CVE-2026-45657 Overview
CVE-2026-45657 is a use-after-free vulnerability in the Microsoft Windows Kernel. The flaw allows an unauthenticated attacker to execute arbitrary code over a network without user interaction. Microsoft has assigned this issue a CVSS v3.1 base score of 9.8 and classified it as critical.
The vulnerability is tracked under CWE-122 (Heap-based memory corruption pattern related to use-after-free conditions). It affects multiple supported releases of Windows 11 and Windows Server. Microsoft released a security update through the Microsoft Security Update Guide.
Critical Impact
Remote, unauthenticated code execution in the Windows Kernel allows attackers to fully compromise affected systems over the network without any user interaction.
Affected Products
- Microsoft Windows 11 (versions 23H2, 24H2, 25H2, 26H1) on x64 and ARM64
- Microsoft Windows Server 2022
- Microsoft Windows Server 2025 (x64)
Discovery Timeline
- 2026-06-09 - CVE-2026-45657 published to the National Vulnerability Database
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-45657
Vulnerability Analysis
The vulnerability resides in the Windows Kernel and stems from a use-after-free condition mapped to CWE-122. The kernel references a memory object after the allocation backing it has been released. An attacker who triggers the race or state-handling error can reclaim the freed memory with attacker-controlled data.
Because the flaw is reachable over the network and requires no privileges or user interaction, exploitation results in kernel-mode arbitrary code execution. Successful exploitation grants full confidentiality, integrity, and availability impact on the target host.
Root Cause
The root cause is improper object lifetime management inside the Windows Kernel. A kernel code path retains a pointer to an object after the object has been freed. Microsoft has not published the specific component or function involved beyond the advisory description. Refer to the Microsoft Security Update Guide for vendor details.
Attack Vector
The attack vector is network-based. An unauthenticated remote attacker sends crafted traffic to a vulnerable service handled by the kernel. The malicious sequence forces the kernel to dereference a stale pointer, which the attacker uses to redirect execution. No public proof-of-concept or exploit code is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability score is 0.137% as of 2026-06-11.
No verified exploit code is publicly available. Refer to the Microsoft Security Update Guide for vendor-supplied technical details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45657
Detection Methods for CVE-2026-45657
Indicators of Compromise
- Unexpected kernel-mode crashes, bug checks, or BSODs referencing pool corruption or invalid pointer dereference on affected Windows builds.
- Anomalous inbound network connections to kernel-handled services followed by process creation under the SYSTEM account or services.exe.
- New or unsigned drivers loaded shortly after suspicious inbound traffic.
- Outbound beaconing or lateral movement initiated by SYSTEM-level processes without a prior interactive session.
Detection Strategies
- Monitor Windows Event Logs for repeated Event ID 1001 (BugCheck) entries on hosts exposed to untrusted networks.
- Use network-based detection for unusual protocol payloads targeting SMB, RPC, and other kernel-serviced endpoints.
- Correlate kernel crashes with concurrent inbound network sessions using a SIEM or data lake platform.
- Hunt for post-exploitation behavior: privilege escalation, credential theft from LSASS, and persistence created by SYSTEM.
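The correlation strategy above (a kernel bug check shortly after an inbound session from an untrusted source on a kernel-serviced port) can be expressed as a small hunting rule. The following is an added example, not code from the original page or from Microsoft: it parses constructed, SIEM-style event lines carrying Event ID 1001 (BugCheck) and Event ID 5156 (Windows Filtering Platform permitted connection) and emits one alert per crash that follows an untrusted inbound session within a ten-minute window. The trusted address ranges, the host names and addresses, the pipe-delimited line layout, and the window length are all assumptions chosen for the example.

```python
# Added example (not from the original page): correlate Windows kernel bug
# checks (Event ID 1001) with inbound connections to kernel-serviced ports
# (WFP Event ID 5156) from untrusted sources inside a short time window.
# The log lines, field layout, host names and addresses below are constructed
# to resemble SIEM-normalised events; they are not real telemetry.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed trusted ranges; adjust to the environment being monitored.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Kernel-serviced ports named in the detection guidance (SMB, RPC endpoint mapper, RDP).
WATCHED_PORTS = {445, 135, 3389}
# How long before a crash an inbound session is still considered related (assumed).
WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse one constructed line: <ISO time>|<host>|<event id>|k=v;k=v..."""
    ts, host, event_id, rest = line.strip().split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, int(event_id), fields)


def is_untrusted(src: str) -> bool:
    """True when the source address falls outside every trusted range."""
    addr = ip_address(src)
    return not any(addr in net for net in TRUSTED_NETS)


def correlate(events, window=WINDOW):
    """Return one alert per (crash, preceding untrusted inbound session) pair on the same host."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        crashes = [e for e in evs if e.event_id == 1001]
        sessions = [e for e in evs if e.event_id == 5156 and e.fields.get("dir") == "Inbound"]
        for crash in crashes:
            for conn in sessions:
                if int(conn.fields.get("dport", 0)) not in WATCHED_PORTS:
                    continue
                if not (crash.ts - window <= conn.ts <= crash.ts):
                    continue
                if not is_untrusted(conn.fields["src"]):
                    continue
                alerts.append({
                    "host": host,
                    "crash_ts": crash.ts.isoformat(),
                    "bugcheck": crash.fields.get("bugcheck"),
                    "src": conn.fields["src"],
                    "dport": int(conn.fields["dport"]),
                    "lead_seconds": int((crash.ts - conn.ts).total_seconds()),
                })
    return alerts


# Constructed sample: one crash preceded by an untrusted SMB session (should
# alert), one preceded only by a trusted session, one with no inbound session.
SAMPLE_LOG = """
2026-06-11T02:14:05Z|srv-fs01|5156|dir=Inbound;src=203.0.113.45;dport=445
2026-06-11T02:15:30Z|srv-fs01|1001|bugcheck=0x0000000A
2026-06-11T03:00:00Z|srv-fs02|5156|dir=Inbound;src=10.1.2.3;dport=445
2026-06-11T03:02:00Z|srv-fs02|1001|bugcheck=0x00000050
2026-06-11T03:40:00Z|srv-fs02|5156|dir=Outbound;src=198.51.100.9;dport=445
2026-06-11T04:00:00Z|srv-app01|1001|bugcheck=0x000000D1
"""


def run_sample():
    """Parse the constructed sample and return the resulting alerts."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A crash on its own, or a crash preceded only by sessions from trusted ranges, is kept out of the alert list so the rule surfaces the pattern the page describes rather than every bug check on the fleet; lowering the severity for trusted sources instead of dropping them is a reasonable variation.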
Monitoring Recommendations
- Enable verbose kernel crash dump collection and forward dumps for analysis on internet-facing servers.
- Audit exposure of SMB, RDP, RPC, and other Windows network services to untrusted networks.
- Track patch compliance for Windows 11 23H2/24H2/25H2/26H1 and Windows Server 2022/2025 across the fleet.
How to Mitigate CVE-2026-45657
Immediate Actions Required
- Apply the Microsoft security update for CVE-2026-45657 to all affected Windows 11 and Windows Server hosts as a priority.
- Restrict exposure of Windows network services (SMB, RPC, RDP) at the perimeter and between trust zones until patches are deployed.
- Inventory all systems running the affected builds using configuration management or vulnerability scanning tools.
- Increase monitoring of kernel crash telemetry and anomalous SYSTEM-initiated activity during the patch window.
Patch Information
Microsoft has issued an official update for this vulnerability. Administrators should consult the Microsoft Security Update Guide entry for CVE-2026-45657 for the specific KB articles and cumulative updates applicable to each Windows version. Deploy through Windows Update, WSUS, Microsoft Intune, or Configuration Manager based on your environment.
Workarounds
- Block inbound traffic to Windows kernel-serviced ports from untrusted networks using host and perimeter firewalls.
- Segment Windows Server 2022 and Windows Server 2025 hosts handling untrusted traffic into restricted network zones.
- Disable unused network roles and services to reduce the kernel attack surface on each host.
- Enforce least-privilege network access policies and require VPN or Zero Trust gateways for remote administrative access.
# Example: restrict inbound SMB to trusted subnets on a Windows host.
# Windows Firewall evaluates Block rules before Allow rules, so an unscoped
# Block rule on port 445 would also override the scoped Allow rule below.
# Rely on the profile default (inbound Block) for everything else instead.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName "Restrict-SMB-Inbound" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 445 `
    -RemoteAddress 10.0.0.0/8 `
    -Action Allow
# Disable the built-in any-source SMB allow rules so the scoped rule is the only inbound path.
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object { $_.Direction -eq "Inbound" } |
    Disable-NetFirewallRule
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

