Introduction
A race condition in the Windows TCP/IP stack, patched in the May 2026 Patch Tuesday cycle, gives any low privilege local user a path to elevated privileges without requiring user interaction. With a CVSS score of 7.8 and high impact across confidentiality, integrity, and availability, CVE-2026-34351 is a meaningful patch priority for any environment where multiple users share access to Windows systems.
Technical Information
The root cause of CVE-2026-34351 is a race condition (CWE-362) in the Windows TCP/IP driver. CWE-362 is defined as "concurrent execution using shared resource with improper synchronization." In practical terms, two or more execution paths within the TCP/IP stack access a shared resource without adequate locking or serialization, creating a window where an attacker can manipulate the timing of operations to corrupt state or hijack control flow.
CVSS Vector Breakdown
The CVSS 3.1 vector tells us a lot about the operational risk profile:
| Metric | Value | Operational Implication |
|---|---|---|
| Attack Vector | Local | Attacker must have code execution on the target system |
| Attack Complexity | Low | Few preconditions; the race is reliably triggerable |
| Privileges Required | Low | A standard unprivileged user account is sufficient |
| User Interaction | None | No social engineering or victim action needed |
| Scope | Unchanged | Impact stays within the same security authority boundary |
| Confidentiality | High | Complete compromise of data confidentiality |
| Integrity | High | Complete compromise of data integrity |
| Availability | High | Complete compromise of system availability |
Microsoft labels the maximum severity as "Important," but the CVSS subscores paint a more urgent picture. All three CIA impact dimensions are rated High, meaning successful exploitation yields complete compromise within the affected security scope.
Attack Flow
Based on the available advisory details, the exploitation sequence would proceed as follows:
- An attacker with a low privilege local account on a Windows system identifies the vulnerable code path in the TCP/IP driver.
- The attacker crafts a sequence of operations, likely involving concurrent system calls or network operations, designed to trigger the race condition in the TCP/IP stack.
- By winning the race, the attacker corrupts internal state in a way that allows privilege escalation, potentially reaching SYSTEM level access.
- With elevated privileges, the attacker can install persistent backdoors, access protected data, or pivot laterally within the network.
Microsoft has not published specific details about the vulnerable code paths or the exact primitives involved. Because the fix targets the closed source Windows TCP/IP driver, no source code diff or commit is publicly available. The MSRC advisory lists no workarounds or alternative mitigations; the only remediation path is applying the cumulative update.
Race Condition Context
Race conditions in kernel level networking drivers are a well understood vulnerability class but remain difficult to eliminate entirely. The TCP/IP stack processes concurrent network events at high frequency, and any shared state that lacks proper synchronization primitives (spinlocks, mutexes, or atomic operations) can become an exploitation target. The Low attack complexity rating here suggests that the race window is relatively wide or that the attacker can reliably influence scheduling to trigger the condition.
Patch Information
Microsoft released an official fix for CVE-2026-34351 as part of its May 12, 2026 Patch Tuesday cumulative security updates. The MSRC advisory marks the Remediation Level as "Official Fix" and the Customer Action Required status as "Required," confirming that administrators must actively deploy the updates.
The fix is delivered through Windows Update, WSUS, and the Microsoft Update Catalog. The following Knowledge Base articles map to specific products:
| Product(s) | KB (Standard) | KB (Hotpatch) | Patched Build |
|---|---|---|---|
| Windows 11 24H2 / 25H2 (x64 and ARM64) | KB5089549 | KB5089466 | 10.0.26100.8457 / 10.0.26200.8457 |
| Windows 11 26H1 (x64 and ARM64) | KB5089548 | — | 10.0.28000.2113 |
| Windows 11 23H2 (x64 and ARM64) | KB5087420 | — | 10.0.22631.7079 |
| Windows 10 21H2 / 22H2 (x64, ARM64, x86) | KB5087544 | — | 10.0.19044.7291 / 10.0.19045.7291 |
| Windows 10 1809 / Server 2019 | KB5087538 | — | 10.0.17763.8755 |
| Windows 10 1607 / Server 2016 | KB5087537 | — | 10.0.14393.9140 |
| Windows Server 2025 (incl. Server Core) | KB5087539 | KB5087423 | 10.0.26100.32860 |
| Windows Server 2022 (incl. Server Core) | KB5087545 | KB5087424 | 10.0.20348.5139 |
| Windows Server 2022 23H2 (Server Core) | KB5087541 | — | 10.0.25398.2330 |
| Windows Server 2012 R2 | KB5087471 | — | 6.3.9600.23181 |
| Windows Server 2012 | KB5087470 | — | 6.2.9200.26079 |
Security Hotpatch updates (KB5089466, KB5087423, KB5087424) are available for Windows 11 24H2/25H2, Server 2025, and Server 2022. Hotpatching applies the fix in memory without requiring an immediate reboot, which is valuable for production server environments where uptime is critical.
Affected Systems and Versions
Based on the MSRC advisory and the patch matrix, the following Windows editions are confirmed affected:
Windows Client:
- Windows 11 version 26H1 (x64 and ARM64)
- Windows 11 version 24H2 and 25H2 (x64 and ARM64)
- Windows 11 version 23H2 (x64 and ARM64)
- Windows 10 version 22H2 (x64, ARM64, x86)
- Windows 10 version 21H2 (x64, ARM64, x86)
- Windows 10 version 1809 (x64, x86)
- Windows 10 version 1607 (x64, x86)
Windows Server:
- Windows Server 2025 (including Server Core)
- Windows Server 2022 23H2 (Server Core)
- Windows Server 2022 (including Server Core)
- Windows Server 2019 (version 1809)
- Windows Server 2016 (version 1607)
- Windows Server 2012 R2
- Windows Server 2012
The breadth of affected versions spans from legacy Server 2012 through the latest Windows 11 26H1 and Server 2025 releases, meaning virtually all supported Windows installations are in scope.
Vendor Security History
Elevation of privilege vulnerabilities are a recurring pattern in Microsoft's security updates. In 2025, EoP flaws accounted for 38.3 percent of all 1,130 Patch Tuesday CVEs. This persistent volume reflects the complexity of the Windows kernel and its many privilege boundaries, particularly in components like the TCP/IP stack that operate at high privilege levels and process concurrent operations at scale.
The May 2026 Patch Tuesday addressed 120 flaws total, with no zero days reported. CVE-2026-34351 was one of several networking stack fixes in this cycle.
References
- MSRC Advisory: CVE-2026-34351
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days (BleepingComputer)
- Microsoft Patch Tuesday 2025 Year in Review (Tenable)
- Tenable CVE Entry: CVE-2026-34351
- Desktop Operating System Market Share Worldwide (StatCounter)
- BleepingComputer May 2026 Patch Tuesday Report
- Microsoft Windows (Wikipedia)



