Introduction
A double free memory corruption flaw in the Windows Message Queuing (MSMQ) service quietly opens the door for any authenticated local user to escalate privileges all the way to SYSTEM. Patched as part of Microsoft's May 2026 Patch Tuesday cycle alongside 119 other fixes, CVE-2026-33838 carries a CVSS score of 7.8 and affects a broad range of Windows client and server platforms, making it a priority for any environment where MSMQ is enabled.
Technical Information
Root Cause: Double Free (CWE-415)
CVE-2026-33838 is classified under CWE-415, Double Free. This class of vulnerability occurs when a program calls the memory deallocation function (such as free() or its Windows equivalent) twice on the same memory address. The second call corrupts the internal metadata structures maintained by the heap allocator. Depending on the allocator implementation and the state of the heap at the time of the second free, this corruption can produce several outcomes: a program crash, the ability to read or write to unexpected memory locations, or, critically, the ability to redirect execution flow.
In the context of CVE-2026-33838, the double free condition exists within the MSMQ service. Because MSMQ often runs with elevated privileges, successful exploitation of this memory corruption allows an attacker to escalate from a low privilege context to full SYSTEM access.
Attack Vector and Exploitability
The CVSS 3.1 assessment provides a clear picture of the attack surface:
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
The local attack vector means an attacker must already have some level of access to the target system. This positions CVE-2026-33838 as a post compromise escalation primitive rather than an initial access vector. An attacker who has gained a foothold on a system through phishing, credential theft, or another vulnerability could leverage this flaw to move from a restricted user context to SYSTEM, enabling full control over the machine, persistence mechanisms, credential dumping, and lateral movement.
The low attack complexity and the absence of any user interaction requirement mean that once an attacker has local access, exploitation is straightforward. Microsoft assessed the exploit code maturity as "unproven" at the time of publication, indicating no publicly available exploit code exists. However, given the well understood nature of double free exploitation techniques, this assessment may change as researchers analyze the binary diff of the patch.
Patch Information
Microsoft released an official fix for CVE-2026-33838 on May 12, 2026, as part of the regular Patch Tuesday cycle. The remediation level is marked as "Official Fix," meaning a complete vendor solution is available. Because this is a closed source Windows binary patch, no source level diffs are publicly available. The fix is delivered through standard Windows Update channels, the Microsoft Update Catalog, and WSUS.
The following table provides a breakdown of the relevant KB articles and patched builds across all affected platforms:
| Platform | KB Article | Type | Patched Build |
|---|---|---|---|
| Windows 11 26H1 (x64/ARM64) | KB5089548 | Security Update | 10.0.28000.2113 |
| Windows 11 25H2 / 24H2 (x64/ARM64) | KB5089549 + KB5089466 | Security Update + Hotpatch | 10.0.26100.8457 / 10.0.26200.8457 |
| Windows 11 23H2 (x64/ARM64) | KB5087420 | Security Update | 10.0.22631.7079 |
| Windows 10 22H2 / 21H2 (all arch) | KB5087544 | Security Update | 10.0.19045.7291 / 10.0.19044.7291 |
| Windows 10 1809 / Server 2019 | KB5087538 | Security Update | 10.0.17763.8755 |
| Windows 10 1607 / Server 2016 | KB5087537 | Security Update | 10.0.14393.9140 |
| Windows Server 2025 | KB5087539 + KB5087423 | Security Update + Hotpatch | 10.0.26100.32860 |
| Windows Server 2022 | KB5087545 + KB5087424 | Security Update + Hotpatch | 10.0.20348.5139 |
| Windows Server 2022, 23H2 | KB5087541 | Security Update | 10.0.25398.2330 |
| Windows Server 2012 R2 (ESU) | KB5087471 | Monthly Rollup | 6.3.9600.23181 |
| Windows Server 2012 (ESU) | KB5087470 | Monthly Rollup | 6.2.9200.26079 |
A notable aspect of this release is the availability of Security Hotpatch updates for newer platforms such as Windows Server 2025, Windows Server 2022, and Windows 11 24H2/25H2. Hotpatching allows the fix to be applied without requiring a full system reboot, which is particularly valuable for production server environments that need to minimize downtime.
For legacy platforms like Windows Server 2012 and 2012 R2, the fix arrives as part of the Monthly Rollup under Microsoft's Extended Security Update (ESU) program. Administrators managing these older systems should note the prerequisite of installing the latest Servicing Stack Update (SSU KB5079233) before applying the patch to ensure a successful installation.
All affected platforms list the customer action as "Required," underscoring that this update should be treated as a priority deployment item.
Affected Systems and Versions
The vulnerability affects the Windows Message Queuing service across a wide range of Windows platforms. The following systems are confirmed affected and have corresponding patches:
Windows Client:
- Windows 11 Version 26H1 (x64 and ARM64 based systems)
- Windows 11 Version 25H2 and 24H2 (x64 and ARM64 based systems)
- Windows 11 Version 23H2 (x64 and ARM64 based systems)
- Windows 10 Version 22H2 and 21H2 (32 bit, x64, and ARM64 based systems)
- Windows 10 Version 1809 (32 bit and x64 based systems)
- Windows 10 Version 1607 (32 bit and x64 based systems)
Windows Server:
- Windows Server 2025
- Windows Server 2022 and Server 2022, 23H2 Edition (Server Core installation)
- Windows Server 2019 and Server 2019 (Server Core installation)
- Windows Server 2016 and Server 2016 (Server Core installation)
- Windows Server 2012 R2 and Server 2012 R2 (Server Core installation) via ESU
- Windows Server 2012 and Server 2012 (Server Core installation) via ESU
Systems are only vulnerable if the MSMQ service is installed and enabled. Administrators can check for the presence of the service by looking for the "Message Queuing" feature in Windows Features or by querying the service status of mqsvc.exe.
Vendor Security History
CVE-2026-33838 was resolved as part of the May 2026 Patch Tuesday release, during which Microsoft fixed a total of 120 security flaws with zero zero days reported. Microsoft has invested significantly in its security posture through the Secure Future Initiative, dedicating the equivalent of 34,000 full time engineers to high priority security work. The company has also deployed a multi model agentic scanning harness designed to identify vulnerabilities proactively, which contributed to the discovery of 16 new vulnerabilities as announced in a concurrent blog post on May 12, 2026.
References
- Microsoft Security Response Center: CVE-2026-33838
- NVD: CVE-2026-33838
- Microsoft Support: KB5087471
- Zero Day Initiative: The May 2026 Security Update Review
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- CWE-415: Double Free
- Microsoft Secure Future Initiative Overview



