ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-33838 Double Free in Windows Message Queuing Enables Local Privilege Escalation to SYSTEM

A short review of CVE-2026-33838, a double free vulnerability in the Windows Message Queuing (MSMQ) service that allows an authenticated local attacker to escalate privileges to SYSTEM. Includes patch details across all affected Windows platforms.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-33838 Double Free in Windows Message Queuing Enables Local Privilege Escalation to SYSTEM
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A double free memory corruption flaw in the Windows Message Queuing (MSMQ) service quietly opens the door for any authenticated local user to escalate privileges all the way to SYSTEM. Patched as part of Microsoft's May 2026 Patch Tuesday cycle alongside 119 other fixes, CVE-2026-33838 carries a CVSS score of 7.8 and affects a broad range of Windows client and server platforms, making it a priority for any environment where MSMQ is enabled.

Technical Information

Root Cause: Double Free (CWE-415)

CVE-2026-33838 is classified under CWE-415, Double Free. This class of vulnerability occurs when a program calls the memory deallocation function (such as free() or its Windows equivalent) twice on the same memory address. The second call corrupts the internal metadata structures maintained by the heap allocator. Depending on the allocator implementation and the state of the heap at the time of the second free, this corruption can produce several outcomes: a program crash, the ability to read or write to unexpected memory locations, or, critically, the ability to redirect execution flow.

In the context of CVE-2026-33838, the double free condition exists within the MSMQ service. Because MSMQ often runs with elevated privileges, successful exploitation of this memory corruption allows an attacker to escalate from a low privilege context to full SYSTEM access.

Attack Vector and Exploitability

The CVSS 3.1 assessment provides a clear picture of the attack surface:

MetricValue
Attack VectorLocal
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
Confidentiality ImpactHigh
Integrity ImpactHigh
Availability ImpactHigh

The local attack vector means an attacker must already have some level of access to the target system. This positions CVE-2026-33838 as a post compromise escalation primitive rather than an initial access vector. An attacker who has gained a foothold on a system through phishing, credential theft, or another vulnerability could leverage this flaw to move from a restricted user context to SYSTEM, enabling full control over the machine, persistence mechanisms, credential dumping, and lateral movement.

The low attack complexity and the absence of any user interaction requirement mean that once an attacker has local access, exploitation is straightforward. Microsoft assessed the exploit code maturity as "unproven" at the time of publication, indicating no publicly available exploit code exists. However, given the well understood nature of double free exploitation techniques, this assessment may change as researchers analyze the binary diff of the patch.

Patch Information

Microsoft released an official fix for CVE-2026-33838 on May 12, 2026, as part of the regular Patch Tuesday cycle. The remediation level is marked as "Official Fix," meaning a complete vendor solution is available. Because this is a closed source Windows binary patch, no source level diffs are publicly available. The fix is delivered through standard Windows Update channels, the Microsoft Update Catalog, and WSUS.

The following table provides a breakdown of the relevant KB articles and patched builds across all affected platforms:

PlatformKB ArticleTypePatched Build
Windows 11 26H1 (x64/ARM64)KB5089548Security Update10.0.28000.2113
Windows 11 25H2 / 24H2 (x64/ARM64)KB5089549 + KB5089466Security Update + Hotpatch10.0.26100.8457 / 10.0.26200.8457
Windows 11 23H2 (x64/ARM64)KB5087420Security Update10.0.22631.7079
Windows 10 22H2 / 21H2 (all arch)KB5087544Security Update10.0.19045.7291 / 10.0.19044.7291
Windows 10 1809 / Server 2019KB5087538Security Update10.0.17763.8755
Windows 10 1607 / Server 2016KB5087537Security Update10.0.14393.9140
Windows Server 2025KB5087539 + KB5087423Security Update + Hotpatch10.0.26100.32860
Windows Server 2022KB5087545 + KB5087424Security Update + Hotpatch10.0.20348.5139
Windows Server 2022, 23H2KB5087541Security Update10.0.25398.2330
Windows Server 2012 R2 (ESU)KB5087471Monthly Rollup6.3.9600.23181
Windows Server 2012 (ESU)KB5087470Monthly Rollup6.2.9200.26079

A notable aspect of this release is the availability of Security Hotpatch updates for newer platforms such as Windows Server 2025, Windows Server 2022, and Windows 11 24H2/25H2. Hotpatching allows the fix to be applied without requiring a full system reboot, which is particularly valuable for production server environments that need to minimize downtime.

For legacy platforms like Windows Server 2012 and 2012 R2, the fix arrives as part of the Monthly Rollup under Microsoft's Extended Security Update (ESU) program. Administrators managing these older systems should note the prerequisite of installing the latest Servicing Stack Update (SSU KB5079233) before applying the patch to ensure a successful installation.

All affected platforms list the customer action as "Required," underscoring that this update should be treated as a priority deployment item.

Affected Systems and Versions

The vulnerability affects the Windows Message Queuing service across a wide range of Windows platforms. The following systems are confirmed affected and have corresponding patches:

Windows Client:

  • Windows 11 Version 26H1 (x64 and ARM64 based systems)
  • Windows 11 Version 25H2 and 24H2 (x64 and ARM64 based systems)
  • Windows 11 Version 23H2 (x64 and ARM64 based systems)
  • Windows 10 Version 22H2 and 21H2 (32 bit, x64, and ARM64 based systems)
  • Windows 10 Version 1809 (32 bit and x64 based systems)
  • Windows 10 Version 1607 (32 bit and x64 based systems)

Windows Server:

  • Windows Server 2025
  • Windows Server 2022 and Server 2022, 23H2 Edition (Server Core installation)
  • Windows Server 2019 and Server 2019 (Server Core installation)
  • Windows Server 2016 and Server 2016 (Server Core installation)
  • Windows Server 2012 R2 and Server 2012 R2 (Server Core installation) via ESU
  • Windows Server 2012 and Server 2012 (Server Core installation) via ESU

Systems are only vulnerable if the MSMQ service is installed and enabled. Administrators can check for the presence of the service by looking for the "Message Queuing" feature in Windows Features or by querying the service status of mqsvc.exe.

Vendor Security History

CVE-2026-33838 was resolved as part of the May 2026 Patch Tuesday release, during which Microsoft fixed a total of 120 security flaws with zero zero days reported. Microsoft has invested significantly in its security posture through the Secure Future Initiative, dedicating the equivalent of 34,000 full time engineers to high priority security work. The company has also deployed a multi model agentic scanning harness designed to identify vulnerabilities proactively, which contributed to the discovery of 16 new vulnerabilities as announced in a concurrent blog post on May 12, 2026.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization