DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-33824: Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability

Vulnerability ID: CVE-2026-33824
CVSS Score: 9.8
Published: 2026-04-14

A double-free vulnerability in the Windows IKE Extension service allows unauthenticated remote attackers to achieve arbitrary code execution with SYSTEM privileges by sending malformed IKEv2 payloads.

TL;DR

CVE-2026-33824 (BlueHammer) is an actively exploited, zero-click remote code execution vulnerability in the Windows IKE service (IKEEXT, "IKE and AuthIP IPsec Keying Modules"). It leverages a double-free condition while parsing the IKE_SA_INIT exchange, the first, unauthenticated message of an IKEv2 negotiation, to bypass mitigations and execute arbitrary code as SYSTEM. No credentials, pre-shared key or certificate are needed: any host that can reach UDP 500/4500 on the target can send the trigger.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-415
  • Attack Vector: Network (UDP 500 for IKE, UDP 4500 for IKE over NAT-T)
  • CVSS Score: 9.8
  • EPSS Score: 0.00067
  • Impact: Unauthenticated RCE as SYSTEM
  • Exploit Status: Active Exploitation

Affected Systems

  • Windows 11: 22H2, 23H2, 24H2, 25H2, 26H1 (the report lists the fix as build 10.0.22631.6936 and later; 22631 is the 23H2 build line, so check the per-release build in the April 2026 cumulative update for the other lines)
  • Windows 10: 1607, 1809, 21H2, 22H2 (the report lists the fix as build 10.0.14393.9060 and later; 14393 is the 1607 line, which is also the Windows Server 2016 build)
  • Windows Server: 2016, 2019, 2022, 2025 (fixed in the April 2026 Cumulative Update)

Exploit Details

  • GitHub: Mirror of the original BlueHammer PoC and exploitation analysis.

Mitigation Strategies

  • Apply Microsoft April 2026 Cumulative Updates to all affected Windows endpoints and servers.
  • Disable the 'IKE and AuthIP IPsec Keying Modules' (IKEEXT) service if IPsec or VPN functionality is not required. Note that stopping it breaks IKEv2 and L2TP/IPsec VPN connections and any IPsec connection-security rules on that host, so confirm the host really has no IPsec dependency before disabling it.
  • Implement network perimeter filtering to block inbound UDP port 500 and 4500 traffic unless strictly required for known VPN endpoints.

Remediation Steps:

  1. Inventory all public-facing Windows Server assets to identify active IKE/IPsec services.
  2. Deploy the April 2026 security patches targeting the specific Windows builds (e.g., 10.0.22631.6936 or later for the Windows 11 23H2 line).
  3. Reboot affected servers to ensure the patched ikeext.dll is loaded into memory; until the reboot the vulnerable copy is still serving UDP 500/4500.
  4. Verify the update installation by comparing the installed build and UBR (winver, or the CurrentBuildNumber and UBR registry values) against the fixed build, or via configuration management tooling.
  5. Review network telemetry on UDP 500/4500 for the weeks preceding the patch deployment to identify potential zero-day compromise.
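The remediation steps above, worked through on a single host as an added PowerShell example (this is not code from the original report or from the BlueHammer analysis). The fixed build numbers are the ones the report quotes; $IpsecRequired, $KnownVpnPeers, the firewall rule name and the firewall log path are assumptions to adapt to your environment. Run it in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original report: triage and harden one host for CVE-2026-33824.
# Build thresholds come from the report; $IpsecRequired, $KnownVpnPeers, the rule name and
# the firewall-log path are assumptions to adapt to your environment.

$IpsecRequired = $false                              # assumed: $true on VPN gateways / IPsec-policy hosts
$KnownVpnPeers = @('203.0.113.10', '203.0.113.11')   # assumed: legitimate IKE peers (RFC 5737 test addresses)
$FirewallLog   = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"  # default WFAS log path when logging is on

# Fixed-in builds quoted by the report, keyed by CurrentBuildNumber.
# 22631 is the Windows 11 23H2 line, 14393 is Windows 10 1607 / Server 2016; other lines need the
# per-release build from the April 2026 cumulative update.
$FixedBuilds = @{ 22631 = [version]'10.0.22631.6936'; 14393 = [version]'10.0.14393.9060' }

function Get-HostBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]"10.0.$($cv.CurrentBuildNumber).$($cv.UBR)"    # e.g. 10.0.22631.6936
}

function Test-Cve202633824Patched ([version]$Build) {
    $line = $Build.Build                                   # third component = build line, e.g. 22631
    if (-not $FixedBuilds.ContainsKey($line)) {
        Write-Warning "Build $Build is not in the report's table; compare against the April 2026 CU for this release."
        return $null
    }
    return $Build -ge $FixedBuilds[$line]
}

# Steps 2 and 4: is the host on a fixed build?
$build   = Get-HostBuild
$patched = Test-Cve202633824Patched $build
"Host build $build  patched=$patched"

# Step 1: is IKEEXT running and bound to UDP 500/4500 on this host?
$svc = Get-Service -Name IKEEXT
"IKEEXT status=$($svc.Status) startType=$($svc.StartType)"
Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# Mitigation when IPsec/VPN is not needed: remove the listener and block the ports as well.
if (-not $IpsecRequired) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name IKEEXT -Force }
    Set-Service -Name IKEEXT -StartupType Disabled
    $ruleName = 'CVE-2026-33824 block inbound IKE'       # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
            -LocalPort 500, 4500 -RemoteAddress Any -Action Block | Out-Null
    }
}
elseif ($patched -ne $true) {
    # The service must stay up, so the host-side fix is the patch; peer allow-listing belongs on the perimeter.
    Write-Warning "IKEEXT must stay enabled and the host is not confirmed patched; restrict inbound UDP 500/4500 at the perimeter to: $($KnownVpnPeers -join ', ')"
}

# Step 5: which sources outside the known-peer list have been sending to UDP 500/4500?
# Default W3C layout of pfirewall.log: date time action protocol src-ip dst-ip src-port dst-port ... path
# where the last field is SEND/RECEIVE; only RECEIVE entries are inbound to this host.
function Get-UnexpectedIkeSources ([string]$Path, [string[]]$Allowed) {
    if (-not (Test-Path $Path)) { Write-Warning "No firewall log at $Path (enable logging in the firewall profile)"; return @() }
    Get-Content $Path |
        Where-Object { $_ -notmatch '^#' -and $_.Trim() } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -ge 8 -and $f[3] -eq 'UDP' -and ($f[7] -in '500', '4500') -and
                $f[-1] -eq 'RECEIVE' -and ($f[4] -notin $Allowed)) {
                [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Action = $f[2]; Source = $f[4]; DstPort = $f[7] }
            }
        } |
        Group-Object Source | Sort-Object Count -Descending |
        Select-Object Name, Count
}
Get-UnexpectedIkeSources -Path $FirewallLog -Allowed $KnownVpnPeers | Format-Table -AutoSize
```

The build comparison uses CurrentBuildNumber plus UBR rather than a KB lookup because the report gives fixed builds, not KB numbers. The firewall-log hunt only sees what Windows Firewall logged; for the pre-patch window on an internet-facing VPN gateway, the perimeter firewall or NetFlow records for UDP 500/4500 are the more complete source, and the host log is a cross-check.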

Read the full report for CVE-2026-33824 on our website for more details including interactive diagrams and full exploit analysis.
