Cyber Resilience

CVE-2026-33824

Critical

Published: 14 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: see Microsoft MSRC update guide
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5585 (98.9th percentile)
Risk Priority: 80 (floored blend · peak EPSS)

Summary

CVE-2026-33824 is a critical-severity Double Free (CWE-415) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 1.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33824 is a double free vulnerability (CWE-415) in the Windows IKE Extension. This flaw affects Windows systems that utilize the IKE Extension component for Internet Key Exchange operations. Published on 2026-04-14T18:17:34.767, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

An unauthenticated attacker can exploit this vulnerability remotely over the network without any privileges or user interaction. Successful exploitation triggers a double free condition that enables arbitrary code execution on the target system, with high impact to confidentiality, integrity, and availability.

Microsoft provides guidance on this vulnerability through its Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824.

Vulnerability details

Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.

CWE(s)

CWE-415 Double Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The double free vulnerability in the Windows IKE Extension component allows remote unauthenticated attackers to trigger arbitrary code execution over the network, directly enabling exploitation of remote services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33838 (same product: Microsoft Windows 10 1607)
CVE-2026-34329 (same product: Microsoft Windows 10 1607)
CVE-2026-33827 (same product: Microsoft Windows 10 1607)
CVE-2026-26163 (same product: Microsoft Windows 10 1607)
CVE-2026-20832 (same product: Microsoft Windows 10 1607)
CVE-2025-49688 (same product: Microsoft Windows Server 2016)
CVE-2026-32069 (same product: Microsoft Windows 10 1809)
CVE-2026-32074 (same product: Microsoft Windows 10 1809)
CVE-2025-21248 (same product: Microsoft Windows 10 1607)
CVE-2026-23669 (same product: Microsoft Windows 10 1607)

Affected Assets

Vendor: microsoft. Affected builds (at or below the listed build are affected):

windows 10 1607: ≤ 10.0.14393.9060
windows 10 1809: ≤ 10.0.17763.8644
windows 10 21h2: ≤ 10.0.19044.7184
windows 10 22h2: ≤ 10.0.19045.7184
windows 11 23h2: ≤ 10.0.22631.6936
windows 11 24h2: ≤ 10.0.26100.8246
windows 11 25h2: ≤ 10.0.26200.8246
windows 11 26h1: ≤ 10.0.28000.1836
windows server 2016: ≤ 10.0.14393.9060
windows server 2019: ≤ 10.0.17763.8644
+3 more product configuration(s), see NVD for the full list
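A quick local exposure check, added here as an example and not part of the advisory or any Microsoft tooling: it reads the installed Windows build (including the UBR revision from the registry) and compares it against the affected build ceilings listed above, then reports the state of the IKEEXT service, which is assumed here to be the service behind the "Windows IKE Extension" component. Builds whose major.minor.build prefix is not in the table are reported as not listed rather than guessed at.

```powershell
# Added example (not from the advisory). Affected ceilings are copied from the
# Affected Assets table above; a build at or below its ceiling is in range.
$affectedCeilings = @{
    '10.0.14393' = 9060   # Windows 10 1607 / Windows Server 2016
    '10.0.17763' = 8644   # Windows 10 1809 / Windows Server 2019
    '10.0.19044' = 7184   # Windows 10 21H2
    '10.0.19045' = 7184   # Windows 10 22H2
    '10.0.22631' = 6936   # Windows 11 23H2
    '10.0.26100' = 8246   # Windows 11 24H2
    '10.0.26200' = 8246   # Windows 11 25H2
    '10.0.28000' = 1836   # Windows 11 26H1
}

function Get-LocalBuild {
    # CurrentVersion holds the build number and the UBR (Update Build Revision),
    # which [Environment]::OSVersion does not expose.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]::new([int]$cv.CurrentMajorVersionNumber,
                   [int]$cv.CurrentMinorVersionNumber,
                   [int]$cv.CurrentBuildNumber,
                   [int]$cv.UBR)
}

function Test-Cve202633824Exposure {
    param([Parameter(Mandatory)][version]$Build)

    $key = '{0}.{1}.{2}' -f $Build.Major, $Build.Minor, $Build.Build
    if (-not $affectedCeilings.ContainsKey($key)) {
        return [pscustomobject]@{
            Build   = $Build
            Ceiling = $null
            Status  = 'build not listed on this page; check NVD for the full list'
        }
    }

    $ceiling = $affectedCeilings[$key]
    $status  = if ($Build.Revision -le $ceiling) {
        'AFFECTED: at or below the listed ceiling, apply the April 2026 update (SI-2)'
    } else {
        'above the listed ceiling: update appears installed'
    }
    [pscustomobject]@{ Build = $Build; Ceiling = "$key.$ceiling"; Status = $status }
}

Test-Cve202633824Exposure -Build (Get-LocalBuild) | Format-List

# Assumption: the IKE and AuthIP IPsec Keying Modules service (IKEEXT) is the
# component this CVE concerns. A stopped/disabled service on hosts that do not
# need IPsec reduces exposure until patched (SC-7 style boundary control).
Get-Service -Name IKEEXT -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Run it in an elevated PowerShell session on each host in scope; the registry read and Get-Service work without elevation, but fleet-wide collection is usually done through your endpoint management tooling rather than by hand.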

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

SI-2 Flaw Remediation (prevent)
Requires timely remediation of flaws like this double free vulnerability through patching, directly preventing exploitation.

SI-16 Memory Protection (prevent)
Enforces memory protections such as DEP and ASLR that mitigate double free exploitation leading to code execution.

SC-7 Boundary Protection (prevent)
Implements boundary protections to restrict network access to the vulnerable IKE Extension service, reducing remote attack opportunities.