Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Windows Internet Key Exchange (IKE) Service Extensions IKEv2 Double-Free Remote Code Execution

IdentifiersCVE-2026-33824CWE-415· Double Free

CVE-2026-33824 is a critical remote code execution vulnerability in Windows Internet Key Exchange (IKE) Service Extensions, specifically described as a double-free condition in ikeext.dll. The flaw is reachable in the IKEv2 processing path and can be triggered pre-authentication by sending specially crafted network packets to a Windows system with IKEv2 enabled. Public reporting in the provided content consistently characterizes the vulnerable surface as Windows hosts acting as IKEv2 responders, including RRAS VPN, DirectAccess, and Always-On VPN infrastructure. Successful exploitation is reported to result in code execution in the context of LocalSystem.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A successful exploit allows unauthenticated remote code execution against exposed Windows systems. Because the vulnerable service runs with high privilege, reported exploitation impact includes execution as LocalSystem, enabling full system compromise. On affected enterprise systems this can plausibly support takeover of VPN or IPsec endpoints, theft of sensitive data, disruption of secure connectivity, persistence, and lateral movement from a trusted network edge or tunnel termination point.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by blocking or restricting inbound IKE/IKEv2 traffic at the perimeter. The provided content specifically recommends blocking inbound UDP ports 500 and 4500 where IKE is not required. Where IKE must remain enabled, restrict inbound UDP 500/4500 to known peer addresses only. Prioritize externally reachable VPN gateways, RRAS servers, DirectAccess systems, and other IPsec/IKE responders for compensating controls until patches are deployed.

Remediation

Patch, then assume compromise.

Apply the Microsoft security updates for affected Windows versions. The provided content maps CVE-2026-33824 to Microsoft updates including, among others: Windows Server 2025 / Windows 11 24H2 KB5082063; Windows Server 2022 23H2 KB5082060; Windows Server 2022 KB5082142; Windows Server 2019 / Windows 10 1809 KB5082123; Windows Server 2016 / Windows 10 1607 KB5082198; Windows 11 23H2 KB5082052; Windows 11 25H2 KB5083769; Windows 11 26H1 KB5083768; Windows 10 21H2 and 22H2 KB5082200. After patching, validate that VPN tunnels, IPsec connectivity, authentication flows, DirectAccess, RRAS, and Always-On VPN functionality continue to operate correctly.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 3 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindowsoperating_system
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows 11 24h2operating_system
Microsoft CorporationWindows 11 25h2operating_system
Microsoft CorporationWindows 11 26h1operating_system
Microsoft CorporationWindows Ike Extensionoperating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 2025operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

43 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

43 SOURCESView more in app
cyberthroneNews
May 14, 2026
Microsoft MDASH: When the Machine Becomes the Red Team - TheCyberThrone

A critical pre-authentication remote code execution double-free vulnerability in Windows IKEEXT (ikeext.dll) reachable over UDP/500 against IKEv2 responders, leading to code execution as LocalSystem.

Read more
bugflationNews
May 12, 2026
Microsoft MDASH publishes 16 Windows networking and authentication CVEs - Bugflation

A critical unauthenticated remote code execution vulnerability in Windows ikeext.dll caused by an IKEv2 double-free that can result in LocalSystem code execution.

Read more
sophos threat researchNews
Apr 17, 2026
Microsoft addresses 163 CVEs, 88 advisories for April Patch Tuesday | SOPHOS

A critical remote code execution vulnerability in Windows Internet Key Exchange (IKE) Service Extensions with CVSS 9.8, affecting secure IPsec association negotiation and potentially broad connectivity exposure.

Read more
the hacker newsNews
Apr 15, 2026
Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities

A critical remote code execution vulnerability in Windows Internet Key Exchange (IKE) Service Extensions that can be exploited by sending specially crafted packets to a Windows machine with IKEv2 enabled.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity30

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-33824
NVD
nvd.nist.gov/vuln/detail/CVE-2026-33824
MITRE CWE · CWE-415
Double Free
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824