ZeroPath at Black Hat USA 2026

Windows TCP/IP CVE-2026-34334: Brief Summary of a Kernel Race Condition Privilege Escalation

A brief summary of CVE-2026-34334, a race condition in the Windows TCP/IP kernel driver that allows locally authenticated attackers to escalate privileges to SYSTEM. Includes patch details across all affected Windows editions.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Windows TCP/IP CVE-2026-34334: Brief Summary of a Kernel Race Condition Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A race condition in the Windows TCP/IP kernel driver now gives any locally authenticated user a path to SYSTEM privileges, courtesy of improper synchronization around a shared resource in tcpip.sys. CVE-2026-34334, patched in Microsoft's May 2026 Patch Tuesday cycle, carries a CVSS 3.1 base score of 7.8 and affects virtually every supported version of Windows, from Windows 10 and 11 through Windows Server 2025 and even legacy Server 2012 editions.

While Microsoft rates exploitation as Unlikely and no public exploit code exists, the combination of low attack complexity, low privilege requirements, and full SYSTEM impact makes this one worth tracking, especially in environments where multiple users share access to the same host.

Technical Information

Root Cause

The vulnerability is classified under CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization. The flaw exists within tcpip.sys, the core Windows TCP/IP kernel driver. Two or more concurrent code paths access a shared resource without adequate synchronization, creating a timing window during which an attacker can modify the resource while another code sequence assumes it has temporary exclusive access.

Because tcpip.sys operates in kernel mode, corrupting state through this race condition does not merely crash the driver; it can be leveraged to achieve arbitrary privilege escalation. A successful exploit grants the attacker full SYSTEM privileges, which represents a complete compromise of confidentiality, integrity, and availability on the affected host.

CVSS Breakdown

The CVSS 3.1 base score of 7.8 (temporal: 6.8) breaks down as follows:

MetricValueImplication
Attack VectorLocalAttacker must already have a foothold on the system
Attack ComplexityLowExploitation does not require advanced evasion techniques
Privileges RequiredLowBasic authenticated user access is sufficient
User InteractionNoneThe exploit can run autonomously without victim participation
Impact (C/I/A)High / High / HighComplete loss of confidentiality, integrity, and availability

Attack Flow

Based on the available technical details, the exploitation sequence would proceed as follows:

  1. Initial Access: The attacker obtains local access to the target system with a standard, low privilege user account. This could be a shared workstation, a terminal server, or a compromised endpoint where the attacker has established a foothold.

  2. Triggering the Race: The attacker invokes the vulnerable code path in the TCP/IP driver, initiating two concurrent operations that compete for the improperly synchronized shared resource.

  3. Winning the Race: By successfully racing the two operations, the attacker manipulates the shared resource during the timing window, corrupting kernel state in a controlled manner.

  4. Privilege Escalation: The corrupted kernel state is leveraged to elevate the attacker's process context from a low privilege user to SYSTEM.

The specific shared resource and the exact code path involved have not been publicly disclosed. Since tcpip.sys is a closed source Windows kernel component, no source code diff is available. No public exploit code has been released, and Microsoft classifies the exploit code maturity as Unproven.

Patch Information

Microsoft addressed CVE-2026-34334 with an official fix released on May 12, 2026, as part of the May 2026 Patch Tuesday security update cycle. The fix is delivered exclusively through cumulative and security updates via Windows Update and the Microsoft Update Catalog. Microsoft's MSRC advisory confirms the Remediation Level as Official Fix, meaning a complete vendor solution has shipped.

Microsoft has not published any official workarounds or alternative mitigations for this vulnerability. The only recommended action is to apply the official update.

The core fix almost certainly introduces proper synchronization primitives (such as spinlocks, interlocked operations, or resource acquisition ordering) around the shared resource access path in the TCP/IP driver. By serializing the critical section, the patch eliminates the timing window an attacker could exploit to corrupt kernel state and achieve privilege escalation.

Patch Matrix

The patch spans a broad matrix of affected products:

KB ArticleTarget ProductsPatched Build
KB5089549Windows 11 24H2 / 25H2 (x64 and ARM64)10.0.26100.8457 / 10.0.26200.8457
KB5089548Windows 11 26H1 (x64 and ARM64)10.0.28000.2113
KB5087420Windows 11 23H2 (x64 and ARM64)10.0.22631.7079
KB5087544Windows 10 21H2 / 22H2 (x86, x64, ARM64)10.0.19044.7291 / 10.0.19045.7291
KB5087538Windows 10 1809, Windows Server 201910.0.17763.8755
KB5087537Windows 10 1607, Windows Server 201610.0.14393.9140
KB5087539Windows Server 202510.0.26100.32860
KB5087545Windows Server 202210.0.20348.5139
KB5087541Windows Server 2022 23H2 (Server Core)10.0.25398.2330
KB5087471Windows Server 2012 R26.3.9600.23181
KB5087470Windows Server 20126.2.9200.26079

Security Hotpatch Updates

For several modern server and client editions, Microsoft also shipped Security Hotpatch updates that apply the fix without requiring a reboot:

KB ArticleTarget Products
KB5089466Windows 11 24H2 / 25H2
KB5087423Windows Server 2025
KB5087424Windows Server 2022

These hotpatch updates target slightly earlier build numbers (e.g., 10.0.26100.8390 for KB5089466 versus 10.0.26100.8457 for the full KB5089549 update), reflecting the lighter weight patching approach that avoids replacing the entire binary in memory.

Verification

To verify that the patch has been applied, administrators can check the installed OS build number against the patched build numbers above:

Get-ComputerInfo | Select-Object OsBuildNumber

Or simply run winver from the Run dialog. All updates are marked with Customer Action Required: Required, meaning they are not optional.

Affected Systems and Versions

The vulnerability affects the following Windows operating systems (all builds prior to the patched versions listed above):

Windows Client:

  • Windows 11 versions 23H2, 24H2, 25H2, and 26H1 (x64 and ARM64)
  • Windows 10 versions 21H2 and 22H2 (x86, x64, ARM64)
  • Windows 10 version 1809
  • Windows 10 version 1607

Windows Server:

  • Windows Server 2025
  • Windows Server 2022 (including 23H2 Server Core)
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

The vulnerable component is tcpip.sys, the Windows TCP/IP kernel driver, which is present and active on all of these platforms by default.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization