CVE-2026-33824: Remote Code Ex... Note

CVE-2026-33824: Remote Code Execution in Windows IKEv2

TrendAI Research identified a double free vulnerability, CVE-2026-33824, in the Windows Internet Key Exchange (IKE) service, originally discovered by the WARP & MORSE team at Microsoft. This flaw, present in IKEv2's fragment processing, could lead to a crash of the IKEEXT service or arbitrary code execution. The vulnerability stems from improper ownership handling of a heap-allocated blob pointer during IKEv2 fragment reassembly within ikeext.dll. During the IKE_SA_INIT exchange, a Security Realm Vendor ID payload causes IkeHandleSecurityRealmVendorId() to allocate a blob, stored in the MMSA structure. When a fragmented IKE_AUTH message is reassembled, IkeReinjectReassembledPacket shallow-copies this blob pointer into a local stack struct. This struct is then shallow-copied into a heap-allocated work item by IkeQueueRecvRequest. The first free occurs when IkeDestroyPacketContext processes the work item and releases this shallow-copied blob pointer. The MMSA structure still holds the original pointer to the same allocation. The second free happens when the MMSA is cleaned up via IkeCleanupMMNegotiation, which eventually triggers IkeFreeMMSA, attempting to free the already released allocation. An unauthenticated, remote attacker can exploit this by sending a crafted IKE_SA_INIT message followed by two or more Encrypted Fragment payloads with an invalid IKE_AUTH message. Detection requires monitoring UDP ports 500 and 4500 for a specific IKE_SA_INIT sequence (including the Microsoft Security Realm Vendor ID) followed by a fragmented IKE_AUTH request containing a particular byte sequence. Microsoft patched this vulnerability in April 2026, recommending blocking inbound traffic on UDP ports 500 and 4500, or restricting traffic to known peer addresses, as temporary mitigations. Applying the vendor's update is the only full remediation.
CdXz5zHNQW_WT3iiMmsPg.jpeg