ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-32161 — Windows Native WiFi Miniport Driver Race Condition Enables Adjacent Network RCE

A brief summary of CVE-2026-32161, a race condition and use after free vulnerability in the Windows Native WiFi Miniport Driver that allows unauthenticated remote code execution from an adjacent network. Includes patch details and affected version information.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Quick Look: CVE-2026-32161 — Windows Native WiFi Miniport Driver Race Condition Enables Adjacent Network RCE
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A race condition in the Windows Native WiFi Miniport Driver, patched in Microsoft's May 2026 Patch Tuesday, allows an unauthenticated attacker on an adjacent network to achieve remote code execution in kernel context. With Windows 11 and Windows 10 collectively accounting for nearly 99 percent of the desktop OS market, any device that connects to a shared or untrusted wireless network is a potential target for this flaw.

Technical Information

The vulnerability resides in nwifi.sys, the kernel mode Windows Native WiFi Miniport Driver. This component is part of the Native WiFi stack, which consists of drivers and wireless APIs that interact with wireless miniports and the supporting user mode Wlansvc service. Two weaknesses combine to create the exploitable condition:

CWE-362 (Race Condition): Concurrent execution using a shared resource with improper synchronization. Within the driver, multiple threads can access the same memory object without adequate locking or synchronization primitives.

CWE-416 (Use After Free): One thread frees a memory object while another thread still holds a reference to it and continues to use it. This leaves a dangling pointer that, if dereferenced, can lead to arbitrary code execution.

This is a classic TOCTOU (Time of Check to Time of Use) scenario in driver code. A concurrent code path within the driver was accessing a memory object that could be freed by another thread. An attacker who can influence the timing of these operations and control the contents of the freed memory region can redirect execution flow.

CVSS Vector Breakdown

The full CVSS 3.1 vector is AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 7.5 (High).

Adjacent Network (AV:A): The attacker must be on the same network segment as the target. This cannot be performed across routed boundaries; the attacker must share the same network switch or virtual network. Shared WiFi environments (corporate offices, hotels, airports, conferences) represent the primary attack surface.

High Attack Complexity (AC:H): Exploitation requires winning a race condition. The specific timing conditions and network configurations needed are not fully within the attacker's control, making reliable exploitation across diverse environments difficult.

No Privileges Required (PR:N) and No User Interaction (UI:N): The attacker does not need any credentials on the target system, and no action from the victim is required.

Full CIA Impact (C:H/I:H/A:H): A successful exploit yields complete compromise of confidentiality, integrity, and availability, consistent with kernel level code execution.

Attack Flow

Based on the vulnerability characteristics, an attacker would need to:

  1. Position themselves on the same network segment as the target (e.g., join the same WiFi network).
  2. Send specially crafted wireless frames or network traffic that triggers the vulnerable code path in the WiFi miniport driver.
  3. Race the timing of concurrent operations within the driver to cause the use after free condition, where one thread frees a memory object while another thread still references it.
  4. Control the contents of the freed memory (e.g., through heap spraying or similar techniques) so that when the dangling pointer is dereferenced, execution is redirected to attacker controlled code.
  5. Achieve arbitrary code execution in kernel context on the target system.

The high attack complexity rating reflects the difficulty of step 3: reliably winning the race across different hardware configurations, driver versions, and system loads.

Patch Information

Microsoft released an official fix for CVE-2026-32161 as part of the May 12, 2026 Patch Tuesday cumulative security updates. The remediation level is classified as "Official Fix," meaning a complete vendor solution is available.

Because nwifi.sys is a closed source kernel mode driver, no source level diff is publicly available. However, the nature of the fix can be inferred from the listed weaknesses: the patch corrects improper synchronization around shared resources within the WiFi miniport driver. The update adds proper locking or reference counting to ensure the memory object remains valid throughout its use, eliminating the dangling pointer that an adjacent network attacker could race to exploit.

The fix spans a wide range of Windows versions. Below are the key Knowledge Base articles and their corresponding patched build numbers:

Product FamilyKB ArticlePatched Build
Windows 11 26H1 (x64 / ARM64)KB508954810.0.28000.2113
Windows 11 25H2 / 24H2 (x64 / ARM64)KB5089549 (+ Hotpatch KB5089466)10.0.26100.8457 / 10.0.26200.8457
Windows 11 23H2 (x64 / ARM64)KB508742010.0.22631.7079
Windows 10 22H2 / 21H2 (32 bit / x64 / ARM64)KB508754410.0.19045.7291 / 10.0.19044.7291
Windows 10 1809 (32 bit / x64)KB508753810.0.17763.8755
Windows 10 1607 (32 bit / x64)KB508753710.0.14393.9140
Windows Server 2025 (incl. Server Core)KB5087539 (+ Hotpatch KB5087423)10.0.26100.32860
Windows Server 2022 (incl. Server Core)KB508754510.0.20348.5139
Windows Server 2022 23H2 (Server Core)KB508754110.0.25398.2330
Windows Server 2019 (incl. Server Core)KB508753810.0.17763.8755
Windows Server 2016 (incl. Server Core)KB508753710.0.14393.9140
Windows Server 2012 R2 (incl. Server Core)KB50874716.3.9600.23181
Windows Server 2012 (incl. Server Core)KB50874706.2.9200.26079

All updates are rated Critical and marked as "Customer Action Required." For Windows 11 24H2/25H2 and Windows Server 2025, Microsoft also provides a Security Hotpatch option (KB5089466 and KB5087423 respectively), which allows patching without a full reboot. This is a significant advantage for server environments that need to minimize downtime.

To verify that your systems are patched, compare the OS build number (accessible via winver or systeminfo) against the patched build numbers listed above. Updates are available through Windows Update, WSUS, and the Microsoft Update Catalog.

Network Level Mitigations

For organizations that cannot patch immediately, Cisco Talos has released Snort rules to detect exploitation attempts:

  • Snort 2 SIDs: 1:66438 through 1:66445, 1:66451 through 1:66460, 1:66470 through 1:66476
  • Snort 3 SIDs: 1:301494 through 1:301497, 1:301500 through 1:301506, 1:66472 through 1:66473, 1:66476

Administrators should update their Cisco Security Firewall rulesets and open source Snort Subscriber Rulesets to the latest versions.

Affected Systems and Versions

The vulnerability affects the Windows Native WiFi Miniport Driver (nwifi.sys) across a broad range of Windows client and server versions:

Windows Client:

  • Windows 11 26H1 (x64, ARM64)
  • Windows 11 25H2 (x64, ARM64)
  • Windows 11 24H2 (x64, ARM64)
  • Windows 11 23H2 (x64, ARM64)
  • Windows 10 22H2 (32 bit, x64, ARM64)
  • Windows 10 21H2 (32 bit, x64, ARM64)
  • Windows 10 1809 (32 bit, x64)
  • Windows 10 1607 (32 bit, x64)

Windows Server:

  • Windows Server 2025 (including Server Core)
  • Windows Server 2022 23H2 (Server Core)
  • Windows Server 2022 (including Server Core)
  • Windows Server 2019 (including Server Core)
  • Windows Server 2016 (including Server Core)
  • Windows Server 2012 R2 (including Server Core)
  • Windows Server 2012 (including Server Core)

Any unpatched Windows device with a WiFi adapter that connects to shared, public, or untrusted wireless networks is potentially exposed to adjacent network attackers.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization