ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-35424 Windows IKE Protocol Memory Leak Denial of Service

A short review of CVE-2026-35424, a memory leak vulnerability in the Windows Internet Key Exchange (IKE) Protocol that enables unauthenticated remote denial of service. Includes patch details and affected version information.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: CVE-2026-35424 Windows IKE Protocol Memory Leak Denial of Service
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A memory leak in the Windows Internet Key Exchange (IKE) Protocol, patched in Microsoft's May 2026 Patch Tuesday cycle, allows an unauthenticated remote attacker to exhaust system memory and deny service to affected hosts. For any organization running Windows systems that process IKE traffic, particularly VPN gateways, domain controllers, and perimeter servers facing untrusted networks, this vulnerability represents a straightforward path to availability disruption without requiring any credentials or user interaction.

Technical Information

Root Cause

CVE-2026-35424 stems from CWE-401: Missing Release of Memory after Effective Lifetime. The Windows IKE Protocol implementation allocates memory during the processing of incoming IKE packets but fails to properly release that memory once it is no longer needed. This creates a memory leak that accumulates over time as the service handles traffic.

IKE is a fundamental component of the IPsec protocol suite, responsible for negotiating security associations for VPN tunnels and other encrypted network communications. It typically listens on UDP port 500 (and port 4500 for NAT traversal scenarios). Because IKE is a closed source Windows binary, no source code diff is publicly available; the fix is delivered through cumulative and security only updates.

CVSS Metric Analysis

The vulnerability carries a CVSS 3.1 Base Score of 7.5 and a Temporal Score of 6.5. The individual metric values paint a clear picture of the threat profile:

MetricValueImplication
Attack VectorNetworkRemotely exploitable across network hops
Attack ComplexityLowNo specialized conditions required
Privileges RequiredNoneNo prior authorization or credentials needed
User InteractionNoneNo legitimate user participation required
Confidentiality ImpactNoneNo data disclosure
Integrity ImpactNoneNo data modification
Availability ImpactHighFull denial of service

The combination of network reachability, low complexity, and no authentication requirement makes this vulnerability particularly relevant for systems exposed to untrusted networks.

Attack Flow

An attacker targeting this vulnerability would follow a resource exhaustion strategy:

  1. Target identification: The attacker identifies a Windows system exposing IKE services, typically by probing UDP port 500 or port 4500.
  2. Crafted traffic generation: The attacker sends specially crafted IKE packets to the target. Each packet triggers a code path in the IKE service where memory is allocated but never freed.
  3. Sustained pressure: By maintaining a stream of these crafted packets over time, the attacker forces the target system to accumulate unreleased memory allocations.
  4. Resource exhaustion: As available system memory is consumed, the IKE service degrades. Depending on the system's memory capacity and workload, this can eventually cause the IKE service to fail entirely, and may impact other services competing for the same memory pool.

The key characteristic of this attack is that it does not require any valid IKE credentials or a completed security association negotiation. The memory leak is triggered during packet processing, before any authentication takes place.

Patch Information

Microsoft addressed CVE-2026-35424 with an official fix released on May 12, 2026, as part of the May 2026 Patch Tuesday security update cycle. The MSRC advisory sets the Remediation Level to "Official Fix," and the CVE.org record tags the advisory reference as both vendor-advisory and patch, confirming a complete vendor solution is available.

The patch corrects the IKE protocol's memory management so that allocated memory is properly freed once it is no longer needed, closing the leak path. Because IKE is a closed source binary, the fix is delivered through cumulative and security only updates across all affected Windows versions.

Below is a summary of the relevant Knowledge Base articles and their corresponding fixed build numbers:

Product FamilyKB Article(s)Fixed Build Number
Windows Server 2012 / 2012 (Server Core)KB50874706.2.9200.26079
Windows Server 2012 R2 / R2 (Server Core)KB50874716.3.9600.23181
Windows 10 1607 / Windows Server 2016KB508753710.0.14393.9140
Windows 10 1809 / Windows Server 2019KB508753810.0.17763.8755
Windows 10 21H2KB508754410.0.19044.7291
Windows 10 22H2KB508754410.0.19045.7291
Windows Server 2022KB5087545 (+ hotpatch KB5087424)10.0.20348.5139
Windows Server 2022, 23H2 EditionKB508754110.0.25398.2330
Windows 11 23H2KB508742010.0.22631.7079
Windows 11 24H2 / 25H2KB5089549 (+ hotpatch KB5089466)10.0.26100.8457 / 10.0.26200.8457
Windows Server 2025KB5087539 (+ hotpatch KB5087423)10.0.26100.32860
Windows 11 26H1KB508954810.0.28000.2113

A notable detail in this patch rollout is that several newer platforms, including Windows Server 2022, Windows Server 2025, and Windows 11 24H2/25H2, received both a standard cumulative security update and a separate Security Hotpatch Update. Hotpatching allows the fix to be applied in memory without requiring a full system reboot, which is particularly valuable for server workloads where uptime is critical.

To verify that a system is patched, administrators should compare the OS build number (accessible via winver or ver at a command prompt) against the fixed build numbers listed above. Any build at or above the listed threshold for the corresponding product is protected.

Affected Systems and Versions

Based on the patch information from the CVE.org record, the following Windows versions are confirmed affected:

  • Windows Server 2012 and Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2 and Windows Server 2012 R2 (Server Core installation)
  • Windows 10 version 1607
  • Windows Server 2016 and Windows Server 2016 (Server Core installation)
  • Windows 10 version 1809
  • Windows Server 2019 and Windows Server 2019 (Server Core installation)
  • Windows 10 21H2
  • Windows 10 22H2
  • Windows Server 2022 and Windows Server 2022 (Server Core installation)
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows 11 23H2
  • Windows 11 24H2
  • Windows 11 25H2
  • Windows Server 2025 and Windows Server 2025 (Server Core installation)
  • Windows 11 26H1

Any system running a build number below the fixed thresholds listed in the Patch Information section is vulnerable. Systems that do not have the IKE service active or that block IKE traffic at the network perimeter have reduced exposure but should still be patched.

Vendor Security History

Microsoft maintains a predictable monthly security update cadence. The May 2026 Patch Tuesday release addressed a significant volume of security flaws:

SourceTotal Vulnerabilities FixedZero Days Reported
BleepingComputer1200
IT Connect1200
The Hacker News1380

The absence of zero day vulnerabilities in this cycle provides a stable environment for administrators to test and deploy fixes through standard change management procedures. Microsoft's broad platform prevalence, with Windows 11 alone holding approximately 72.78 percent market share as of February 2026, means that vulnerabilities in core networking components like IKE carry significant aggregate risk across the installed base.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization