CVE-2026-33824 – Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability

This critical vulnerability affects the Windows Internet Key Exchange (IKE) service, specifically IKEv2, where improper memory handling allows a double free condition. An attacker can exploit this flaw remotely by sending specially crafted network packets, leading to full remote code execution. With no authentication or user interaction required, this issue represents a severe risk to exposed systems, particularly those using VPN or IPsec services.

CVSS Score: 9.8
SEVERITY: Critical
THREAT: Remote Code Execution

EXPLOITS:
No public exploits or proof-of-concept (PoC) code have been observed. The vulnerability is not publicly disclosed and is currently assessed as less likely to be exploited, though its characteristics make it highly attractive for threat actors.

TECHNICAL SUMMARY:
The vulnerability is caused by a double free condition (CWE-415) in the Windows IKE service extensions. This occurs when the system incorrectly handles memory deallocation during processing of IKEv2 packets. An attacker can send specially crafted packets to trigger the double free, leading to memory corruption. This corruption can be leveraged to execute arbitrary code in the context of the system, potentially granting full control over the affected machine. Because the attack occurs over the network and requires no authentication, it significantly increases the attack surface.

EXPLOITABILITY:
Affects Windows systems with IKEv2 enabled.
Exploitation is performed remotely via specially crafted UDP packets sent to ports 500 and 4500.

BUSINESS IMPACT:
This vulnerability poses a serious threat to enterprise environments, especially those relying on VPN or IPsec for secure communications. Successful exploitation can result in complete system compromise, allowing attackers to steal sensitive data, disrupt operations, or move laterally across the network. The lack of required user interaction makes this especially dangerous for internet-facing systems.

WORKAROUND:
Block inbound traffic on UDP ports 500 and 4500 if IKE is not required.
If IKE is necessary, restrict access to these ports to trusted IP addresses only.

URGENCY:
This vulnerability exposes systems to unauthenticated remote code execution with no user interaction required. Its low attack complexity and full system impact make it a prime candidate for rapid weaponization. Internet-facing systems running IKEv2 services are particularly at risk, and delaying patch deployment increases exposure to potential widespread attacks.