Wormable Windows TCP/IP Race Condition RCE (CVE-2026-33827) — IPv6-Enabled Networks Face EternalBlue-Class Propagation Risk

A race condition in the Windows TCP/IP stack allows unauthenticated remote code execution against systems with IPv6 or IPSec enabled, demonstrated at Pwn2Own 2026 and patched in April's Patch Tuesday. The vulnerability's wormable characteristics — no user interaction, no authentication, network-adjacent propagation — place it in the same risk category as EternalBlue for environments that have not applied the April update.

Tags: windows, tcpip, rce, wormable, ipv6, ipsec, patch-tuesday, cvss-critical

CVE-2026-33827 is a race condition in the Windows TCP/IP network driver that allows an unauthenticated attacker on an adjacent network to execute arbitrary code on affected systems without user interaction. It was demonstrated at Pwn2Own 2026 before Microsoft’s April Patch Tuesday and patched in the same release. Its CVSS score of 8.1 understates the operational risk: the vulnerability is wormable.

The Technical Specifics

The race condition exists in the Windows TCP/IP stack’s handling of IPv6 and IPSec traffic. An attacker sends a sequence of specially crafted packets that trigger a timing window in memory management, resulting in a write primitive that can be developed into code execution at kernel privilege. The attack requires network adjacency — the attacker must be on a network segment that can reach the target — but requires no authenticated session, no service interaction, and no victim action.

Wormable means a compromised host can autonomously scan its network segment for additional vulnerable systems and exploit them without attacker involvement. The comparison to EternalBlue — the exploit behind WannaCry and NotPetya — is apt not because the vulnerability mechanisms are similar, but because the propagation characteristics are: unauthenticated, no user interaction, spreads host-to-host.

This is a distinct vulnerability from CVE-2026-33824, the Windows IKE service RCE covered previously. That flaw was in the IKE key exchange service. CVE-2026-33827 is in the base TCP/IP driver — a different code path, a different attack surface, patched in the same Patch Tuesday update.

Affected Scope

All Windows 10 and 11 versions, and Windows Server 2016 through 2025, are affected when IPv6 is enabled on any network interface. IPv6 is enabled by default on all modern Windows installations. IPSec configurations provide an alternative attack path on systems where IPv6 may be disabled.

The network adjacency requirement provides partial natural containment — an attacker needs to be on the same subnet or directly routed network segment. In practice, enterprise flat networks, wireless guest segments with access to internal subnets, and cloud VPC environments where multiple tenants share an adjacent routing domain all reduce the isolation this requirement implies.

Why This Requires Immediate Attention

April 2026 Patch Tuesday received significant coverage for its two zero-days and its volume of 167 CVEs. CVE-2026-33827 was patched in the same release but received less attention than the SharePoint and Kerberos vulnerabilities. Pwn2Own demonstrations produce public interest without always producing immediate operational urgency; the result is that organisations may have deprioritised this vulnerability relative to others in the same Patch Tuesday.

The wormable characteristic changes the calculus. A single unpatched host on a network segment is not just a risk to itself — it is a potential beachhead for worm propagation to every other unpatched host on the same segment. Given that April Patch Tuesday is less than two weeks old, the percentage of enterprise environments that have fully deployed the patch across all hosts remains below 100%.

  • Treat April 2026 Patch Tuesday deployment as highest priority if not already complete, specifically targeting servers and network-adjacent hosts. Workstations matter; servers on shared network segments matter more.
  • Inventory IPv6 status: If your environment does not use IPv6 for any operational purpose, disabling it on all interfaces via Group Policy is a valid temporary compensating control. Use Get-NetAdapterBinding -ComponentID ms_tcpip6 to audit current status at scale.
  • Segment IPv6 broadcast domains: If IPv6 must remain enabled, ensure network segmentation limits the blast radius of worm propagation. Flat networks where all hosts are adjacent are highest risk.
  • Monitor for exploitation indicators: Anomalous TCP/IP scanning from internal hosts — particularly high-rate, destination-diverse connection attempts from a single source on a short time window — is a signal of worm activity. Alert on this pattern in your SIEM.
  • Prioritise patch deployment on Windows Server hosts running on shared hypervisors or in cloud environments where network adjacency with other tenants is possible.
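The two operational items above (inventorying IPv6 binding state and alerting on destination-diverse connection bursts) can be scripted. The following PowerShell is an added example written for this article, not Microsoft's code or a tool the article references. It builds on the Get-NetAdapterBinding cmdlet the article names, uses the real Disable-NetAdapterBinding cmdlet for the compensating control, and then applies a simple sliding-window heuristic to connection records. Host names, thresholds and the sample connection log are constructed for illustration; the audit and disable functions assume WinRM is reachable and the caller is a local administrator on each target.

```powershell
# Added example, not code from the original article.
# Part 1: audit (and optionally unbind) IPv6 on a set of hosts.
# Part 2: flag sources that reach many distinct destinations in a short window,
#         the worm-propagation signal the article describes.
# Host names, thresholds and the sample log are constructed for illustration.

#Requires -Version 5.1

function Get-IPv6BindingReport {
    <# One row per adapter per host showing whether ms_tcpip6 is bound.
       Assumes WinRM is enabled and the caller is a local admin on each host. #>
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-NetAdapterBinding -ComponentID ms_tcpip6 |
            Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } }, Name, Enabled
    }
}

function Disable-IPv6Binding {
    <# Temporary compensating control from the article: unbind IPv6 on every adapter.
       Only where IPv6 has no operational use; -WhatIf previews the change. #>
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($target in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($target, 'Disable ms_tcpip6 on all adapters')) {
            Invoke-Command -ComputerName $target -ScriptBlock {
                Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6 -PassThru
            }
        }
    }
}

function Find-ScanLikeSources {
    <# Flags any source that contacts at least $DistinctDestinationThreshold distinct
       destination addresses within some $WindowSeconds span.
       Input rows need Time ([datetime]), Src and Dst properties. #>
    param(
        [Parameter(Mandatory)][object[]]$Connections,
        [int]$WindowSeconds = 60,
        [int]$DistinctDestinationThreshold = 50
    )

    foreach ($group in ($Connections | Group-Object Src)) {
        $events = @($group.Group | Sort-Object Time)
        $peak = 0
        # Sliding window anchored at each event; O(n^2) is fine for a per-source slice.
        for ($i = 0; $i -lt $events.Count; $i++) {
            $windowEnd = $events[$i].Time.AddSeconds($WindowSeconds)
            $inWindow  = $events[$i..($events.Count - 1)] | Where-Object { $_.Time -le $windowEnd }
            $distinct  = @($inWindow | Select-Object -ExpandProperty Dst -Unique).Count
            if ($distinct -gt $peak) { $peak = $distinct }
        }
        if ($peak -ge $DistinctDestinationThreshold) {
            [pscustomobject]@{
                Src                  = $group.Name
                PeakDistinctDstInWin = $peak
                WindowSeconds        = $WindowSeconds
            }
        }
    }
}

# Constructed sample: 10.0.5.17 sweeps 80 neighbours in 30 seconds (worm-like);
# 10.0.5.42 talks to the same three servers repeatedly (normal traffic).
$base   = Get-Date '2026-04-20T09:00:00'
$sample = @()
foreach ($n in 1..80) {
    $sample += [pscustomobject]@{ Time = $base.AddMilliseconds(375 * $n); Src = '10.0.5.17'; Dst = "10.0.5.$(100 + $n)" }
}
foreach ($n in 1..40) {
    $sample += [pscustomobject]@{ Time = $base.AddSeconds(3 * $n); Src = '10.0.5.42'; Dst = "10.0.1.$(($n % 3) + 10)" }
}

# Only 10.0.5.17 is reported (80 distinct destinations inside one 60-second window).
Find-ScanLikeSources -Connections $sample -WindowSeconds 60 -DistinctDestinationThreshold 50

# Audit usage (hypothetical host names):
# Get-IPv6BindingReport -ComputerName 'srv-app01', 'srv-app02' | Format-Table
# Disable-IPv6Binding  -ComputerName 'srv-app01' -WhatIf
```

In production the `$sample` rows would come from whatever already records internal connections, such as Windows Filtering Platform audit events (Event ID 5156) exported from endpoints, firewall logs or flow records, mapped to the Time/Src/Dst shape the function expects. The threshold and window are deliberately conservative starting points; tune them against a baseline of the segment's normal east-west traffic before alerting on the pattern in the SIEM, since backup servers, vulnerability scanners and monitoring hosts legitimately exhibit destination-diverse bursts and should be allow-listed rather than paged on.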
