Introduction
A heap-based buffer overflow in the Windows Message Queuing (MSMQ) service, patched in Microsoft's May 2026 Patch Tuesday, allows an unauthenticated attacker on an adjacent network to achieve full remote code execution by sending a single crafted message. With a CVSS 3.1 base score of 8.8 and zero-click exploitation requiring no credentials, CVE-2026-34329 represents a serious lateral movement risk for any organization running MSMQ on internal network segments.
Technical Information
CVE-2026-34329 is classified under CWE-122 (Heap-based Buffer Overflow) and resides in the Windows Message Queuing service, which listens on TCP port 1801 for incoming queue messages. When the MSMQ service processes a specially crafted inbound message, it fails to properly validate the message data, resulting in a write beyond the bounds of a heap-allocated buffer. This memory corruption condition allows an attacker to overwrite adjacent heap structures and ultimately redirect execution flow to attacker-controlled code.
CVSS 3.1 Metrics
The full CVSS 3.1 vector string is AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, producing a base score of 8.8 and a temporal score of 7.7. The individual metrics are worth examining:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Adjacent (A) | Attacker must be on the same network segment, switch, or virtual network |
| Attack Complexity | Low (L) | No specialized conditions or race conditions required |
| Privileges Required | None (N) | No authentication or credentials needed |
| User Interaction | None (N) | Exploitation is fully autonomous; no victim action required |
| Scope | Unchanged (U) | Impact is confined to the vulnerable component's security authority |
| Confidentiality | High (H) | Complete loss of confidentiality on the target system |
| Integrity | High (H) | Complete loss of integrity on the target system |
| Availability | High (H) | Complete loss of availability on the target system |
Attack Flow
Based on the MSRC advisory and supporting analysis, the exploitation sequence proceeds as follows:
-
Reconnaissance: The attacker, already present on the same network segment as the target, identifies a Windows host with the MSMQ service enabled and listening on TCP port 1801. This can be accomplished through a simple port scan of the local subnet.
-
Message Construction: The attacker constructs a specially crafted MSMQ message designed to trigger the heap overflow during the service's message parsing routine. The malformed data causes the MSMQ service to write beyond the allocated heap buffer.
-
Exploitation: The crafted message is sent over the network to TCP port 1801 on the target. The MSMQ service (
mqsvc.exe) receives and begins processing the message. During parsing, the heap overflow corrupts adjacent memory, and the attacker gains arbitrary code execution in the context of the MSMQ service process. -
Post-Exploitation: With code execution achieved, the attacker can perform further lateral movement, establish persistence, or exfiltrate data from the compromised host.
Scope Considerations
The adjacent network constraint is the most important factor in risk assessment. This vulnerability cannot be exploited directly from the internet or across routed WAN boundaries. The attacker must share the same Layer 2 network segment as the target. However, in environments with flat network architectures, insufficient segmentation, or where an attacker has already achieved initial access (for example, through phishing or a VPN compromise), this flaw becomes a potent tool for internal propagation. Organizations relying on MSMQ for inter-service communication across multiple servers on the same VLAN should treat this as a high-priority patching item.
Patch Information
Microsoft officially patched CVE-2026-34329 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the Remediation Level is "Official Fix," meaning a complete vendor solution is available. Because this is a closed-source Windows component (the MSMQ service binary), no source-level diff is publicly available. The fix is delivered exclusively through Windows cumulative and security updates, and it corrects how the MSMQ service validates and handles incoming message data, preventing the heap overflow from occurring.
The fix ships across a broad matrix of affected Windows products:
| Platform(s) | KB Article(s) |
|---|---|
| Windows 11 26H1 (x64, ARM64) | KB5089548 |
| Windows 11 24H2 / 25H2 (x64, ARM64) | KB5089549 plus hotpatch KB5089466 |
| Windows 11 23H2 (x64, ARM64) | KB5087420 |
| Windows 10 21H2 / 22H2 (x64, ARM64, 32 bit) | KB5087544 |
| Windows 10 1809 / Server 2019 | KB5087538 |
| Windows 10 1607 / Server 2016 | KB5087537 |
| Windows Server 2025 | KB5087539 plus hotpatch KB5087423 |
| Windows Server 2022 | KB5087545 plus hotpatch KB5087424 |
| Windows Server 2022, 23H2 (Server Core) | KB5087541 |
| Windows Server 2012 R2 | KB5087471 |
| Windows Server 2012 | KB5087470 |
For Windows Server 2025, Server 2022, and Windows 11 24H2/25H2, Microsoft also published Security Hotpatch Updates (separate KB numbers listed above). Hotpatching allows the fix to be applied without a full system reboot on supported configurations, which is particularly valuable for production server environments where minimizing downtime is critical.
All updates are marked as "Customer Action Required" in the MSRC advisory, meaning automatic deployment via Windows Update alone may not be sufficient. Administrators should verify that the relevant KB has been installed on every system where the MSMQ service is enabled. Systems that do not have MSMQ enabled are not directly exposed, but the patch should still be applied proactively in case the feature is later turned on.
Detection Methods
Detection for CVE-2026-34329 spans vulnerability scanning, network monitoring, and endpoint log analysis.
Vulnerability Scanning with Tenable Nessus
Tenable has published 11 Nessus plugins that detect systems vulnerable to CVE-2026-34329 by checking whether the May 2026 security updates have been applied. These are local, credentialed checks relying on the host's self-reported build number rather than active exploitation:
| Nessus Plugin ID | Target System | KB Article |
|---|---|---|
| 314341 | Windows 11 24H2 / 25H2 | KB5089549 |
| 314342 | Windows 11 26H1 | KB5089548 |
| 314349 | Windows 11 23H2 | KB5087420 |
| 314353 | Windows 10 21H2 / 22H2 | KB5087544 |
| 314348 | Windows 10 1607 / Server 2016 | KB5087537 |
| 314346 | Windows 10 1809 / Server 2019 | KB5087538 |
| 314352 | Windows Server 2022 / Azure Stack HCI 22H2 | KB5087545 |
| 314347 | Windows Server 23H2 | KB5087541 |
| 314355 | Windows Server 2025 | KB5087539 |
| 314354 | Windows Server 2012 | KB5087470 |
| 314340 | Windows Server 2012 R2 | KB5087471 |
All plugins belong to the "Windows : Microsoft Bulletins" family and support both standalone Nessus and Nessus Agent sensors.
Identifying Exposed MSMQ Services
The vulnerability only impacts systems where the MSMQ service is actively running. Defenders should enumerate all hosts in their environment that are listening on TCP port 1801, the default MSMQ listener port. This can be accomplished through network scanning tools or asset inventory platforms. Even though the attack vector is adjacent, organizations should treat any MSMQ-enabled system as potentially at risk, particularly in flat network architectures.
Network Traffic Monitoring on TCP Port 1801
Because CVE-2026-34329 is triggered by a specially crafted network message, monitoring inbound traffic on TCP port 1801 is a core detection strategy. Security teams should review firewall and IDS logs for unexpected or anomalous connections targeting this port, especially from hosts that do not normally communicate with MSMQ services. Any inbound traffic on port 1801 from untrusted or unexpected sources should be flagged for investigation.
Cisco Talos has released Snort rulesets covering the May 2026 Patch Tuesday cycle:
- Snort 2 rules: 1:66438 through 1:66445, 1:66451 through 1:66460, and 1:66470 through 1:66476
- Snort 3 rules: 1:301494 through 1:301497, 1:301500 through 1:301506, 1:66472 through 1:66473, and 1:66476
Administrators should update their Snort Subscriber Ruleset to ensure network-level detection is active while patches are being deployed.
Windows Event Log Hunting
For proactive threat hunting on Windows endpoints, several event log sources can reveal MSMQ-related activity:
- Windows Security Event ID 5154: Indicates the MSMQ service is listening for incoming connections on port 1801. This confirms a host is exposed.
- Windows Security Event ID 5156: Logs permitted inbound network connections, allowing identification of which sources are connecting to port 1801 and whether those connections are expected.
- Sysmon Event ID 3 (Network Connection): If Sysmon is deployed, Event ID 3 captures connections and can be filtered for destination port 1801 to track connections to
mqsvc.exe.
Correlating these events with known good baselines for MSMQ communication patterns can help surface anomalous activity that warrants deeper investigation.
Scope Note
Microsoft's advisory rates CVE-2026-34329 as "Exploitation Less Likely" with no known public exploit code. No CVE-specific IDS/IPS signatures, YARA rules, or dedicated IoCs have been published by major vendors for this particular CVE beyond the general Snort rulesets noted above. Detection is therefore currently centered on patch-level verification and general MSMQ network monitoring.
Affected Systems and Versions
The vulnerability affects all supported Windows client and server operating systems where the MSMQ service can be enabled. Based on the patches released by Microsoft, the following platforms are confirmed affected:
Windows Client:
- Windows 11 version 26H1 (x64, ARM64)
- Windows 11 versions 24H2 and 25H2 (x64, ARM64)
- Windows 11 version 23H2 (x64, ARM64)
- Windows 10 versions 21H2 and 22H2 (x64, ARM64, 32 bit)
- Windows 10 version 1809
- Windows 10 version 1607
Windows Server:
- Windows Server 2025
- Windows Server 2022 (including Azure Stack HCI 22H2)
- Windows Server 2022, 23H2 (Server Core installation)
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
The vulnerable configuration requires the MSMQ service to be installed and actively running (listening on TCP port 1801). Systems that do not have the MSMQ feature enabled are not directly exploitable, though Microsoft recommends applying the patch proactively.
Vendor Security History
Microsoft manages security disclosures through the Microsoft Security Response Center (MSRC), which investigates all reports of security vulnerabilities affecting Microsoft products and coordinates their disclosure. The company follows a predictable monthly release cadence, issuing security updates on the second Tuesday of each month. The May 2026 update cycle addressed between 120 and 137 vulnerabilities across various products, with 29 classified as critical remote code execution flaws. Notably, no zero-day vulnerabilities were reported as exploited or publicly disclosed ahead of this particular Patch Tuesday release, according to multiple independent sources including Tenable, Cisco Talos, and BleepingComputer.
MSMQ has historically been a source of high-severity vulnerabilities in the Windows ecosystem, making it a component that warrants ongoing attention from security teams, particularly in enterprise environments where the service may be enabled on numerous internal servers.
References
- MSRC Advisory: CVE-2026-34329
- NVD: CVE-2026-34329
- CVE Record: CVE-2026-34329
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days
- Cisco Talos: Microsoft Patch Tuesday for May 2026
- Tenable: May 2026 Microsoft Patch Tuesday
- Tenable CVE Page: CVE-2026-34329
- Tenable Nessus Plugins for CVE-2026-34329
- Tenable Nessus Plugin 314353
- CyberSecurityNews: Microsoft Patch Tuesday May 2026
- Microsoft Security Blog: How MSRC coordinates vulnerability research and disclosure



