Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability

Status: Plan Patch
CVSS: 7.5
CVE: CVE-2026-35424
Date: May 12, 2026
Vendor: Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Windows Internet Key Exchange (IKE) Protocol fails to properly release memory after its effective lifetime is exceeded. An unauthenticated attacker can send crafted network packets to trigger a memory leak, causing the IKE service to consume increasing amounts of memory until the system becomes unresponsive. This denial of service impacts systems using IKE for VPN and IPsec remote access. Affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server (2016, 2019, 2022, 2025) across 32-bit, x64, and ARM64 architectures. Exploitation likelihood is assessed as unlikely, but Microsoft has released patches in the May 2026 security update cycle.

What this means
What could happen
An attacker on the network can send specially crafted IKE packets to cause a Windows system to consume memory and become unresponsive, disrupting remote access and VPN connectivity that may be critical to plant operations.
Who's at risk
Operators managing Windows-based systems that provide remote access or VPN connectivity, especially in hybrid OT environments where engineers need to access SCADA systems, HMIs, or control servers from offsite. This includes Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025 installations in all architectures.
How it could be exploited
An attacker sends malicious IKE (Internet Key Exchange) protocol packets to UDP port 500 or 4500 on a Windows machine, triggering a memory leak in the IKE handler. The target system accumulates memory that is never released, eventually exhausting available RAM and causing the system to stop responding to network requests.
Prerequisites
  • Network access to UDP ports 500 or 4500 (IKE ports) on the target Windows system
  • No authentication required
  • IKE service must be enabled (typically on systems with VPN, IPSec, or remote access configured)
Key risk factors
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Affects availability of critical remote access infrastructure
  • Memory exhaustion can impact dependent OT systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (27)
27 with fix
Product | Affected Versions | Fix Status
Windows 10 Version 1809 for 32-bit Systems | All versions | Build 10.0.17763.8755
Windows 10 Version 1809 for x64-based Systems | All versions | Build 10.0.17763.8755
Windows Server 2019 | All versions | Build 10.0.17763.8755
Windows Server 2019 (Server Core installation) | All versions | Build 10.0.17763.8755
Windows Server 2022 | All versions | Build 10.0.20348.5139
Remediation & Mitigation
Do now
WORKAROUND: Restrict access to IKE ports (UDP 500 and 4500) from untrusted networks using firewall rules; allow only legitimate VPN client and partner networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply the May 2026 Windows security update for your Windows version (Build 10.0.17763.8755 for Windows 10 v1809/Server 2019; Build 10.0.19044.7291 for Windows 10 v21H2; Build 10.0.19045.7291 for Windows 10 v22H2; Build 10.0.20348.5139 for Server 2022; Build 10.0.26100.32860 for Server 2025; appropriate builds for Windows 11 versions)
Long-term hardening
HARDENING: If IKE/VPN/IPsec is not required, disable the IKE service to eliminate the attack surface
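The three remediation items above (firewall restriction, patch verification, optional service removal) as one PowerShell script. This is an added example, not code from OTPulse or Microsoft. It assumes 203.0.113.0/24 stands in for your approved VPN peer networks (a constructed placeholder), that the Windows IKE service is named IKEEXT, and that the fixed build numbers are those the advisory lists; Windows 11 builds are not on the page, so the patch check reports them as unknown rather than guessing.

```powershell
# Added example (not from the advisory): restrict IKE ports, audit firewall
# rules, verify patch level, and optionally disable the IKE service. Run elevated.
# Assumptions: 203.0.113.0/24 is a constructed placeholder for legitimate VPN
# peer/client networks; the IKE service name is IKEEXT
# ("IKE and AuthIP IPsec Keying Modules").

$AllowedIkePeers = @('203.0.113.0/24')   # placeholder, replace with real peer networks

function Restrict-IkePorts {
    param([string[]]$AllowedPeers)

    # Interfaces on the Public profile (untrusted networks) get an explicit block.
    New-NetFirewallRule -DisplayName 'IKE - Block on untrusted networks' `
        -Direction Inbound -Protocol UDP -LocalPort 500,4500 `
        -Profile Public -Action Block | Out-Null

    # Domain/Private interfaces accept IKE only from the listed peers. This relies
    # on the profile's default inbound action being Block; a broader allow rule
    # for UDP 500/4500 would still admit other peers, so audit with the next function.
    New-NetFirewallRule -DisplayName 'IKE - Allow from approved VPN peers' `
        -Direction Inbound -Protocol UDP -LocalPort 500,4500 `
        -Profile Domain,Private -RemoteAddress $AllowedPeers -Action Allow | Out-Null
}

function Get-IkeFirewallRules {
    # Lists every inbound rule touching UDP 500 or 4500 so unexpected allow rules
    # (for example with RemoteAddress "Any") can be spotted and removed.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'UDP' -and (@($_.LocalPort) -match '^(500|4500)$') } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Name          = $_.DisplayName
                Enabled       = $_.Enabled
                Action        = $_.Action
                Profile       = $_.Profile
                RemoteAddress = ($addr -join ',')
            }
        }
}

function Test-IkePatchLevel {
    # Fixed builds taken from the advisory for the May 2026 update. The UBR
    # (update build revision) is the last component of the build string.
    $FixedUbr = @{
        '17763' = 8755    # Windows 10 1809 / Server 2019
        '19044' = 7291    # Windows 10 21H2
        '19045' = 7291    # Windows 10 22H2
        '20348' = 5139    # Server 2022
        '26100' = 32860   # Server 2025
    }
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR
    if (-not $FixedUbr.ContainsKey($build)) {
        return "Build 10.0.$build.$ubr is not in the advisory's fixed-build list; check the vendor bulletin."
    }
    if ($ubr -ge $FixedUbr[$build]) { return "Patched: 10.0.$build.$ubr" }
    return "NOT patched: 10.0.$build.$ubr (needs 10.0.$build.$($FixedUbr[$build]))"
}

function Disable-IkeService {
    # Long-term hardening only where IKE/IPsec/VPN is confirmed unnecessary:
    # IPsec policies and VPN connections that use IKE/AuthIP stop working.
    Stop-Service -Name IKEEXT -Force -ErrorAction Stop
    Set-Service  -Name IKEEXT -StartupType Disabled
}

Restrict-IkePorts -AllowedPeers $AllowedIkePeers
Get-IkeFirewallRules | Format-Table -AutoSize
Test-IkePatchLevel
# Disable-IkeService   # uncomment only after confirming IKE is not required
```

Run the audit function again after applying the rules: any remaining inbound allow rule for UDP 500/4500 with an unscoped remote address defeats the workaround, and the patch check should be re-run after the reboot that the hotfix may require.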
API: /api/v1/advisories/e3dd321b-63e3-4227-8b1f-42d02f9305fe

Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | CVSS 7.5 - OTPulse