Windows Kernel-Mode Driver Remote Code Execution Vulnerability
Plan Patch · CVSS 8 · CVE-2026-34332 · May 12, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
- Attack Vector: Network
- Auth Required: Low
- Complexity: Low
- User Interaction: Required
Summary
A use-after-free vulnerability exists in Windows Server 2025 kernel-mode drivers. An authenticated attacker with valid credentials can exploit this flaw over the network to execute arbitrary code in kernel mode, potentially compromising the entire system. Exploitation requires user interaction (opening a malicious file or link) but, once triggered, yields complete system control.
What this means
What could happen
A logged-in attacker with local or domain credentials could trigger the use-after-free in a kernel-mode driver and execute code at kernel level, potentially gaining full control of the Windows Server system and of any connected industrial processes or historians it manages.
Who's at risk
Water authorities and electric utilities that use Windows Server 2025 for historians, data logging, SCADA interfaces, or engineering workstations are affected. Any critical server running this operating system should be prioritized.
How it could be exploited
An attacker with valid Windows credentials initiates a network request that triggers a use-after-free condition in a kernel-mode driver. The attacker then injects code that executes at kernel level, bypassing normal application restrictions and gaining control of the entire system.
Prerequisites
- Valid Windows domain or local user credentials
- Network access to the affected Windows Server system
- User interaction required (a privileged user must open a malicious file or follow a link)
- Remotely exploitable
- Authentication required (valid credentials)
- Low complexity attack
- Affects server operating systems used in OT environments
- High impact (kernel-level code execution)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2): 2 with fix
Remediation & Mitigation
Schedule — requires maintenance window
- Patching may require device reboot — plan for process interruption
Windows Server 2025
- HOTFIX: Apply Microsoft May 2026 security update (Build 10.0.26100.32860 or later) to all Windows Server 2025 systems
Long-term hardening
Windows Server 2025
- HARDENING: Restrict network access to Windows Server 2025 systems to only authorized administrative and process control networks
- HARDENING: Disable or remove unnecessary kernel-mode drivers on Windows Server 2025 systems
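A verification script an administrator could run against the two remediation items above, added here as an example that is not part of the advisory or of any Microsoft tooling: it compares the host's full OS build (including the update build revision) with the 10.0.26100.32860 threshold the advisory states, and lists running kernel-mode drivers with their signer so the "unnecessary drivers" hardening item has a concrete review queue. The function names are the example's own, and treating non-Microsoft or unsigned drivers as the candidates for review is an assumption.

```powershell
# Added example, not from the advisory: verify the May 2026 update level on a
# Windows Server 2025 host and list running kernel-mode drivers for the hardening review.
# Run in an elevated PowerShell session. The build threshold is the one the advisory states.
$RequiredBuild = [version]'10.0.26100.32860'

function Get-OsBuildVersion {
    # [Environment]::OSVersion omits the update build revision (UBR), so read it from the registry.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber,
                                    $cv.CurrentBuildNumber, $cv.UBR)
}

function Test-PatchApplied {
    $current = Get-OsBuildVersion
    # Build 26100 is Windows Server 2025; any other build is outside this advisory's scope.
    if ($current.Build -ne $RequiredBuild.Build) {
        Write-Warning "Build $($current.Build) is not Windows Server 2025; this check does not apply."
        return $false
    }
    $ok = $current -ge $RequiredBuild
    Write-Host ("OS build {0}: {1}" -f $current, $(if ($ok) { 'patched' } else { 'UPDATE REQUIRED (reboot needed)' }))
    return $ok
}

function Get-RunningKernelDrivers {
    # Running kernel-mode drivers with their Authenticode signer. Inbox drivers that are only
    # catalog-signed may report NotSigned here, so treat the output as a review queue, not a verdict.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the path forms WMI returns: \SystemRoot\..., \??\C:\..., C:\...
            $path = $_.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
            $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                Path      = $path
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
                Status    = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
            }
        }
}

Test-PatchApplied | Out-Null
# Drivers not signed by Microsoft, or with an invalid/missing signature, are the ones to justify,
# disable or remove under the hardening item above.
Get-RunningKernelDrivers |
    Where-Object { $_.Signer -notmatch 'Microsoft' -or $_.Status -ne 'Valid' } |
    Sort-Object Name | Format-Table -AutoSize
```

Run it before and after the maintenance window: the first call confirms whether the reboot-requiring update is still outstanding, and the driver table gives the change record for anything removed under the hardening item.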
CVEs (1)
API: /api/v1/advisories/0150f2b9-feb3-4b1b-8434-aa268648f9c3