-based buffer overflow [CWE-122] in the Windows TCP/IP networking stack. An unauthenticated attacker on an adjacent network can send crafted network traffic to corrupt heap memory in a privileged kernel component. Successful exploitation results in privilege escalation with a scope change, allowing the attacker to impact resources beyond the originally vulnerable component.
The flaw affects multiple supported releases of Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025. Microsoft published the advisory on 2026-06-09 through the Microsoft Security Update Guide.
Critical Impact
Adjacent-network attackers can corrupt kernel heap memory in the Windows TCP/IP stack and elevate privileges without authentication or user interaction.
Affected Products
- Microsoft Windows 10 21H2 and 22H2 (x86, x64, ARM64)
- Microsoft Windows 11 23H2, 24H2, 25H2, and 26H1 (x64, ARM64)
- Microsoft Windows Server 2022 and Windows Server 2025
Discovery Timeline
- 2026-06-09 - CVE-2026-42904 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-42904
Vulnerability Analysis
The vulnerability resides in the Windows TCP/IP stack, which processes IPv4 and IPv6 packets in kernel mode. A heap-based buffer overflow occurs when the stack allocates a kernel heap buffer that is smaller than the data subsequently written into it. The mismatch allows an attacker to overwrite adjacent heap metadata or pointers controlled by the kernel.
Because the vulnerable code path executes in kernel context, corruption of heap structures can be steered into arbitrary write or control-flow hijack primitives. The advisory indicates a scope change, meaning successful exploitation impacts components outside the immediate vulnerable process boundary.
Root Cause
The root cause is improper validation of length fields or option data while parsing network packets in the TCP/IP driver tcpip.sys. Insufficient bounds checking before a memory copy into a fixed-size heap allocation produces the overflow condition classified as [CWE-122].
Attack Vector
Exploitation requires an adjacent network position, such as the same Ethernet broadcast domain, Wi-Fi segment, or virtual subnet. No authentication or user interaction is required. An attacker transmits malformed packets directly to the target, where the TCP/IP stack processes them automatically.
No public proof-of-concept code or exploitation in the wild has been reported. Refer to the Microsoft Security Update Guide for vendor technical detail.
Detection Methods for CVE-2026-42904
Indicators of Compromise
- Unexpected tcpip.sys bug checks (BSOD) or kernel pool corruption events on hosts exposed to untrusted L2 segments.
- Anomalous bursts of malformed IPv4 or IPv6 packets, particularly with crafted IP options or fragmented headers, originating from adjacent hosts.
- New kernel-mode threads or service accounts gaining SYSTEM privileges shortly after suspicious network traffic.
Detection Strategies
- Hunt for Windows Error Reporting entries referencing crashes in tcpip.sys or NETIO.SYS across recently patched and unpatched endpoints.
- Inspect IDS/IPS signatures for malformed IPv6 extension headers, oversized TCP options, and abnormal fragmentation patterns on internal segments.
- Correlate kernel crash telemetry with subsequent process creation events spawned under NT AUTHORITY\SYSTEM to identify post-exploitation activity.
Monitoring Recommendations
- Forward Windows kernel and Microsoft-Windows-TCPIP operational logs to a centralized analytics platform for correlation.
- Baseline normal broadcast and multicast traffic on each VLAN and alert on deviation, especially from unmanaged endpoints.
- Monitor for newly introduced devices on segments containing servers or domain controllers running affected Windows builds.
How to Mitigate CVE-2026-42904
Immediate Actions Required
- Apply the June 2026 Microsoft security updates to all affected Windows 10, Windows 11, and Windows Server systems without delay.
- Prioritize patching of domain controllers, jump hosts, and any server with multiple network interfaces or exposure to untrusted L2 segments.
- Inventory ARM64, x64, and x86 variants of Windows 10 21H2/22H2 and Windows 11 23H2/24H2/25H2/26H1 to ensure complete coverage.
Patch Information
Microsoft has released cumulative updates that address CVE-2026-42904. Download details, KB article numbers, and per-product update packages are listed in the Microsoft Security Update Guide for CVE-2026-42904.
Workarounds
- Segment networks so that critical Windows hosts do not share an L2 broadcast domain with untrusted user or guest devices.
- Enforce 802.1X authentication and disable unused switch ports to limit adjacent-network access required for exploitation.
- Where IPv6 is not in use, disable it on affected interfaces to reduce the parsing surface in tcpip.sys.
- Apply host firewall rules to block unsolicited inbound traffic on management and server VLANs until patches are deployed.
# Example: disable IPv6 on a Windows interface and verify update installation
Set-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6 -Enabled $false
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
