
CVE-2026-33824: the wormable Windows IKE RCE that reaches SYSTEM with a single UDP packet

Microsoft’s April 14, 2026 Patch Tuesday fixed one of the most serious Windows flaws of the year. CVE-2026-33824 is a double free in the Windows IKE (Internet Key Exchange) extension, the component that negotiates IPsec and VPN connections. It carries a CVSS of 9.8, squarely in the critical range, and the vector is what makes it dangerous: an attacker with no credentials can trigger it across the network.

What it actually is

IKE is the protocol two endpoints use to agree on encryption keys before bringing up an IPsec tunnel. On Windows the IKEEXT service handles this, implemented in IKEEXT.dll. The flaw (classified as CWE-415, double free) sits in the logic that processes IKEv2 messages, specifically the SA_INIT phase of the exchange. When handling crafted packets, the memory management routines free the same heap buffer twice. That second free() on already-released memory is the classic foundation for corrupting the heap and, with enough effort, redirecting execution.

Because IKEEXT runs with system privileges, a successful exploit grants code execution at SYSTEM level. No user interaction is involved: sending the traffic is enough.

Who it affects

The list of affected versions is broad. It covers Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (22H2 onward, including 24H2 and 25H2) and Windows Server 2016 and later. In practice, any Windows machine with IPsec or a VPN configured that listens on UDP ports 500 and 4500 is in scope.

The most worrying detail is that the Zero Day Initiative flags it as wormable. An attacker doesn’t need a specific target: the code can jump from one vulnerable machine to the next automatically, the way EternalBlue and WannaCry did. That turns a single internet-exposed host into an entry point for an entire internal network.

Severity and exploitation

CVSS 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network, low complexity, no privileges, no interaction, full impact on confidentiality, integrity and availability. At patch time Microsoft had not marked it as exploited in the wild, but the wormable potential and the simplicity of the vector make it a prime candidate for patch reverse-engineering followed by abuse. Public analyses of the flaw are already circulating, so the window to act is narrow.

Mitigation

Apply the April 2026 update as soon as possible; it’s the definitive fix. If you can’t patch right away, Microsoft suggests two measures:

  • On machines that don’t use IKE, block inbound traffic on UDP ports 500 and 4500.
  • On machines that do need IPsec, restrict those ports so they only accept traffic from known peer addresses.

It’s also worth auditing which machines expose IKE to the internet, since that’s where the risk of automatic propagation is highest. If you run Windows servers in a domain, prioritise domain controllers and edge hosts.
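The audit and the two interim measures above, as an added PowerShell example that is not part of the original article or of Microsoft's guidance. It assumes an elevated session with the built-in NetSecurity module, and the peer addresses in `$KnownPeers` are constructed placeholders; pick either the block function or the restrict function for a given host, never both.

```powershell
# Added example: audit IKE exposure, then apply one of the two interim measures.
# Peer list is a constructed placeholder; replace with your real IPsec/VPN peers.
$KnownPeers = @('203.0.113.10', '198.51.100.0/24')

function Test-IkeExposure {
    # Is the IKE service up, and are UDP 500/4500 actually bound?
    $svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    Write-Output "IKEEXT service status: $($svc.Status)"
    Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
    # Which existing firewall rules already touch these ports?
    Get-NetFirewallPortFilter -Protocol UDP |
        Where-Object { $_.LocalPort -match '^(500|4500)$' } |
        Get-NetFirewallRule |
        Select-Object DisplayName, Direction, Action, Enabled, Profile
}

function Block-IkeInbound {
    # Measure 1: hosts that do not use IKE. Explicit Block rules win over
    # Allow rules in Windows Firewall, so this closes the ports outright.
    New-NetFirewallRule -DisplayName 'Block inbound IKE UDP 500/4500 (CVE-2026-33824)' `
        -Direction Inbound -Protocol UDP -LocalPort 500, 4500 `
        -Action Block -Profile Any -Enabled True
}

function Restrict-IkeToPeers {
    param([string[]]$Peers)
    # Measure 2: hosts that need IPsec. Because Block beats Allow, scoping
    # relies on the profile default (inbound Block) plus a narrow Allow rule;
    # broader Allow rules for these ports found by Test-IkeExposure must go.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    New-NetFirewallRule -DisplayName 'Allow IKE from known peers only (CVE-2026-33824)' `
        -Direction Inbound -Protocol UDP -LocalPort 500, 4500 `
        -RemoteAddress $Peers -Action Allow -Profile Any -Enabled True
}

Test-IkeExposure
# Then, per host: Block-IkeInbound   -or-   Restrict-IkeToPeers -Peers $KnownPeers
```

Run `Test-IkeExposure` across your fleet first so that hosts with a listening IKEEXT and a broad Allow rule are the ones you prioritise.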

This patch shipped in the same Patch Tuesday that fixed other critical Windows RCEs, so it makes sense to run the full Windows update cycle rather than patching in isolation.
