Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Windows TCP/IP networking stack across Windows 10, 11, and Server versions allows unauthenticated network attackers to execute arbitrary code by exploiting a race condition in shared resource synchronization. The vulnerability affects all supported Windows versions from Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has released patches addressing this high-severity flaw (CVSS 8.1). No public exploit identified at time of analysis, though SSVC assessment
Technical ContextAI
The vulnerability resides in the Windows TCP/IP protocol stack implementation, specifically in concurrent execution logic where multiple threads or processes access shared network resources without proper synchronization primitives (CWE-362). Race conditions of this nature typically occur when time-of-check-to-time-of-use (TOCTOU) flaws allow attackers to manipulate state between validation and use operations. In network stack implementations, such vulnerabilities often arise in packet processing routines where buffer management, connection state handling, or memory allocation occurs across concurrent threads. The affected CPE range spans the entire Windows ecosystem including Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (22H3, 23H2, 24H2, 25H2, 26H1), and all Windows Server editions from 2012 through 2025, indicating the flaw exists in core TCP/IP code shared across these platforms for over a decade.
RemediationAI
Apply Microsoft security updates immediately to upgrade affected systems to patched versions. Windows 10 1607 and Server 2016 require build 10.0.14393.9060 or later. Windows 10 1809 and Server 2019 need build 10.0.17763.8644 or higher. Windows 10 21H2 requires build 10.0.19044.7184 minimum, while 22H2 needs 10.0.19045.7184. Windows 11 22H3 and 23H2 require build 10.0.22631.6936, version 24H2 needs 10.0.26100.32690, version 25H2 requires 10.0.26200.8246, and version 26H1 needs 10.0.28000.1836. Server 2012 requires 6.2.9200.26026, Server 2012 R2 needs 6.3.9600.23132, Server 2022 requires 10.0.20348.5020, Server 2022 23H2 needs 10.0.25398.2274, and Server 2025 requires 10.0.26100.32690. Patches available through Windows Update, WSUS, or Microsoft Update Catalog. For systems that cannot be immediately patched, implement network segmentation to limit exposure of vulnerable TCP/IP stacks to untrusted networks, though no complete workaround exists for this code-level flaw. Full remediation details at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33827.
Same weakness CWE-362 – Race Condition
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22647
GHSA-84rj-w2f7-fjx4