ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-34332 — Windows Kernel Mode Driver Use After Free in NVMe over Fabrics Enables Remote Code Execution

A short review of CVE-2026-34332, a use after free vulnerability in the Windows Kernel Mode Driver's NVMe over Fabrics stack that allows an authorized attacker to achieve remote code execution. Patch information and affected system details are included.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-34332 — Windows Kernel Mode Driver Use After Free in NVMe over Fabrics Enables Remote Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free vulnerability in the Windows Kernel Mode Driver's NVMe over Fabrics protocol handling allows an authorized attacker to achieve remote code execution by sending a malformed response during a connection handshake. With a CVSS 3.1 base score of 8.0 and the vulnerability residing in kernel space on Windows Server 2025, this is a flaw that storage and infrastructure teams should patch promptly, even though Microsoft currently rates exploitation as unlikely.

Technical Information

The root cause of CVE-2026-34332 is a use after free condition (CWE-416) in the Windows Kernel Mode Driver responsible for handling NVMe over Fabrics (NVMe-oF) protocol communications. The vulnerable component is bound to the network stack, making it remotely exploitable across one or more network hops.

Attack Flow

The exploitation sequence works as follows:

  1. An attacker who holds low privileges on the domain sets up a malicious server capable of responding to NVMe-oF connection requests.
  2. The attacker waits for (or socially engineers) a victim user to initiate an NVMe-oF connection to the malicious server.
  3. During the connection handshake, the attacker's server sends a specially crafted NVMe over Fabrics response message containing an invalid header length value.
  4. The malformed header length triggers a dangling pointer dereference in the kernel driver, producing the use after free condition.
  5. The attacker achieves arbitrary code execution in kernel context.

CVSS 3.1 Metric Breakdown

MetricValueDescription
Base Score8.0High severity
Attack VectorNetworkExploitable at the protocol level across network hops
Attack ComplexityLowRepeatable success without specialized access conditions
Privileges RequiredLowAttacker needs basic user capabilities
User InteractionRequiredVictim must initiate connection to malicious server
Confidentiality ImpactHighFull compromise possible
Integrity ImpactHighFull compromise possible
Availability ImpactHighFull compromise possible

The requirement for user interaction is the primary limiting factor. The victim must actively connect to a hostile server, which means the attacker cannot simply fire packets at an arbitrary target. However, in environments where NVMe-oF storage targets are configured dynamically or where an attacker can influence DNS or network routing, the user interaction barrier becomes significantly easier to satisfy.

The narrow product scope, confined solely to Windows Server 2025, strongly suggests the vulnerable code path was introduced in (or is only reachable through) the NVMe-oF driver stack that ships with that specific server release.

Patch Information

Microsoft released an official fix for CVE-2026-34332 on May 12, 2026, as part of its regular Patch Tuesday security update cycle. The MSRC advisory explicitly marks the remediation level as "Official Fix," confirming that a complete vendor solution is available. There are no official workarounds listed for interim remediation.

The fix was delivered through two separate update packages, giving administrators flexible deployment options:

UpdateTargetBuild NumberReboot Required
KB5087539Windows Server 2025 (standard cumulative update)26100.32860Yes
KB5087423Windows Server 2025 Datacenter (Azure Edition, Azure Arc connected)26100.32772No (Hotpatch)

Both updates share the same servicing stack update prerequisite (KB5089717, SSU version 26100.32837), which is bundled automatically when deploying the LCU through Windows Update.

The Hotpatch option via KB5087423 is particularly relevant here: production workloads running NVMe-oF storage can receive the fix without a server restart, minimizing disruption.

The patch almost certainly adds proper validation of the header length field before the kernel driver processes the response buffer, preventing the dangling pointer dereference that leads to the use after free condition.

Verifying the Patch

Because this is a closed source Windows kernel component, no public source code diff is available. Administrators can confirm the installed build via winver or by querying the following in PowerShell:

[System.Environment]::OSVersion

Systems running Build 26100.32860 (via KB5087539) or Build 26100.32772 (via KB5087423) and later are protected.

Affected Systems and Versions

The vulnerability is scoped exclusively to Windows Server 2025, including both standard and Server Core installations. This narrow scope is notable; unlike many kernel level CVEs that fan out across a broad Windows version matrix, CVE-2026-34332 is confined solely to the Server 2025 platform.

Specifically affected configurations:

  • Windows Server 2025 (standard installation)
  • Windows Server 2025 (Server Core installation)
  • Windows Server 2025 Datacenter: Azure Edition

Systems that do not run Windows Server 2025 are not affected by this vulnerability.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization