Skip to content
Threat Feed
medium advisory

CVE-2026-35424: Windows IKE Protocol Memory Leak Denial-of-Service

CVE-2026-35424 is a denial-of-service vulnerability in the Windows Internet Key Exchange (IKE) Protocol caused by a missing release of memory after its effective lifetime, allowing an unauthenticated remote attacker to trigger a denial of service over a network.

CVE-2026-35424 describes a denial-of-service vulnerability affecting the Windows Internet Key Exchange (IKE) Protocol. The root cause is a failure to release memory after its effective lifetime. An unauthenticated attacker can exploit this vulnerability by sending specially crafted network packets to a vulnerable system, leading to a memory leak. Repeated exploitation exhausts system resources, resulting in a denial-of-service condition. This vulnerability poses a risk to systems relying on IKE for secure communication, potentially disrupting network services and impacting business operations.

Attack Chain

  1. An attacker identifies a target system running the Windows Internet Key Exchange (IKE) Protocol.
  2. The attacker crafts malicious IKE packets designed to trigger the memory leak.
  3. The attacker sends the crafted packets to the target system over the network, using UDP port 500 or 4500.
  4. The vulnerable IKE service on the target system processes the malicious packets.
  5. Due to the missing memory release, the IKE service fails to free allocated memory after processing each packet.
  6. Repeated sending of malicious packets leads to a progressive memory leak, consuming available system memory.
  7. As memory resources become exhausted, the system’s performance degrades significantly.
  8. Eventually, the system becomes unresponsive, resulting in a denial-of-service condition, impacting IKE-dependent services.

Impact

Successful exploitation of CVE-2026-35424 leads to a denial-of-service condition on the targeted Windows system. This can disrupt network services that rely on the IKE protocol, such as VPNs and IPsec tunnels. The impact ranges from degraded performance to complete system unresponsiveness, potentially affecting a single machine or an entire network segment depending on the scope of the attack and the system’s role.

Recommendation

  • Apply the security update provided by Microsoft to patch CVE-2026-35424 as detailed in the Microsoft Security Response Center advisory [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35424].
  • Monitor network traffic for suspicious IKE packets originating from untrusted sources using the provided network connection Sigma rule.
  • Implement rate limiting on IKE traffic to mitigate the impact of potential exploitation attempts.

Detection coverage 1

Detect CVE-2026-35424 IKE DoS - High Volume Network Connections

medium

Detects CVE-2026-35424 exploitation attempt by monitoring high volume of network connections to IKE ports

sigma tactics: availability techniques: T1498 sources: network_connection, windows

Detection queries are available on the platform. Get full rules →