On April 14, 2026, Microsoft fixed CVE-2026-33827, a remote code execution flaw in the Windows TCP/IP stack. It shipped in the April Patch Tuesday release, the same one that closed more than 160 bugs. This one stands out because it needs no credentials and no action from the victim: a crafted packet arriving at the right moment is enough.
The bug is a race condition (CWE-362). When Windows reassembles IPv6 fragments on a host with IPsec enabled, the code path that verifies the IPsec signature and the one that manages fragment buffers do not synchronize properly. Two threads can touch the same buffer at once, and that leads to a use-after-free or double-free in kernel memory. An attacker who sends crafted IPv6 packets and wins the race can turn that memory corruption into arbitrary code execution in kernel context: full control of the machine.
Microsoft's advisory scores it CVSS 8.1 and rates it Critical. Those are two different scales: 8.1 falls in the CVSS "High" band, while Critical is Microsoft's own severity rating. The Zero Day Initiative flagged it as potentially wormable: a network bug with no authentication and no user interaction that, in theory, a worm could use to hop from machine to machine on its own. That label is not handed out casually, and it is the reason to patch without waiting for the next maintenance window.
Who is affected
Exploitation has one important precondition: IPsec must be enabled on the target. That narrows the real attack surface considerably. The most exposed candidates are VPN gateways, DirectAccess or Always On VPN servers, site-to-site tunnel endpoints, and hosts running IPsec transport-mode policies. IPsec can also be on without anyone remembering it: connection security rules pushed by Group Policy count. A home workstation with default settings usually has no IPsec active.
Winning the race requires precise timing, so this is not an exploit that fires reliably on the first try or lends itself to blind mass scanning. At disclosure there was no public proof of concept and no observed exploitation in the wild. Even so, the "remote + unauthenticated + kernel + wormable" combination puts it high on the priority list.
Mitigation
The fix ships in the April 2026 cumulative update (KB5039218 or any later cumulative update, via Windows Update). Once installed, the vulnerable code path is gone.
If you can't patch a specific machine right away, disable IPsec where it isn't needed, and where it is needed, restrict which peers can negotiate IPsec with those hosts, both at the network edge and in the IPsec rules themselves. Neither replaces the patch, but both cut exposure while you roll it out.
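To make the two checks above concrete (is IPsec actually active on this host, and is the April update installed) and to show the interim restriction in practice, here is an added PowerShell example. It is not code from the original post or from Microsoft. It assumes the KB number quoted above and uses placeholder values for the IPsec rules to keep and the peers allowed to negotiate; replace both for your environment. Run it in an elevated session; it only reports unless `-Enforce` is passed.

```powershell
# Added example, not from the original post or from Microsoft.
# Step 1: report patch state and whether IPsec is in force (the exploit precondition).
# Step 2: for hosts that cannot be patched yet, disable IPsec rules that are not
#         needed and scope the remaining ones to known peers (dry run by default).
# ASSUMED values: $KbId is the KB named in the post; $KeepRules and $AllowedPeers
# are placeholders for your own environment.

$KbId         = 'KB5039218'
$KeepRules    = @('Site-to-Site Tunnel DC1')           # ASSUMED: IPsec rules that must stay on
$AllowedPeers = @('203.0.113.10', '2001:db8:10::/48')  # ASSUMED: peers allowed to negotiate

function Get-IPsecExposure {
    # Enabled connection-security (IPsec) rules in the policy actually in force,
    # whether they came from local config or from Group Policy.
    $rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' })
    # Live security associations prove IPsec is not just configured but in use.
    $mmSa = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue)
    $qmSa = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)
    $ike  = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $ver  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        # Caveat: Get-HotFix only sees this exact package. A later cumulative update
        # supersedes it, so also compare OsBuild against the builds Microsoft lists.
        PatchPresent = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
        OsBuild      = '{0}.{1}' -f $ver.CurrentBuild, $ver.UBR
        IkeService   = if ($ike) { $ike.Status } else { 'NotFound' }
        EnabledRules = $rules.DisplayName
        MainModeSAs  = $mmSa.Count
        QuickModeSAs = $qmSa.Count
        # Exposed = IPsec policy active on this host; patch state decides the urgency.
        Exposed      = ($rules.Count -gt 0 -or $mmSa.Count -gt 0)
    }
}

function Limit-IPsecPeers {
    param([switch]$Enforce)
    $mode = @{ WhatIf = -not $Enforce }   # dry run unless -Enforce is given
    $active = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
              Where-Object { $_.Enabled -eq 'True' }
    foreach ($rule in $active) {
        if ($KeepRules -contains $rule.DisplayName) {
            # Keep the rule, but only let the listed peers negotiate against it.
            $rule | Set-NetIPsecRule -RemoteAddress $AllowedPeers @mode -ErrorAction Continue
        } else {
            # Not on the keep list: turn it off until the patch is installed.
            $rule | Disable-NetIPsecRule @mode -ErrorAction Continue
        }
        # Rules delivered by Group Policy cannot be changed here; Set-/Disable-NetIPsecRule
        # will report an error for them and they must be edited in the GPO instead.
    }
}

$report = Get-IPsecExposure
$report | Format-List
if ($report.Exposed -and -not $report.PatchPresent) {
    Write-Warning 'IPsec is active and the April update was not found: patch first. Interim restriction follows as a dry run.'
    Limit-IPsecPeers          # add -Enforce to apply the changes
}
```

The report is deliberately split from the enforcement step so it can be run fleet-wide (for example via `Invoke-Command`) to find the hosts where IPsec is really on, which is a much shorter list than "every Windows machine". The `Exposed` flag is about attack surface only; a host that is exposed but already shows the patch needs no further action.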
This CVE wasn’t the only serious one in the bulletin. The same day Microsoft closed a wormable RCE in the Windows IKE service at CVSS 9.8 and a SharePoint zero-day that was already under active attack. For the full picture, see our roundup of the April 2026 Patch Tuesday and the breakdown of the SharePoint zero-day. Support timelines and affected versions live on the Windows page.