Introduction
A heap-based buffer overflow in the Windows TCP/IP kernel driver now gives any local user with low privileges a path to full kernel control. Tracked as CVE-2026-33837 and patched in Microsoft's May 2026 Patch Tuesday cycle, this flaw in tcpip.sys affects a broad range of Windows client and server operating systems, making it relevant to virtually every enterprise environment running Windows.
Technical Information
Root Cause
The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and resides in tcpip.sys, the kernel-mode driver that implements the TCP/IP networking stack in Windows. The flaw is triggered when a locally running process interacts with the driver in a way that causes a write beyond the bounds of a heap-allocated buffer in kernel memory. Because tcpip.sys operates at ring 0, corrupting heap memory within this driver can allow an attacker to overwrite adjacent kernel data structures and ultimately hijack execution flow to achieve kernel-level privilege escalation.
CVSS Breakdown
Microsoft assigned a CVSS 3.1 base score of 7.8 with the following vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Key characteristics:
- Attack Vector: Local. The attacker must have local access to the target machine.
- Attack Complexity: Low. No special conditions or race windows are required.
- Privileges Required: Low. A standard, unprivileged user account is sufficient.
- User Interaction: None. No action from another user is needed.
- Impact: High across Confidentiality, Integrity, and Availability.
- Scope: Unchanged. The privilege escalation occurs within the same security authority (the Windows kernel).
The temporal score is 6.8, reflecting the "Unproven" exploit code maturity at the time of publication and the availability of an official fix.
Attack Flow
- The attacker obtains local access to a Windows system and can execute code as a low-privileged user.
- The attacker runs a specially crafted application that sends specific input to the
tcpip.sysdriver, targeting the vulnerable code path. - The crafted input triggers the heap buffer overflow, writing data beyond the allocated buffer boundary in kernel heap memory.
- The overflow corrupts adjacent kernel heap structures, which the attacker leverages to gain arbitrary code execution in kernel mode.
- With kernel-level privileges, the attacker has unrestricted control over the compromised system, including the ability to install persistent backdoors, disable security software, or access any data on the machine.
Patch Information
Microsoft released the official fix for CVE-2026-33837 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. Because tcpip.sys is a closed-source Windows kernel component, no public source code diff is available. The fix is delivered exclusively through cumulative Windows security updates. Based on the advisory, the patch addresses the heap-based buffer overflow condition by adding proper bounds checking or buffer size validation to the vulnerable code path within the driver.
Microsoft has stated that there are no workarounds or alternative mitigations. Patching is the only remediation path.
The following table lists the affected product families, their corresponding KB articles, and the patched build numbers:
| Product Family | KB Article(s) | Patched Build |
|---|---|---|
| Windows 11 26H1 (x64/ARM64) | KB5089548 | 10.0.28000.2113 |
| Windows 11 25H2 / 24H2 (x64/ARM64) | KB5089549, KB5089466 (hotpatch) | 10.0.26200.8457 / 10.0.26100.8457 |
| Windows 11 23H2 (x64/ARM64) | KB5087420 | 10.0.22631.7079 |
| Windows 10 22H2 / 21H2 (x64/ARM64/x86) | KB5087544 | 10.0.19045.7291 / 10.0.19044.7291 |
| Windows 10 1809 (x64/x86) | KB5087538 | 10.0.17763.8755 |
| Windows 10 1607 (x64/x86) | KB5087537 | 10.0.14393.9140 |
| Windows Server 2025 (incl. Server Core) | KB5087539, KB5087423 (hotpatch) | 10.0.26100.32860 |
| Windows Server 2022 (incl. Server Core) | KB5087545, KB5087424 (hotpatch) | 10.0.20348.5139 |
| Windows Server 2022, 23H2 (Server Core) | KB5087541 | 10.0.25398.2330 |
| Windows Server 2019 (incl. Server Core) | KB5087538 | 10.0.17763.8755 |
| Windows Server 2016 (incl. Server Core) | KB5087537 | 10.0.14393.9140 |
| Windows Server 2012 R2 (incl. Server Core) | KB5087471 | 6.3.9600.23181 |
| Windows Server 2012 (incl. Server Core) | KB5087470 | 6.2.9200.26079 |
For several newer platforms (Windows Server 2025, Windows Server 2022, Windows 11 24H2, and Windows 11 25H2), Microsoft offers both a standard security update and a Security Hotpatch Update. Hotpatching allows the fix to be applied in memory without requiring an immediate reboot, which is particularly valuable for production servers where downtime must be minimized.
All updates carry a customer action designation of "Required." They are available through Windows Update, the Microsoft Update Catalog, and WSUS. To verify that a system is patched, administrators should confirm that the OS build number meets or exceeds the values listed above for their specific product.
Detection Methods
Snort IDS/IPS Signatures
Cisco Talos released Snort intrusion detection rules targeting CVE-2026-33837 on May 12, 2026, the same day Microsoft published its advisory. Organizations running Snort can deploy the following rules:
- Snort 2: GID 1, SIDs 66440 and 66441. These rules were explicitly created to cover CVE-2026-33837 and are part of the broader May 2026 Patch Tuesday update range (1:66438 through 1:66445).
- Snort 3: GID 1, SID 301495. The corresponding Snort 3 rule falls within the range 1:301494 through 1:301497 included in this release.
These rules are available to Snort Subscriber Ruleset customers. Cisco Secure Firewall users should update their Security Rule Update (SRU) to the latest version to receive this coverage automatically. Open source Snort users can obtain the rules through the Snort.org rule pack.
Supplementary Monitoring
Given that Microsoft assessed exploitation as "More Likely," defenders should also monitor for suspicious local process activity on Windows systems, especially unexpected privilege transitions by processes interacting with the TCP/IP stack. Monitoring Windows Event Logs for anomalous service or kernel-mode behavior tied to the networking subsystem is recommended as an additional detection layer.
At this time, no YARA rules, Sigma rules, or published indicators of compromise (IoCs) have been identified for this vulnerability beyond the Snort signatures described above.
Affected Systems and Versions
CVE-2026-33837 affects a wide range of Windows client and server operating systems. The following versions are confirmed vulnerable (prior to applying the May 2026 patches):
Windows Client:
- Windows 11 Version 26H1 (x64, ARM64)
- Windows 11 Version 25H2 (x64, ARM64)
- Windows 11 Version 24H2 (x64, ARM64)
- Windows 11 Version 23H2 (x64, ARM64)
- Windows 10 Version 22H2 (x64, ARM64, x86)
- Windows 10 Version 21H2 (x64, ARM64, x86)
- Windows 10 Version 1809 (x64, x86)
- Windows 10 Version 1607 (x64, x86)
Windows Server:
- Windows Server 2025 (including Server Core installation)
- Windows Server 2022, 23H2 Edition (Server Core installation)
- Windows Server 2022 (including Server Core installation)
- Windows Server 2019 (including Server Core installation)
- Windows Server 2016 (including Server Core installation)
- Windows Server 2012 R2 (including Server Core installation)
- Windows Server 2012 (including Server Core installation)
The vulnerable component is the tcpip.sys kernel driver, which is present in all of the above configurations.
Vendor Security History
Microsoft maintains a structured monthly security update cycle. In the May 2026 Patch Tuesday release, Microsoft addressed a total of 120 security flaws across its product ecosystem. None of the vulnerabilities patched in this cycle were classified as zero days. CVE-2026-33837 was one of the vulnerabilities in this batch rated as "Exploitation More Likely," underscoring the importance of timely patch deployment even when no active exploitation has been observed.
References
- CVE-2026-33837, MSRC Security Update Guide
- NVD Entry for CVE-2026-33837
- CVE Record: CVE-2026-33837
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days (BleepingComputer)
- Microsoft Patch Tuesday May 2026 Report (BleepingComputer)
- The May 2026 Security Update Review (Zero Day Initiative)
- Microsoft Patch Tuesday for May 2026, Snort Rules and Prominent Vulnerabilities (Cisco Talos)
- Snort Subscriber Rules Update, May 2026 (Seclists)



