Introduction
A memory leak in the Windows Internet Key Exchange (IKE) Protocol, patched in Microsoft's May 2026 Patch Tuesday cycle, allows an unauthenticated remote attacker to exhaust system memory and deny service to affected hosts. For any organization running Windows systems that process IKE traffic, particularly VPN gateways, domain controllers, and perimeter servers facing untrusted networks, this vulnerability represents a straightforward path to availability disruption without requiring any credentials or user interaction.
Technical Information
Root Cause
CVE-2026-35424 stems from CWE-401: Missing Release of Memory after Effective Lifetime. The Windows IKE Protocol implementation allocates memory during the processing of incoming IKE packets but fails to properly release that memory once it is no longer needed. This creates a memory leak that accumulates over time as the service handles traffic.
IKE is a fundamental component of the IPsec protocol suite, responsible for negotiating security associations for VPN tunnels and other encrypted network communications. It typically listens on UDP port 500 (and port 4500 for NAT traversal scenarios). Because IKE is a closed source Windows binary, no source code diff is publicly available; the fix is delivered through cumulative and security only updates.
CVSS Metric Analysis
The vulnerability carries a CVSS 3.1 Base Score of 7.5 and a Temporal Score of 6.5. The individual metric values paint a clear picture of the threat profile:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Remotely exploitable across network hops |
| Attack Complexity | Low | No specialized conditions required |
| Privileges Required | None | No prior authorization or credentials needed |
| User Interaction | None | No legitimate user participation required |
| Confidentiality Impact | None | No data disclosure |
| Integrity Impact | None | No data modification |
| Availability Impact | High | Full denial of service |
The combination of network reachability, low complexity, and no authentication requirement makes this vulnerability particularly relevant for systems exposed to untrusted networks.
Attack Flow
An attacker targeting this vulnerability would follow a resource exhaustion strategy:
- Target identification: The attacker identifies a Windows system exposing IKE services, typically by probing UDP port 500 or port 4500.
- Crafted traffic generation: The attacker sends specially crafted IKE packets to the target. Each packet triggers a code path in the IKE service where memory is allocated but never freed.
- Sustained pressure: By maintaining a stream of these crafted packets over time, the attacker forces the target system to accumulate unreleased memory allocations.
- Resource exhaustion: As available system memory is consumed, the IKE service degrades. Depending on the system's memory capacity and workload, this can eventually cause the IKE service to fail entirely, and may impact other services competing for the same memory pool.
The key characteristic of this attack is that it does not require any valid IKE credentials or a completed security association negotiation. The memory leak is triggered during packet processing, before any authentication takes place.
Patch Information
Microsoft addressed CVE-2026-35424 with an official fix released on May 12, 2026, as part of the May 2026 Patch Tuesday security update cycle. The MSRC advisory sets the Remediation Level to "Official Fix," and the CVE.org record tags the advisory reference as both vendor-advisory and patch, confirming a complete vendor solution is available.
The patch corrects the IKE protocol's memory management so that allocated memory is properly freed once it is no longer needed, closing the leak path. Because IKE is a closed source binary, the fix is delivered through cumulative and security only updates across all affected Windows versions.
Below is a summary of the relevant Knowledge Base articles and their corresponding fixed build numbers:
| Product Family | KB Article(s) | Fixed Build Number |
|---|---|---|
| Windows Server 2012 / 2012 (Server Core) | KB5087470 | 6.2.9200.26079 |
| Windows Server 2012 R2 / R2 (Server Core) | KB5087471 | 6.3.9600.23181 |
| Windows 10 1607 / Windows Server 2016 | KB5087537 | 10.0.14393.9140 |
| Windows 10 1809 / Windows Server 2019 | KB5087538 | 10.0.17763.8755 |
| Windows 10 21H2 | KB5087544 | 10.0.19044.7291 |
| Windows 10 22H2 | KB5087544 | 10.0.19045.7291 |
| Windows Server 2022 | KB5087545 (+ hotpatch KB5087424) | 10.0.20348.5139 |
| Windows Server 2022, 23H2 Edition | KB5087541 | 10.0.25398.2330 |
| Windows 11 23H2 | KB5087420 | 10.0.22631.7079 |
| Windows 11 24H2 / 25H2 | KB5089549 (+ hotpatch KB5089466) | 10.0.26100.8457 / 10.0.26200.8457 |
| Windows Server 2025 | KB5087539 (+ hotpatch KB5087423) | 10.0.26100.32860 |
| Windows 11 26H1 | KB5089548 | 10.0.28000.2113 |
A notable detail in this patch rollout is that several newer platforms, including Windows Server 2022, Windows Server 2025, and Windows 11 24H2/25H2, received both a standard cumulative security update and a separate Security Hotpatch Update. Hotpatching allows the fix to be applied in memory without requiring a full system reboot, which is particularly valuable for server workloads where uptime is critical.
To verify that a system is patched, administrators should compare the OS build number (accessible via winver or ver at a command prompt) against the fixed build numbers listed above. Any build at or above the listed threshold for the corresponding product is protected.
Affected Systems and Versions
Based on the patch information from the CVE.org record, the following Windows versions are confirmed affected:
- Windows Server 2012 and Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2 and Windows Server 2012 R2 (Server Core installation)
- Windows 10 version 1607
- Windows Server 2016 and Windows Server 2016 (Server Core installation)
- Windows 10 version 1809
- Windows Server 2019 and Windows Server 2019 (Server Core installation)
- Windows 10 21H2
- Windows 10 22H2
- Windows Server 2022 and Windows Server 2022 (Server Core installation)
- Windows Server 2022, 23H2 Edition (Server Core installation)
- Windows 11 23H2
- Windows 11 24H2
- Windows 11 25H2
- Windows Server 2025 and Windows Server 2025 (Server Core installation)
- Windows 11 26H1
Any system running a build number below the fixed thresholds listed in the Patch Information section is vulnerable. Systems that do not have the IKE service active or that block IKE traffic at the network perimeter have reduced exposure but should still be patched.
Vendor Security History
Microsoft maintains a predictable monthly security update cadence. The May 2026 Patch Tuesday release addressed a significant volume of security flaws:
| Source | Total Vulnerabilities Fixed | Zero Days Reported |
|---|---|---|
| BleepingComputer | 120 | 0 |
| IT Connect | 120 | 0 |
| The Hacker News | 138 | 0 |
The absence of zero day vulnerabilities in this cycle provides a stable environment for administrators to test and deploy fixes through standard change management procedures. Microsoft's broad platform prevalence, with Windows 11 alone holding approximately 72.78 percent market share as of February 2026, means that vulnerabilities in core networking components like IKE carry significant aggregate risk across the installed base.
References
- MSRC Advisory: CVE-2026-35424
- NVD Entry: CVE-2026-35424
- CVE.org Record: CVE-2026-35424
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- The Hacker News: Microsoft Patches 138 Vulnerabilities
- IT Connect: Patch Tuesday May 2026
- Windows Central: Windows 11 Market Share February 2026



