A CVSS 9.8 double-free vulnerability in the Windows Internet Key Exchange service allows unauthenticated remote attackers to achieve SYSTEM-level code execution on all supported Windows versions. With no user interaction required and confirmation of pre-patch exploitation, every unpatched Windows host with IKEv2 enabled is at immediate risk. Apply the April 2026 Patch Tuesday update or block UDP ports 500 and 4500 immediately.
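
The port-block mitigation above, as an added example (not vendor or original-page code): a PowerShell audit that reports whether the host has anything bound to UDP 500/4500 and, with `-ApplyBlock`, adds an inbound block rule. The rule name and the script parameter are hypothetical; `IKEEXT` is the Windows service name for the IKE and AuthIP IPsec keying modules.

```powershell
# Added example. Run from an elevated PowerShell session.
# Blocking these ports also stops legitimate IKEv2/IPsec negotiation on this
# host, so treat the rule as a stopgap until the update is installed.
param([switch]$ApplyBlock)

$ikePorts = 500, 4500                                   # IKE and IPsec NAT-T
$ruleName = 'Block inbound IKE (temporary mitigation)'  # hypothetical rule name

# State of the IKE keying service, if present on this SKU.
$svc = Get-Service -Name 'IKEEXT' -ErrorAction SilentlyContinue

# UDP endpoints currently bound to the IKE ports.
$bound = @(Get-NetUDPEndpoint -LocalPort $ikePorts -ErrorAction SilentlyContinue)

# Is this script's block rule already present and enabled?
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }

if ($ApplyBlock -and -not $rule) {
    # Windows Firewall evaluates block rules ahead of ordinary allow rules.
    $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol UDP -LocalPort $ikePorts -Action Block -Profile Any
}

# One summary object per host, suitable for collecting with Invoke-Command.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    IkeService     = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }
    BoundUdpPorts  = ($bound.LocalPort | Sort-Object -Unique) -join ','
    BlockRule      = [bool]$rule
    # True when something is bound to 500/4500 and this rule is not in place.
    # Other firewall rules or upstream filtering are not evaluated here.
    NeedsAttention = ($bound.Count -gt 0) -and -not $rule
}
```

Remove the rule with `Remove-NetFirewallRule -DisplayName` once the host is patched, otherwise IPsec and IKEv2 VPN connections to it stay broken.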