Introduction
A race condition in the Windows TCP/IP kernel driver now gives any locally authenticated user a path to SYSTEM privileges, courtesy of improper synchronization around a shared resource in tcpip.sys. CVE-2026-34334, patched in Microsoft's May 2026 Patch Tuesday cycle, carries a CVSS 3.1 base score of 7.8 and affects virtually every supported version of Windows, from Windows 10 and 11 through Windows Server 2025 and even legacy Server 2012 editions.
While Microsoft rates exploitation as Unlikely and no public exploit code exists, the combination of low attack complexity, low privilege requirements, and full SYSTEM impact makes this one worth tracking, especially in environments where multiple users share access to the same host.
Technical Information
Root Cause
The vulnerability is classified under CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization. The flaw exists within tcpip.sys, the core Windows TCP/IP kernel driver. Two or more concurrent code paths access a shared resource without adequate synchronization, creating a timing window during which an attacker can modify the resource while another code sequence assumes it has temporary exclusive access.
Because tcpip.sys operates in kernel mode, corrupting state through this race condition does not merely crash the driver; it can be leveraged to achieve arbitrary privilege escalation. A successful exploit grants the attacker full SYSTEM privileges, which represents a complete compromise of confidentiality, integrity, and availability on the affected host.
CVSS Breakdown
The CVSS 3.1 base score of 7.8 (temporal: 6.8) breaks down as follows:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Local | Attacker must already have a foothold on the system |
| Attack Complexity | Low | Exploitation does not require advanced evasion techniques |
| Privileges Required | Low | Basic authenticated user access is sufficient |
| User Interaction | None | The exploit can run autonomously without victim participation |
| Impact (C/I/A) | High / High / High | Complete loss of confidentiality, integrity, and availability |
Attack Flow
Based on the available technical details, the exploitation sequence would proceed as follows:
-
Initial Access: The attacker obtains local access to the target system with a standard, low privilege user account. This could be a shared workstation, a terminal server, or a compromised endpoint where the attacker has established a foothold.
-
Triggering the Race: The attacker invokes the vulnerable code path in the TCP/IP driver, initiating two concurrent operations that compete for the improperly synchronized shared resource.
-
Winning the Race: By successfully racing the two operations, the attacker manipulates the shared resource during the timing window, corrupting kernel state in a controlled manner.
-
Privilege Escalation: The corrupted kernel state is leveraged to elevate the attacker's process context from a low privilege user to SYSTEM.
The specific shared resource and the exact code path involved have not been publicly disclosed. Since tcpip.sys is a closed source Windows kernel component, no source code diff is available. No public exploit code has been released, and Microsoft classifies the exploit code maturity as Unproven.
Patch Information
Microsoft addressed CVE-2026-34334 with an official fix released on May 12, 2026, as part of the May 2026 Patch Tuesday security update cycle. The fix is delivered exclusively through cumulative and security updates via Windows Update and the Microsoft Update Catalog. Microsoft's MSRC advisory confirms the Remediation Level as Official Fix, meaning a complete vendor solution has shipped.
Microsoft has not published any official workarounds or alternative mitigations for this vulnerability. The only recommended action is to apply the official update.
The core fix almost certainly introduces proper synchronization primitives (such as spinlocks, interlocked operations, or resource acquisition ordering) around the shared resource access path in the TCP/IP driver. By serializing the critical section, the patch eliminates the timing window an attacker could exploit to corrupt kernel state and achieve privilege escalation.
Patch Matrix
The patch spans a broad matrix of affected products:
| KB Article | Target Products | Patched Build |
|---|---|---|
| KB5089549 | Windows 11 24H2 / 25H2 (x64 and ARM64) | 10.0.26100.8457 / 10.0.26200.8457 |
| KB5089548 | Windows 11 26H1 (x64 and ARM64) | 10.0.28000.2113 |
| KB5087420 | Windows 11 23H2 (x64 and ARM64) | 10.0.22631.7079 |
| KB5087544 | Windows 10 21H2 / 22H2 (x86, x64, ARM64) | 10.0.19044.7291 / 10.0.19045.7291 |
| KB5087538 | Windows 10 1809, Windows Server 2019 | 10.0.17763.8755 |
| KB5087537 | Windows 10 1607, Windows Server 2016 | 10.0.14393.9140 |
| KB5087539 | Windows Server 2025 | 10.0.26100.32860 |
| KB5087545 | Windows Server 2022 | 10.0.20348.5139 |
| KB5087541 | Windows Server 2022 23H2 (Server Core) | 10.0.25398.2330 |
| KB5087471 | Windows Server 2012 R2 | 6.3.9600.23181 |
| KB5087470 | Windows Server 2012 | 6.2.9200.26079 |
Security Hotpatch Updates
For several modern server and client editions, Microsoft also shipped Security Hotpatch updates that apply the fix without requiring a reboot:
| KB Article | Target Products |
|---|---|
| KB5089466 | Windows 11 24H2 / 25H2 |
| KB5087423 | Windows Server 2025 |
| KB5087424 | Windows Server 2022 |
These hotpatch updates target slightly earlier build numbers (e.g., 10.0.26100.8390 for KB5089466 versus 10.0.26100.8457 for the full KB5089549 update), reflecting the lighter weight patching approach that avoids replacing the entire binary in memory.
Verification
To verify that the patch has been applied, administrators can check the installed OS build number against the patched build numbers above:
Get-ComputerInfo | Select-Object OsBuildNumber
Or simply run winver from the Run dialog. All updates are marked with Customer Action Required: Required, meaning they are not optional.
Affected Systems and Versions
The vulnerability affects the following Windows operating systems (all builds prior to the patched versions listed above):
Windows Client:
- Windows 11 versions 23H2, 24H2, 25H2, and 26H1 (x64 and ARM64)
- Windows 10 versions 21H2 and 22H2 (x86, x64, ARM64)
- Windows 10 version 1809
- Windows 10 version 1607
Windows Server:
- Windows Server 2025
- Windows Server 2022 (including 23H2 Server Core)
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
The vulnerable component is tcpip.sys, the Windows TCP/IP kernel driver, which is present and active on all of these platforms by default.
References
- Microsoft Security Response Center: CVE-2026-34334
- NVD: CVE-2026-34334
- Zero Day Initiative: The May 2026 Security Update Review
- VulDB: CVE-2026-34334 Microsoft Windows TCP/IP Race Condition
- Bleeping Computer: Microsoft May 2026 Patch Tuesday Fixes 120 Flaws, No Zero Days
- SANS Internet Storm Center: Microsoft May 2026 Patch Tuesday
- Tenable: Windows Server version 23H2 Security Update (May 2026)



