CVE-2026-33824
Double Free in Windows IKE Extension Enables Remote Code Execution
Publication date: 2026-04-14
Last updated on: 2026-04-17
Assigner: Microsoft Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | windows_10_1607 | to 10.0.14393.9060 (exc) |
| microsoft | windows_10_1607 | to 10.0.14393.9060 (exc) |
| microsoft | windows_10_1809 | to 10.0.17763.8644 (exc) |
| microsoft | windows_10_1809 | to 10.0.17763.8644 (exc) |
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_11_23h2 | to 10.0.22631.6936 (exc) |
| microsoft | windows_11_23h2 | to 10.0.22631.6936 (exc) |
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
| microsoft | windows_server_2016 | to 10.0.14393.9060 (exc) |
| microsoft | windows_server_2019 | to 10.0.17763.8644 (exc) |
| microsoft | windows_server_2022 | to 10.0.20348.5020 (exc) |
| microsoft | windows_server_2022_23h2 | to 10.0.25398.2274 (exc) |
| microsoft | windows_server_2025 | to 10.0.26100.32690 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-415 | The product calls free() twice on the same memory address. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an unauthorized attacker to execute code remotely on affected systems, which can lead to full compromise of confidentiality, integrity, and availability of data.
Such a critical security flaw with a CVSS score of 9.8 can severely impact compliance with standards like GDPR and HIPAA, which require protection of sensitive data and maintaining system security to prevent unauthorized access.
Failure to address this vulnerability could result in breaches of protected data, leading to non-compliance with these regulations and potential legal and financial consequences.
Can you explain this vulnerability to me?
This vulnerability is a double free issue in the Windows IKE Extension. A double free occurs when a program attempts to free the same memory location twice, which can lead to memory corruption.
In this case, the flaw allows an unauthorized attacker to exploit the vulnerability remotely over a network to execute arbitrary code.
How can this vulnerability impact me? :
This vulnerability can have a critical impact as it allows remote code execution without requiring any privileges or user interaction.
- An attacker could run malicious code on your system remotely.
- This could lead to full system compromise, including theft of data, installation of malware, or disruption of services.
- The vulnerability has a high severity score of 9.8, indicating its potential for serious damage.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability allows remote code execution due to a double free in the Windows IKE Extension. Immediate mitigation steps typically involve applying security updates or patches provided by the vendor.
Since this vulnerability is critical and can be exploited remotely without user interaction, it is recommended to check for and install the latest security updates from Microsoft as soon as possible.