Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network.
According to the CVSS metric, the attack vector is network (AV:N), user interaction is required (UI:R), and privileges required are low (PR:L). What does that mean for this vulnerability?

Exploitation of this vulnerability requires an authorized attacker on the domain to wait for a user to initiate a connection to a malicious server that the attacker has set up prior to the user connecting.

How could an attacker exploit the vulnerability?

An attacker could exploit this vulnerability by sending a specially crafted NVMe over Fabrics (NVMe‑oF) response message during the connection handshake process that contains an invalid header length value.
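The defensive counterpart to the bug class described above is to validate the peer-supplied header length before any other field of the handshake response is read. The following is an added example, not Microsoft's code and not a description of the actual flaw in the driver. It assumes the NVMe/TCP transport, whose ICResp PDU has an 8-byte common header with HLEN at byte 2 and PLEN at bytes 4-7 and a fixed size of 128 bytes; `check_icresp`, `make_icresp` and the status names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: NVMe/TCP ICResp layout from the public transport spec. */
#define CH_LEN      8u    /* common header: type, flags, hlen, pdo, plen[4] */
#define ICRESP_TYPE 0x01u
#define ICRESP_LEN  128u  /* ICResp has a fixed header and PDU length */

enum pdu_status { PDU_OK, PDU_SHORT, PDU_BAD_TYPE, PDU_BAD_HLEN, PDU_BAD_PLEN };

/* Hypothetical helper: len is the byte count actually received, not a peer value. */
enum pdu_status check_icresp(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < CH_LEN)
        return PDU_SHORT;
    uint8_t hlen = buf[2];
    uint32_t plen = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
                    (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
    if (buf[0] != ICRESP_TYPE)
        return PDU_BAD_TYPE;
    if (hlen != ICRESP_LEN)   /* peer-supplied length must equal the fixed size */
        return PDU_BAD_HLEN;
    if (plen != hlen)         /* ICResp carries no data, so PLEN == HLEN */
        return PDU_BAD_PLEN;
    if (len < plen)           /* never parse past what was received */
        return PDU_SHORT;
    return PDU_OK;
}

/* Builds a constructed sample PDU for the demo; always writes 128 bytes. */
size_t make_icresp(uint8_t *out, uint8_t hlen, uint32_t plen)
{
    memset(out, 0, ICRESP_LEN);
    out[0] = ICRESP_TYPE;
    out[2] = hlen;
    for (int i = 0; i < 4; i++)
        out[4 + i] = (uint8_t)(plen >> (8 * i));
    return ICRESP_LEN;
}

int main(void)
{
    uint8_t pdu[ICRESP_LEN];
    size_t n = make_icresp(pdu, 24, 128);   /* constructed: wrong HLEN */
    printf("status=%d\n", (int)check_icresp(pdu, n));
    return 0;
}
```

A connection whose response fails any of these checks should be torn down before the buffer is handed to further parsing or freed along a partially initialized path.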
Microsoft Offensive Research & Security Engineering