CTI Swarm
NEW Microsoft CRITICAL

CVE-2026-33824: Remote Code Execution in Windows IKEv2

Zero Day Initiative - Blog · CVE-2026-33824

Key Insight

IKEv2 RCE threatens VPN infrastructure and remote-access systems; critical for Windows Server 2022/2019 in DACH environments with distributed sites.

Description

Zero Day Initiative — CVE-2026-33824: Remote Code Execution in Windows IKEv2

    CVE-2026-33824: Remote Code Execution in Windows IKEv2

    April 23, 2026 | TrendAI Research Team

    _In this excerpt of a TrendAI Research Services vulnerability report, Richard Chen and Lucas Miller of the TrendAI Research team detail a recently patched double free vulnerability in the Windows Internet Key Exchange (IKE) service. This bug was originally discovered by the WARP & MORSE team at Microsoft. Successful exploitation could result in a crash of the IKEEXT service, or potentially arbitrary code execution. The following is a portion of their write-up covering CVE-2026-33824, with a few minimal modifications._

    * * *

    A double free vulnerability has been reported in the Windows Internet Key Exchange (IKEv2) service. The vulnerability is due to an error when processing fragments.

    An unauthenticated, remote attacker could exploit this vulnerability by sending crafted packets to the target server. Successful exploitation could result in a crash of the IKEEXT service, or potentially arbitrary code execution.

    Microsoft Windows is an operating system which includes both server and desktop components along with an easy-to-use GUI. All currently supported versions of Windows include Internet Key Exchange Protocol Extensions to support the Virtual Private Network (VPN) feature.

    The VPN feature of Windows encrypts communication between hosts. ISAKMP is a negotiation protocol used by IPsec-enabled hosts to build a security association. It uses the Internet Key Exchange (IKE) Protocol in order to negotiate keys for encrypted communication. IKE has two versions: IKEv1 and IKEv2. IKE version 1 (IKEv1) and version 2 (IKEv2) messages have the following general format:


    Field | Length (Bytes) | Description
    ----- | -------------- | -----------
    IKE   |                |
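The rows of the message-format table did not survive extraction. As an added illustration that is not part of the ZDI write-up, the parser below checks an IKEv2 message against the fixed 28-byte header layout of RFC 7296 (the same layout as the ISAKMP/IKEv1 header) and the Encrypted Fragment payload of RFC 7383, the payload type that carries the fragments a reassembly routine like the one discussed later must handle. The sample message, the function names and the reason codes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed IKE header, RFC 7296 section 3.1. Layout taken from the RFC, not from
 * this page. */
#define IKE_HDR_LEN 28u
#define IKEV2_MAJOR 2u
#define IKEV2_ENCRYPTED_FRAGMENT 53u   /* RFC 7383 payload type */

typedef struct {
    uint64_t spi_i, spi_r;
    uint8_t  next_payload, major, minor, exchange_type, flags;
    uint32_t message_id, length;
} ike_header;

typedef struct {
    uint8_t  next_payload;
    uint16_t payload_len, frag_num, total_frags;
} ike_frag_payload;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t be64(const uint8_t *p) { return ((uint64_t)be32(p) << 32) | be32(p + 4); }

/* Parse the fixed header. Returns 0 on success or a negative reason code:
 * -1 short buffer, -2 wrong major version, -3 Length field inconsistent with
 * the bytes actually received. The Length field is attacker-controlled and is
 * never trusted over buf_len. */
int ike_parse_header(const uint8_t *buf, size_t buf_len, ike_header *h)
{
    if (buf_len < IKE_HDR_LEN) return -1;
    h->spi_i = be64(buf);
    h->spi_r = be64(buf + 8);
    h->next_payload = buf[16];
    h->major = buf[17] >> 4;
    h->minor = buf[17] & 0x0f;
    h->exchange_type = buf[18];
    h->flags = buf[19];
    h->message_id = be32(buf + 20);
    h->length = be32(buf + 24);
    if (h->major != IKEV2_MAJOR) return -2;
    if (h->length < IKE_HDR_LEN || h->length > buf_len) return -3;
    return 0;
}

/* Parse an Encrypted Fragment payload (RFC 7383 section 2.5): generic payload
 * header, then Fragment Number and Total Fragments. Counters that cannot
 * describe a valid position are rejected before any reassembly state is
 * touched. Reason codes: -1 short, -2 declared payload length inconsistent,
 * -3 bad fragment counters. */
int ike_parse_fragment(const uint8_t *p, size_t len, ike_frag_payload *f)
{
    if (len < 8) return -1;
    f->next_payload = p[0];
    f->payload_len = be16(p + 2);
    f->frag_num = be16(p + 4);
    f->total_frags = be16(p + 6);
    if (f->payload_len < 8 || f->payload_len > len) return -2;
    if (f->total_frags == 0 || f->frag_num == 0 || f->frag_num > f->total_frags) return -3;
    return 0;
}

/* Constructed sample: an IKE_AUTH request (exchange type 35) carrying fragment
 * 1 of 2. SPIs and payload bytes are made up for this example. */
static const uint8_t SAMPLE_MSG[] = {
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,   /* initiator SPI */
    0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00,   /* responder SPI */
    53,                                        /* next payload: Encrypted Fragment */
    0x20,                                      /* version 2.0 */
    35,                                        /* exchange type IKE_AUTH */
    0x08,                                      /* flags: Initiator */
    0x00,0x00,0x00,0x01,                       /* message ID 1 */
    0x00,0x00,0x00,0x28,                       /* length 40 = 28 header + 12 payload */
    0x00, 0x00, 0x00,0x0c,                     /* next payload 0, reserved, payload length 12 */
    0x00,0x01, 0x00,0x02,                      /* fragment 1 of 2 */
    0xde,0xad,0xbe,0xef                        /* stand-in for IV / ciphertext */
};

/* Walk a message end to end. Returns the fragment number on success, -4 if the
 * first payload is not an Encrypted Fragment, otherwise the negative reason
 * code from whichever check failed. */
int parse_sample(const uint8_t *msg, size_t len)
{
    ike_header h;
    ike_frag_payload f;
    int rc;
    if ((rc = ike_parse_header(msg, len, &h)) != 0) return rc;
    if (h.next_payload != IKEV2_ENCRYPTED_FRAGMENT) return -4;
    if ((rc = ike_parse_fragment(msg + IKE_HDR_LEN, h.length - IKE_HDR_LEN, &f)) != 0) return rc;
    return f.frag_num;
}

/* Re-parse the sample with a different Fragment Number (bytes 32..33) so the
 * counter check can be exercised without hand-editing the array. */
int parse_sample_with_frag_num(uint16_t n)
{
    uint8_t buf[sizeof SAMPLE_MSG];
    memcpy(buf, SAMPLE_MSG, sizeof buf);
    buf[32] = (uint8_t)(n >> 8);
    buf[33] = (uint8_t)(n & 0xff);
    return parse_sample(buf, sizeof buf);
}
```

The two checks worth copying are the ones a reassembly layer depends on: the header's Length field is validated against the bytes actually received rather than the other way round, and a fragment's number and total are range-checked before the fragment is allowed anywhere near a fragment list.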

```c
__int64 IkeReinjectReassembledPacket(void *pFragList, __int64 pMMSA, __int64 *pFragContext, __int64 pMMSACtx)
{
    IKE_RECV_CONTEXT recvCtx;
    memset(&recvCtx, 0, 0xF0);
    dwReassembledSize = 0;
    status = WfpMemAlloc(pFragList->dwTotalSize);
    if ( !status )
    {
        // Copy of fragment context fields (0xA8 bytes)
        recvCtx.sourceAddr = pFragContext[0];            // +0x00: source address
        [ ...address and metadata fields copied via SSE moves... ]
        recvCtx.destAddr = pFragContext[3];              // +0x30: dest address
        [ ...continued... ]
        recvCtx.pRealmBlobData_VULN = pFragContext[9];   // +0x90: SHALLOW COPY of blob ptr
        recvCtx.pMMSACtxData = pFragContext[20];         // +0xA0: MMSA context

        // Reassemble fragments into a single contiguous buffer
        pCurEntry = pFragList->pHead;
        pReassembledBuf = recvCtx.pReassembledBuf;
        while ( pCurEntry != pFragList )
        {
            status = WfpUINT32Add(dwReassembledSize, pCurEntry->dwDataSize, &tmp);
            if ( status )
                goto cleanup;
            memcpy(pReassembledBuf + dwReassembledSize, pCurEntry->pData, pCurEntry->dwDataSize);
            dwReassembledSize += pCurEntry->dwDataSize;
            pCurEntry = pCurEntry->pFlink;
        }
        [ ...IKEv2 header fixup omitted for readability... ]

        // Re-queue reassembled packet for IKEv2 processing
        status = IkeQueueRecvRequest(&recvCtx, 1);
    }
cleanup:
    WfpMemFree(&recvCtx.pReassembledBuf);
    // FREE #1 PATH: ClearFragList iterates the fragment list
    ClearFragList(pFragList);
    if ( status )
        WfpReportError(status, "IkeReinjectReassembledPacket");
    return status;
}

__int64 IkeQueueRecvRequest(__int64 pRecvCtx, int a2)
{
    status = WfpMemAlloc(0xF0);                                  // Allocate heap work item
    if ( status )
        goto error;
    pWorkItem = pWorkItemAlloc;
    // Shallow copy of entire IKE_RECV_CONTEXT (0xF0 bytes) into heap work item.
    *(OWORD *)pWorkItem = *(OWORD *)pRecvCtx;                    // +0x00
    *(OWORD *)(pWorkItem + 1) = *(OWORD *)(pRecvCtx + 1);        // +0x10
    [ ...14 more 16-byte copies... ]
    *(OWORD *)(pWorkItem + 14) = *(OWORD *)(pRecvCtx + 14);      // +0xE0
    // Deep-copy the reassembly buffer (offset +0x10)
    status = WfpMemAlloc(*(DWORD *)(pRecvCtx + 24));
    [ ...memcpy of reassembly buffer... ]
    // Queue for thread pool processing
    IkeQueueWorkItem(IkeHandleRecvRequest, pWorkItem);
    [ ...
```
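The decompilation above highlights one pointer (the realm blob at +0x90) that is copied by value into the receive context and again into the heap work item, while the fragment list cleanup still treats the fragment context as its owner. The excerpt cuts off before the second release path, so the following added example, which is not code from the ZDI write-up or from Windows, models the ownership bug class in isolation: a small tracking allocator counts a second free of the same block instead of corrupting the heap, and the two functions show the shallow-copy pattern next to a version where ownership is transferred to exactly one holder. The structure names, the work-item handler and the second free path are assumptions for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Tracking allocator constructed for this illustration. It remembers live
 * blocks so that a second free of the same pointer is counted and skipped
 * rather than handed to the real heap. Not part of Windows or IKEEXT. */
#define MAX_LIVE 16
static void *g_live[MAX_LIVE];
static int g_double_frees;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!g_live[i]) { g_live[i] = p; return p; }
    free(p);
    return NULL;
}

static void tracked_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (g_live[i] == p) { g_live[i] = NULL; free(p); return; }
    g_double_frees++;                  /* pointer is not live: a second free */
}

/* Number of blocks still allocated; non-zero after a test means a leak. */
static int live_blocks(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) n += (g_live[i] != NULL);
    return n;
}

/* Stand-ins for the two structures in the excerpt: the per-fragment context
 * that owns a heap blob, and the receive context built from it. */
typedef struct { char *blob; } frag_context;
typedef struct { char *blob; } recv_context;

/* Analogue of the queued work item: a heap copy of the receive context that
 * another thread consumes later and whose blob it releases. This second
 * release path is assumed; the excerpt ends before showing it. */
static void handle_work_item(recv_context *item)
{
    tracked_free(item->blob);
    tracked_free(item);
}

/* Pattern from the excerpt: the blob pointer is copied by value into the
 * receive context and again into the heap work item, while the fragment
 * list cleanup still believes it owns the blob. Both owners free it.
 * Returns the number of double frees the tracker observed. */
int reinject_shallow_copy(void)
{
    g_double_frees = 0;
    frag_context fc = { tracked_alloc(64) };
    recv_context rc = { fc.blob };                     /* shallow copy #1 */
    recv_context *item = tracked_alloc(sizeof *item);
    *item = rc;                                        /* shallow copy #2 */
    tracked_free(fc.blob);                             /* fragment cleanup: free #1 */
    handle_work_item(item);                            /* work item: free #2 */
    return g_double_frees;
}

/* Corrected pattern: ownership of the blob moves to the work item and the
 * fragment context is cleared, so exactly one holder frees it. (A deep copy
 * with each side freeing its own copy is the other standard fix.) Returns
 * double frees observed plus blocks leaked, so 0 means correct. */
int reinject_transfer_ownership(void)
{
    g_double_frees = 0;
    frag_context fc = { tracked_alloc(64) };
    recv_context *item = tracked_alloc(sizeof *item);
    item->blob = fc.blob;
    fc.blob = NULL;                                    /* fragment context no longer owns it */
    tracked_free(fc.blob);                             /* cleanup now frees nothing */
    handle_work_item(item);
    return g_double_frees + live_blocks();
}
```

The design point is that a pointer-bearing structure copied by value has two owners unless the code says otherwise; either null out the source after the move, or deep-copy the referenced buffer the way the excerpt already does for the reassembly buffer at +0x10. In production code the tracking allocator is replaced by the platform's own checks (Page Heap or Application Verifier on Windows), which detect the same second free at test time.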

    This vulnerability was patched by Microsoft in the April 2026 release cycle. They do note two mitigations that could prevent exploitation while the patch is being tested and deployed.

    The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.


Risk Score: 88

| Component | Value |
| --- | --- |
| CVSS base | 98.00 |
| KEV bonus | 0.00 |
| EPSS bonus | 0.00 |
| PoC bonus | 15.00 |
| Raw before weight | 113.00 |
| Industry weight | 1.56 |
| Freshness factor | 0.50 |
| Days old | 23.00 |

Path: operational

MITRE ATT&CK Mapping

| Technique | Tactic | Procedure | Conf. | Source |
| --- | --- | --- | --- | --- |
| T1190 Exploit Public-Facing Application | Initial Access | An unauthenticated remote attacker exploits CVE-2026-33824, a double free vulnerability in the Windows IKEv2/IKEEXT service, by sending specially crafted IKE protocol messages to a target Windows system exposed over the network. | high | llm |
| T1203 Exploitation for Client Execution | Execution | Successful exploitation of the double free vulnerability in the Windows IKEEXT service (CVE-2026-33824) could result in arbitrary code execution on the target system. | high | llm |
| T1499.004 Application or System Exploitation | Impact | Exploitation of CVE-2026-33824 can cause a crash of the IKEEXT service on the target Windows system as an alternative outcome to code execution. | medium | llm |