External risk intelligence

Windows Kernel Use-After-Free Allows Network Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-45657

A use-after-free vulnerability in the Windows Kernel allows an unauthorized attacker to execute code over a network. This critical flaw could lead to remote code execution, potentially impacting system integrity and availability. It is uncertain if the affected technology is present or reachable within our environment.

3Halo Surface Signal

Use After Free

Microsoft Windows 11 23h2

before 10.0.22631.7219before 10.0.26100.8655before 10.0.26200.8655before 10.0.28000.2269before 10.0.20348.5256before 10.0.26100.32995

External exposure likelihood

Halo Surface Signal score for CVE-2026-45657

The vulnerability exists within the Windows Kernel and is described as network-reachable. While kernel-level vulnerabilities can be reached via network protocols, they are typically protected by network boundaries, firewalls, or NAT and are not inherently public-facing services by design.

PCI scan relevance

PCI Relevance for CVE-2026-45657

Yes

CVE-2026-45657 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical Windows Kernel vulnerability allows remote code execution, which would likely cause a PCI ASV scan to fail and requires remediation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in the Windows Kernel, rated with a CVSS score of 9.8, could allow an unauthorized attacker to execute code over a network. The primary concern at this stage is to confirm if our environment utilizes the affected technology and assess potential exposure.

Unauthenticated network attacks can run malicious code.
Kernel-level flaws can bypass normal security layers.
Assess if our Windows systems are at risk.

Attack Path

How an attacker could exploit the issue

A network-based attacker could exploit a use-after-free flaw in the Windows Kernel to execute arbitrary code remotely. This vulnerability does not require any special privileges or user interaction, allowing an unauthorized attacker to gain control over a vulnerable system.

No authentication or privileges needed.
Triggered via network interaction.
Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

A use-after-free vulnerability in the Windows Kernel could allow an unauthorized attacker to execute code over a network. This means that when supported by the advisory, an attacker could potentially compromise the integrity and availability of the system through network-based code execution.

System data and service behavior.
Network access for code execution.
Unauthorized code execution.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical Windows Kernel vulnerability, allowing unauthenticated remote code execution, requires immediate attention from infrastructure and security teams. The first practical step is to identify all systems running the affected Windows Kernel, confirm their network reachability and business criticality, and then assign ownership for remediation planning.

Infrastructure and security teams own the issue.
Verify network exposure and system criticality first.
Plan remediation based on identified risk.

Frequently asked questions

What is the Windows Kernel and how does it relate to CVE-2026-45657?

The Windows Kernel is the core component of the operating system that manages hardware resources and provides fundamental services to applications. Because it sits at the lowest level of software, a flaw here like CVE-2026-45657 is severe, as it grants unauthorized access to the most powerful part of the system.

What is a use-after-free vulnerability?

A use-after-free, categorized under CWE-416, occurs when software continues to use a memory address after that memory has been cleared or released. If an attacker can manipulate this state, they may be able to force the system to perform unintended actions or execute unauthorized code within the kernel's memory space.

How does an attacker trigger this kernel vulnerability?

An attacker triggers this flaw by sending specifically crafted data over the network to the Windows Kernel. Importantly, this does not require local access, user interaction, or valid credentials to succeed. It is not triggered by standard, benign network traffic, but rather by malformed requests designed to exploit the memory management error.

Is my network-connected system at risk according to Halo Surface Signal?

Halo Surface Signal notes that while this vulnerability is reachable over a network, the Windows Kernel is not typically exposed as a public-facing service. Systems are most at risk if they are directly connected to the internet; however, those protected by firewalls, network boundaries, or NAT may have an reduced likelihood of reachability.

How should I begin addressing CVE-2026-45657?

Your first step is to create an inventory of all systems in your environment running the affected Windows Kernel versions. Once identified, evaluate which of these systems are reachable over the network and prioritize those that are critical to your business operations for upcoming remediation planning.

References

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45657

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.