Introduction
A use after free vulnerability in the Windows Kernel Mode Driver's NVMe over Fabrics protocol handling allows an authorized attacker to achieve remote code execution by sending a malformed response during a connection handshake. With a CVSS 3.1 base score of 8.0 and the vulnerability residing in kernel space on Windows Server 2025, this is a flaw that storage and infrastructure teams should patch promptly, even though Microsoft currently rates exploitation as unlikely.
Technical Information
The root cause of CVE-2026-34332 is a use after free condition (CWE-416) in the Windows Kernel Mode Driver responsible for handling NVMe over Fabrics (NVMe-oF) protocol communications. The vulnerable component is bound to the network stack, making it remotely exploitable across one or more network hops.
Attack Flow
The exploitation sequence works as follows:
- An attacker who holds low privileges on the domain sets up a malicious server capable of responding to NVMe-oF connection requests.
- The attacker waits for (or socially engineers) a victim user to initiate an NVMe-oF connection to the malicious server.
- During the connection handshake, the attacker's server sends a specially crafted NVMe over Fabrics response message containing an invalid header length value.
- The malformed header length triggers a dangling pointer dereference in the kernel driver, producing the use after free condition.
- The attacker achieves arbitrary code execution in kernel context.
CVSS 3.1 Metric Breakdown
| Metric | Value | Description |
|---|---|---|
| Base Score | 8.0 | High severity |
| Attack Vector | Network | Exploitable at the protocol level across network hops |
| Attack Complexity | Low | Repeatable success without specialized access conditions |
| Privileges Required | Low | Attacker needs basic user capabilities |
| User Interaction | Required | Victim must initiate connection to malicious server |
| Confidentiality Impact | High | Full compromise possible |
| Integrity Impact | High | Full compromise possible |
| Availability Impact | High | Full compromise possible |
The requirement for user interaction is the primary limiting factor. The victim must actively connect to a hostile server, which means the attacker cannot simply fire packets at an arbitrary target. However, in environments where NVMe-oF storage targets are configured dynamically or where an attacker can influence DNS or network routing, the user interaction barrier becomes significantly easier to satisfy.
The narrow product scope, confined solely to Windows Server 2025, strongly suggests the vulnerable code path was introduced in (or is only reachable through) the NVMe-oF driver stack that ships with that specific server release.
Patch Information
Microsoft released an official fix for CVE-2026-34332 on May 12, 2026, as part of its regular Patch Tuesday security update cycle. The MSRC advisory explicitly marks the remediation level as "Official Fix," confirming that a complete vendor solution is available. There are no official workarounds listed for interim remediation.
The fix was delivered through two separate update packages, giving administrators flexible deployment options:
| Update | Target | Build Number | Reboot Required |
|---|---|---|---|
| KB5087539 | Windows Server 2025 (standard cumulative update) | 26100.32860 | Yes |
| KB5087423 | Windows Server 2025 Datacenter (Azure Edition, Azure Arc connected) | 26100.32772 | No (Hotpatch) |
Both updates share the same servicing stack update prerequisite (KB5089717, SSU version 26100.32837), which is bundled automatically when deploying the LCU through Windows Update.
The Hotpatch option via KB5087423 is particularly relevant here: production workloads running NVMe-oF storage can receive the fix without a server restart, minimizing disruption.
The patch almost certainly adds proper validation of the header length field before the kernel driver processes the response buffer, preventing the dangling pointer dereference that leads to the use after free condition.
Verifying the Patch
Because this is a closed source Windows kernel component, no public source code diff is available. Administrators can confirm the installed build via winver or by querying the following in PowerShell:
[System.Environment]::OSVersion
Systems running Build 26100.32860 (via KB5087539) or Build 26100.32772 (via KB5087423) and later are protected.
Affected Systems and Versions
The vulnerability is scoped exclusively to Windows Server 2025, including both standard and Server Core installations. This narrow scope is notable; unlike many kernel level CVEs that fan out across a broad Windows version matrix, CVE-2026-34332 is confined solely to the Server 2025 platform.
Specifically affected configurations:
- Windows Server 2025 (standard installation)
- Windows Server 2025 (Server Core installation)
- Windows Server 2025 Datacenter: Azure Edition
Systems that do not run Windows Server 2025 are not affected by this vulnerability.
References
- NVD Entry for CVE-2026-34332
- MSRC Security Update Guide: CVE-2026-34332
- KB5087539: Cumulative Security Update for Windows Server 2025
- KB5087423: Hotpatch Update for Windows Server 2025 Datacenter
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Zero Day Initiative: The May 2026 Security Update Review
- Microsoft MSRC Blog: A note on this month's Patch Tuesday
- Help Net Security: Microsoft May 2026 Patch Tuesday



