Any unpatched Windows machine on your network can be compromised over SMB or RDP. Without authentication. With SYSTEM privileges, the highest level in Windows, above any administrator, policy, or restriction. CVE-2026-46230 is not a theoretical risk: the PoC has been public since May 20, and nation-state actors have already folded the exploit into active campaigns.
The bug: unauthenticated RCE in the kernel, i.e. SYSTEM
The Windows kernel (ntoskrnl.exe) carries I/O requests as I/O Request Packets (IRPs), and the IoAllocateMdl routine allocates the memory descriptor list (MDL) that describes the buffer an IRP refers to. When a malformed IRP reaches this path, the length check on that buffer fails. The result is memory corruption in kernel space, and an unauthenticated attacker can execute arbitrary code in ring 0. Code running there is not "an administrator"; it is at least SYSTEM, with no user-mode policy able to constrain it.
The exploit reaches the kernel through any network-facing service that forwards attacker-controlled IOCTL requests unchanged:
- SMBv3 (port 445): present on virtually every Windows host. File sharing, domain authentication, lateral movement. If SMB is reachable, the machine is a target.
- RDP (port 3389): when virtual channel extensions are in use, the vulnerable interface is exposed.
- DirectAccess and VPN clients: expose the vulnerable interface to attackers outside the corporate network as well.
Keep the privilege level in view. When the kernel runs attacker-supplied code delivered over a network protocol, no defense-in-depth control substitutes for the patch; everything else only limits who can reach the port.
The timeline: 8 days with a public exploit
The CVE-2026-46230 timeline shows how real the exposure window was:
- May 15: researcher privately reports the vulnerability to MSRC.
- May 20: PoC published in a public GitHub repository. From this point on, anyone who can reach port 445 or 3389 on an unpatched host can exploit the flaw.
- May 24: Microsoft confirms the vulnerability and assigns CVSS 9.8.
- May 28: out-of-band patch KB5029387 released; Microsoft did not wait for Patch Tuesday.
- June 2 (expected): CISA adds the CVE to KEV, with a 14-day deadline for mandatory remediation on federal systems.
From public PoC to patch: 8 days. From patch to expected KEV listing: 5 more days. The window with a public exploit and no patch was real, and nation-state actors have already used the exploit in campaigns against the energy and manufacturing sectors. This is not theoretical; it is operational.
What is at risk: DCs, file servers, and VPN gateways
The severity of CVE-2026-46230 is not just in the CVSS 9.8 score. It is in the targets the vulnerability reaches:
Domain controllers: RCE as SYSTEM on a DC is total domain compromise. The attacker dumps every account hash (krbtgt included), modifies GPOs, and installs persistence that survives ordinary cleanup. Recovery is not patching; at minimum it is a domain-wide credential reset, including two krbtgt resets, and in practice it often means rebuilding the forest.
File servers (SMB): the primary vector for lateral propagation. A compromised host can attack every machine it can reach on port 445, and file servers are reachable from nearly everything. In flat networks, a single compromised file server is the starting point for total compromise.
VPN gateways and RDP hosts: attack surface exposed to the internet. The attacker does not need to be inside the network, only to reach port 445 or 3389, directly or through VPN or DirectAccess.
Any unpatched Windows 10 22H2, Server 2019, or Server 2022 is a target. If your network has these ports open between segments, the risk is lateral and scalable.
Immediate mitigation: patch and segment
Patch KB5029387 is available via Windows Update, WSUS, and Configuration Manager. It is out-of-band, so do not wait for Patch Tuesday. Verify deployment with Get-HotFix or SCCM compliance baselines, and check the last boot time as well: Get-HotFix lists the update as installed before the reboot that actually activates it.
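The check described above, as an added example (not code from the original article or from Microsoft): it asks each host for the KB, the current OS build, and the last boot time, and separates "patched", "installed but not yet rebooted", "unpatched", and "unreachable". It assumes PowerShell Remoting (WinRM) is enabled and that you are an administrator on the targets; the hostnames are constructed placeholders.

```powershell
# Added example, not from the original post. Fleet-wide check for the out-of-band update.
# Assumes WinRM is enabled on the targets. Hostnames below are constructed placeholders;
# feed your own inventory instead (e.g. Get-ADComputer -Filter * | Select -ExpandProperty DNSHostName).
$Kb      = 'KB5029387'
$Targets = @('dc01.corp.example', 'fs01.corp.example', 'vpn01.corp.example')

$results = Invoke-Command -ComputerName $Targets -ArgumentList $Kb `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable -ScriptBlock {
    param($Kb)
    $os  = Get-CimInstance Win32_OperatingSystem
    # UBR is the "update build revision" that cumulative updates bump; it is the
    # most reliable way to compare a host against the build the KB article names.
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $fix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    # Heuristic: installed after the last boot means the fix is on disk but not yet active.
    $state = if (-not $fix)                              { 'UNPATCHED' }
             elseif ($fix.InstalledOn -gt $os.LastBootUpTime) { 'INSTALLED-NEEDS-REBOOT' }
             else                                         { 'patched' }
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        OS          = $os.Caption
        Build       = "$($os.Version).$ubr"
        State       = $state
        InstalledOn = $fix.InstalledOn
        LastBoot    = $os.LastBootUpTime
    }
}

$results | Sort-Object State | Format-Table Host, OS, Build, State, InstalledOn, LastBoot -AutoSize

# A host that did not answer is not "fine"; it is unknown, and unknown counts as unpatched.
foreach ($e in $unreachable) { Write-Warning ("Unreachable: {0}" -f $e.TargetObject) }

# Hand the exposed hosts to the segmentation workflow below.
$results | Where-Object State -ne 'patched' | Select-Object -ExpandProperty Host
```

Run it from a management host, not from a domain controller, and treat the unreachable list as seriously as the unpatched one: a machine that will not answer WinRM is often the one nobody has patched either.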
If you cannot patch right now, the mitigations are clear:
- Block SMB (445) and RDP (3389) at the perimeter firewall. No Windows machine needs these ports exposed to the internet. SMB on the internet is an open invitation, CVE or no CVE.
- Segment domain controllers into an isolated VLAN. Domain members still need SMB to the DCs for SYSVOL and NETLOGON, so restrict by source (member subnets, other DCs, management jump hosts) rather than blanket-blocking 445, and cut everything that is not authentication or replication traffic.
- Restrict RDP to a zero-trust gateway. RDP without an MFA-enabled gateway is the same as leaving the door open.
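The host-level version of the three mitigations above, as an added example that is not from the original article: default-deny inbound, disable the unscoped built-in SMB and RDP allow rules, add allow rules scoped to the ranges that legitimately need the ports, then probe sensitive hosts from an untrusted segment to confirm they no longer answer. Subnets and hostnames are constructed placeholders; apply the rule changes via GPO at scale rather than host by host.

```powershell
# Added example, not from the original post. Host-based scoping of inbound SMB/RDP plus an audit.
# Ranges and hostnames are constructed placeholders for a corp network.
$MgmtSubnets   = @('10.10.0.0/24')                  # jump hosts / admin workstations
$MemberSubnets = @('10.20.0.0/16', '10.21.0.0/16')  # domain members that need SYSVOL/NETLOGON over SMB

# 1. Default-deny inbound on every profile. Anything without an explicit Allow is dropped,
#    so a disabled profile or a "Public" network with looser defaults cannot undo the rest.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in allow rules; they match any remote address.
#    Do NOT add a blanket Block rule for 445/3389 instead: Windows Firewall evaluates Block
#    before Allow, so a blanket Block would also kill the scoped Allow rules below.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing','Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Scoped Allow rules. SMB from members and management only; RDP from management only
#    (everyone else reaches RDP through the MFA gateway, which lives in the management range).
New-NetFirewallRule -DisplayName 'SMB-445 allow from member and mgmt ranges' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress ($MgmtSubnets + $MemberSubnets) -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'RDP-3389 allow from mgmt range only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnets -Action Allow -Profile Any

# 4. Audit from a segment that should NOT reach these ports (run this part from a user-VLAN host).
#    Any OPEN line is a gap in either the host rules or the network ACLs between segments.
$Sensitive = @('dc01.corp.example', 'fs01.corp.example', 'vpn01.corp.example')
foreach ($h in $Sensitive) {
    foreach ($p in 445, 3389) {
        $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'OPEN  <-- reachable from this segment' } else { 'closed' }
        '{0,-22} tcp/{1,-5} {2}' -f $h, $p, $state
    }
}
```

On a file server, widen the SMB allow to the client ranges that actually mount its shares and nothing more; on a domain controller, the member ranges are required, the management range is required, and the internet is never in the list.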
These mitigations are not optional. They are the minimum any Windows infrastructure should have — with or without an active CVE.
The lesson: the patch is mandatory, segmentation is the insurance
CVE-2026-46230 reinforces what should already be standard practice: when the Windows kernel has unauthenticated RCE over a network protocol, segmentation is the control that still holds. The patch is mandatory. Segmentation is the insurance.
Flat networks, where any machine can reach any port on any segment, are the ideal scenario for lateral propagation: one compromised host becomes total compromise. Network architecture must assume that vulnerabilities like this will keep happening and be designed to contain the blast radius.
At Tech86, we audit Windows infrastructure and implement zero-trust network segmentation. If your SMB is exposed to the internet, the question is not whether it will be exploited, but when.