CVE-2026-26111
Published: 10 March 2026
Summary
CVE-2026-26111 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and remediation of flaws such as the integer overflow in RRAS to prevent exploitation.
Prohibits or restricts nonessential services like RRAS, eliminating exposure to this network-facing vulnerability on systems where it is not required.
Enforces boundary protections to monitor and control communications with RRAS, limiting unauthorized or malformed network traffic from reaching the vulnerable service.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
RCE via malformed network traffic to the RRAS remote service (public-facing when enabled for VPN/remote access) by a low-privileged authenticated attacker directly enables remote service exploitation and privilege escalation to arbitrary code execution.
NVD Description
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.
Deeper analysisAI
CVE-2026-26111 is an integer overflow or wraparound vulnerability in the Windows Routing and Remote Access Service (RRAS). It affects Microsoft Windows systems where RRAS is enabled, allowing potential exploitation through malformed network traffic processed by this component. The issue is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-190 (Integer Overflow or Wraparound), with a CVSS v3.1 base score of 8.0.
An authorized attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation enables arbitrary code execution on the target system, resulting in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) without changing the scope (S:U).
Microsoft's Security Response Center (MSRC) provides mitigation guidance and patch details in its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26111, published on 2026-03-10. Security practitioners should review this advisory for deployment instructions.
Details
- CWE(s)