CRITICAL | CVE-2026-45657 | CNA: microsoft

CVE-2026-45657: Windows Kernel Remote Code Execution Vulnerability

Use after free in Windows Kernel allows an unauthorized attacker to execute code over a network.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 10.0.20348.5256
  • Affected Products: 8


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Windows Kernel allows an unauthenticated remote attacker to execute arbitrary code on affected systems. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is reachable over the network, requires neither credentials nor user interaction, and succeeds reliably without special conditions. Successful exploitation gives the attacker full control over the affected system, including read and write access to kernel memory and the ability to disrupt service availability. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows builds.

HarborGuard Coverage

Detection

Detection for CVE-2026-45657 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Windows-based container images. Any image running an affected Windows build version falls within the scope of this detection capability.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 9.8 Critical and weighting it against each customer organization's compliance policy to determine urgency and routing. Triage results are routed to the appropriate team inbox within the customer org based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at the applicable fix versions (10.0.20348.5256, 10.0.22631.7219, 10.0.26100.8655, 10.0.26100.32995, or 10.0.26200.8655 depending on the affected product) becomes available on HarborGuard for environments running an affected build. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the affected service over a standard network connection; no local or physical access is required.

  • Authentication: Not required

    No credentials or account of any kind are needed; the vulnerability is exploitable by an anonymous attacker.

  • Victim interaction: Not required

    No user action is required; exploitation occurs without any interaction from a logged-in user or administrator.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • A successful attacker executes arbitrary code at kernel privilege level, gaining complete control over the operating system.
  • The attacker reads any data accessible to the kernel, including secrets, credentials, and memory belonging to other processes.
  • The attacker modifies kernel data structures, persisted files, and any resource the operating system can write.
  • The attacker crashes or destabilizes the kernel, causing a full system outage for all workloads running on the host.

How HarborGuard Handles This

Available on HarborGuard: detection for this Critical-severity CVE is matched against customer images within minutes of publication, covering both Microsoft-supplied base images and custom images built on top of affected Windows builds. For environments running Windows Server 2022, Windows Server 2025, Windows 11 23H2, 24H2, or 25H2 at an affected build number, a patched-image rebuild at the corresponding fix version is available. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the configured team inbox with full CVSS context so engineers can act manually. HarborGuard continues to re-check the advisory on each ingest cycle to catch any additional fix versions Microsoft publishes for remaining affected products.


Fix available

  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
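
The ranges above share one build branch between two products: Windows 11 Version 24H2 and Windows Server 2025 both start at 10.0.26100.0 but have different fix revisions, so a build has to be checked against the range for its own product and compared numerically. The following is an added example, not HarborGuard's or Microsoft's code; the function names and status strings are illustrative assumptions, and the table is copied from the list above.

```python
import re

# (first affected build, first fixed build) per product, from the list above.
AFFECTED = {
    "Windows 11 Version 23H2": ("10.0.22631.0", "10.0.22631.7219"),
    "Windows 11 Version 24H2": ("10.0.26100.0", "10.0.26100.8655"),
    "Windows 11 Version 25H2": ("10.0.26200.0", "10.0.26200.8655"),
    "Windows 11 version 26H1": ("10.0.28000.0", "10.0.28000.2269"),
    "Windows Server 2022": ("10.0.20348.0", "10.0.20348.5256"),
    "Windows Server 2025": ("10.0.26100.0", "10.0.26100.32995"),
    "Windows Server 2025 (Server Core installation)":
        ("10.0.26100.0", "10.0.26100.32995"),
}
_BY_NAME = {name.casefold(): rng for name, rng in AFFECTED.items()}


def parse_build(text):
    """Turn 'major.minor.build.revision' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text, re.ASCII):
        raise ValueError(f"not a four-part Windows build: {text!r}")
    return tuple(int(part) for part in text.split("."))


def assess(product, build):
    """Classify one (product, build) pair against the advisory ranges."""
    rng = _BY_NAME.get(product.strip().casefold())
    if rng is None:
        return "unknown-product"
    first, fixed = parse_build(rng[0]), parse_build(rng[1])
    current = parse_build(build)
    if current[:3] != first[:3]:
        # The build belongs to another branch; the product label is wrong.
        return "branch-mismatch"
    # Tuple comparison is numeric: revision 8655 < 32995, unlike as strings.
    return "affected" if first <= current < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inventory, not real scan output.
    inventory = [
        ("Windows 11 Version 24H2", "10.0.26100.8655"),
        ("Windows Server 2025", "10.0.26100.8655"),
        ("Windows Server 2022", "10.0.20348.5255"),
    ]
    for product, build in inventory:
        print(f"{product:<24} {build:<18} {assess(product, build)}")
```

The second inventory row is the case to watch: a revision that is fixed for Windows 11 Version 24H2 is still below the Windows Server 2025 fix on the same branch.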

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C