Windows TCP/IP Elevation of Privilege Vulnerability

Plan PatchCVSS 7.8CVE-2026-34351May 12, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A race condition in the Windows TCP/IP kernel component allows a local attacker with standard user privileges to elevate to administrative privileges. The vulnerability exists in concurrent execution of shared TCP/IP resources with improper synchronization. This affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2016, 2019, 2022 (including 23H2 edition), and Windows Server 2025, on 32-bit, x64, and ARM64 architectures.

What this means

What could happen

A local attacker with standard user credentials can exploit a race condition in the Windows TCP/IP stack to gain administrative privileges on the system, potentially allowing them to modify network configurations, install malware, or compromise operational processes running on that host.

Who's at risk

Windows 10 (all versions), Windows 11 (all versions), Windows Server 2016, 2019, 2022, and 2025. This impacts organizations running these operating systems on engineering workstations, HMI servers, data historians, and any OT-adjacent IT infrastructure that also hosts these systems. Water utilities and electric utilities using Windows-based SCADA servers, RTUs, or networked control systems are at risk if they run affected Windows versions.

How it could be exploited

An attacker with a standard user account on the Windows system can repeatedly trigger specific TCP/IP operations in a carefully timed manner to exploit a synchronization flaw in the kernel. By winning the race condition, the attacker's code runs with elevated privileges.

Prerequisites

Local access to the Windows system
Standard user-level credentials or ability to execute code in user context
No remote exploitation possible

Local privilege escalationLow attack complexityRequires standard user credentials or local code executionAffects all major Windows versions in current support

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (27)

27 with fix

ProductAffected VersionsFix Status

Windows 10 Version 1809 for 32-bit SystemsAll versionsBuild 10.0.17763.8755

Windows 10 Version 1809 for x64-based SystemsAll versionsBuild 10.0.17763.8755

Windows Server 2019All versionsBuild 10.0.17763.8755

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8755

Windows Server 2022All versionsBuild 10.0.20348.5139

Remediation & Mitigation

0/2

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Windows Server 2016

HOTFIXApply the 2026-May Windows security update from Microsoft to your affected Windows 10, Windows 11, Windows Server 2016, 2019, 2022, or 2025 systems.

Long-term hardening

0/1

HARDENINGRestrict local access to Windows systems to only authorized personnel with a documented business need; remove unnecessary local accounts.

CVEs (1)

CVE-2026-34351

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/76435e29-1b56-4179-9f00-5046d8f21689

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.