Introduction
A race condition in the Windows Native WiFi Miniport Driver, patched in Microsoft's May 2026 Patch Tuesday, allows an unauthenticated attacker on an adjacent network to achieve remote code execution in kernel context. With Windows 11 and Windows 10 collectively accounting for nearly 99 percent of the desktop OS market, any device that connects to a shared or untrusted wireless network is a potential target for this flaw.
Technical Information
The vulnerability resides in nwifi.sys, the kernel mode Windows Native WiFi Miniport Driver. This component is part of the Native WiFi stack, which consists of drivers and wireless APIs that interact with wireless miniports and the supporting user mode Wlansvc service. Two weaknesses combine to create the exploitable condition:
CWE-362 (Race Condition): Concurrent execution using a shared resource with improper synchronization. Within the driver, multiple threads can access the same memory object without adequate locking or synchronization primitives.
CWE-416 (Use After Free): One thread frees a memory object while another thread still holds a reference to it and continues to use it. This leaves a dangling pointer that, if dereferenced, can lead to arbitrary code execution.
This is a classic TOCTOU (Time of Check to Time of Use) scenario in driver code. A concurrent code path within the driver was accessing a memory object that could be freed by another thread. An attacker who can influence the timing of these operations and control the contents of the freed memory region can redirect execution flow.
CVSS Vector Breakdown
The full CVSS 3.1 vector is AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 7.5 (High).
Adjacent Network (AV:A): The attacker must be on the same network segment as the target. This cannot be performed across routed boundaries; the attacker must share the same network switch or virtual network. Shared WiFi environments (corporate offices, hotels, airports, conferences) represent the primary attack surface.
High Attack Complexity (AC:H): Exploitation requires winning a race condition. The specific timing conditions and network configurations needed are not fully within the attacker's control, making reliable exploitation across diverse environments difficult.
No Privileges Required (PR:N) and No User Interaction (UI:N): The attacker does not need any credentials on the target system, and no action from the victim is required.
Full CIA Impact (C:H/I:H/A:H): A successful exploit yields complete compromise of confidentiality, integrity, and availability, consistent with kernel level code execution.
Attack Flow
Based on the vulnerability characteristics, an attacker would need to:
- Position themselves on the same network segment as the target (e.g., join the same WiFi network).
- Send specially crafted wireless frames or network traffic that triggers the vulnerable code path in the WiFi miniport driver.
- Race the timing of concurrent operations within the driver to cause the use after free condition, where one thread frees a memory object while another thread still references it.
- Control the contents of the freed memory (e.g., through heap spraying or similar techniques) so that when the dangling pointer is dereferenced, execution is redirected to attacker controlled code.
- Achieve arbitrary code execution in kernel context on the target system.
The high attack complexity rating reflects the difficulty of step 3: reliably winning the race across different hardware configurations, driver versions, and system loads.
Patch Information
Microsoft released an official fix for CVE-2026-32161 as part of the May 12, 2026 Patch Tuesday cumulative security updates. The remediation level is classified as "Official Fix," meaning a complete vendor solution is available.
Because nwifi.sys is a closed source kernel mode driver, no source level diff is publicly available. However, the nature of the fix can be inferred from the listed weaknesses: the patch corrects improper synchronization around shared resources within the WiFi miniport driver. The update adds proper locking or reference counting to ensure the memory object remains valid throughout its use, eliminating the dangling pointer that an adjacent network attacker could race to exploit.
The fix spans a wide range of Windows versions. Below are the key Knowledge Base articles and their corresponding patched build numbers:
| Product Family | KB Article | Patched Build |
|---|---|---|
| Windows 11 26H1 (x64 / ARM64) | KB5089548 | 10.0.28000.2113 |
| Windows 11 25H2 / 24H2 (x64 / ARM64) | KB5089549 (+ Hotpatch KB5089466) | 10.0.26100.8457 / 10.0.26200.8457 |
| Windows 11 23H2 (x64 / ARM64) | KB5087420 | 10.0.22631.7079 |
| Windows 10 22H2 / 21H2 (32 bit / x64 / ARM64) | KB5087544 | 10.0.19045.7291 / 10.0.19044.7291 |
| Windows 10 1809 (32 bit / x64) | KB5087538 | 10.0.17763.8755 |
| Windows 10 1607 (32 bit / x64) | KB5087537 | 10.0.14393.9140 |
| Windows Server 2025 (incl. Server Core) | KB5087539 (+ Hotpatch KB5087423) | 10.0.26100.32860 |
| Windows Server 2022 (incl. Server Core) | KB5087545 | 10.0.20348.5139 |
| Windows Server 2022 23H2 (Server Core) | KB5087541 | 10.0.25398.2330 |
| Windows Server 2019 (incl. Server Core) | KB5087538 | 10.0.17763.8755 |
| Windows Server 2016 (incl. Server Core) | KB5087537 | 10.0.14393.9140 |
| Windows Server 2012 R2 (incl. Server Core) | KB5087471 | 6.3.9600.23181 |
| Windows Server 2012 (incl. Server Core) | KB5087470 | 6.2.9200.26079 |
All updates are rated Critical and marked as "Customer Action Required." For Windows 11 24H2/25H2 and Windows Server 2025, Microsoft also provides a Security Hotpatch option (KB5089466 and KB5087423 respectively), which allows patching without a full reboot. This is a significant advantage for server environments that need to minimize downtime.
To verify that your systems are patched, compare the OS build number (accessible via winver or systeminfo) against the patched build numbers listed above. Updates are available through Windows Update, WSUS, and the Microsoft Update Catalog.
Network Level Mitigations
For organizations that cannot patch immediately, Cisco Talos has released Snort rules to detect exploitation attempts:
- Snort 2 SIDs: 1:66438 through 1:66445, 1:66451 through 1:66460, 1:66470 through 1:66476
- Snort 3 SIDs: 1:301494 through 1:301497, 1:301500 through 1:301506, 1:66472 through 1:66473, 1:66476
Administrators should update their Cisco Security Firewall rulesets and open source Snort Subscriber Rulesets to the latest versions.
Affected Systems and Versions
The vulnerability affects the Windows Native WiFi Miniport Driver (nwifi.sys) across a broad range of Windows client and server versions:
Windows Client:
- Windows 11 26H1 (x64, ARM64)
- Windows 11 25H2 (x64, ARM64)
- Windows 11 24H2 (x64, ARM64)
- Windows 11 23H2 (x64, ARM64)
- Windows 10 22H2 (32 bit, x64, ARM64)
- Windows 10 21H2 (32 bit, x64, ARM64)
- Windows 10 1809 (32 bit, x64)
- Windows 10 1607 (32 bit, x64)
Windows Server:
- Windows Server 2025 (including Server Core)
- Windows Server 2022 23H2 (Server Core)
- Windows Server 2022 (including Server Core)
- Windows Server 2019 (including Server Core)
- Windows Server 2016 (including Server Core)
- Windows Server 2012 R2 (including Server Core)
- Windows Server 2012 (including Server Core)
Any unpatched Windows device with a WiFi adapter that connects to shared, public, or untrusted wireless networks is potentially exposed to adjacent network attackers.
References
- NVD Entry for CVE-2026-32161
- Microsoft Security Update Guide: CVE-2026-32161
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Cisco Talos: Microsoft Patch Tuesday for May 2026
- Tenable: May 2026 Microsoft Patch Tuesday
- Microsoft Learn: Wireless network connectivity issues troubleshooting
- StatCounter: Windows Version Market Share Worldwide
- Microsoft Update Catalog



