Overview
CVE-2026-33824 is a pre-authentication remote code execution vulnerability in the Windows Internet Key Exchange (IKE) Service Extensions component, patched in Microsoft's April 2026 Patch Tuesday. A double-free condition in the IKEv2 packet parser allows an unauthenticated remote attacker to corrupt heap memory and achieve arbitrary code execution at SYSTEM privilege — with no user interaction required.
The vulnerability was exploited as a zero-day by threat group BlueHammer before the patch was available. Post-compromise analysis confirmed BlueHammer used the exploit to establish initial footholds on perimeter systems before pivoting laterally into enterprise networks. It was one of two CVSS 9.8 vulnerabilities in the April 2026 cycle, alongside CVE-2026-33827 (Windows TCP/IP stack RCE).
What is Windows IKE?
Internet Key Exchange (IKEv2) is the protocol used to establish and manage IPsec security associations — the cryptographic tunnels underpinning Windows VPN connections, DirectAccess, and encrypted site-to-site networking. The IKE service listens on UDP port 500 for standard IKE negotiation and UDP port 4500 for NAT traversal. Both ports are typically open on VPN concentrators, firewalls, and any Windows host participating in an IPsec policy.
Critically, IKE negotiation is a pre-authentication protocol phase — both parties exchange packets to establish the secure channel before any credentials are verified. This means the vulnerable parsing code runs on every incoming IKE packet, with no prior authentication required to reach it.
Root Cause: Double-Free in IKEv2 Packet Parsing
The vulnerability is a classic CWE-415: Double Free — a memory management error where the same heap allocation is freed twice. In the IKEv2 parser, a specific code path triggered by a malformed packet causes a structure to be released during an error-handling routine, then released again during normal cleanup of the same transaction. This produces heap corruption.
Once the double-free corrupts the heap freelist, an attacker can manipulate subsequent allocation patterns to gain an arbitrary write primitive — the ability to write attacker-controlled data to an attacker-chosen address.
The exploit chain proceeds as follows:
- Trigger the double-free by sending a crafted IKEv2 packet sequence that exercises the vulnerable error-handling path.
- Heap grooming — shape the heap state via additional UDP packets to position controlled allocations adjacent to the freed memory.
- Arbitrary write primitive — the corrupted freelist pointer is followed during a subsequent allocation, enabling an attacker-controlled write.
- CFG bypass — Control Flow Guard is circumvented by targeting unprotected data structures (vtables or function pointers in unguarded code segments) with the arbitrary write, redirecting execution without triggering the CFG bitmap check.
- CET bypass — Control-flow Enforcement Technology's shadow stack is bypassed during the specific pivot into the ROP chain.
- ROP chain — a short gadget chain marks a memory region executable, copies the final shellcode payload, and transfers execution.
- SYSTEM shell — the IKE service runs as SYSTEM, so the payload executes at the highest privilege level with no further escalation needed.
Why IKE is an Attractive Target
VPN-adjacent services are among the most valuable initial access vectors in enterprise environments. A host running IKE is frequently a perimeter device — a VPN gateway, a firewall management plane, or a remote access server — with direct network connectivity into protected segments. SYSTEM-level code execution on such a host is often equivalent to a direct foothold into the internal network with full lateral movement capability.
BlueHammer: Zero-Day Exploitation
BlueHammer is a financially motivated threat group observed conducting targeted intrusions against financial services, logistics, and critical infrastructure sectors. Their exploitation of CVE-2026-33824 was confirmed through forensic analysis of compromised perimeter devices — specifically Windows Server hosts running DirectAccess or VPN roles. The group used the IKE exploit for initial access, then transitioned to Cobalt Strike and living-off-the-land techniques for lateral movement and data exfiltration.
The window between BlueHammer's initial exploitation and patch availability represented an unpatched exposure period for any organisation with IKEv2 reachable from the internet.
Affected Systems
Any Windows system where the IKE service is reachable and IKEv2 is enabled is potentially affected. This includes:
- Windows Server acting as a VPN or DirectAccess server
- Windows hosts participating in an IPsec policy with UDP 500/4500 reachable from untrusted networks
- Perimeter firewall or gateway devices running Windows
The issue is patched in the April 14, 2026 Cumulative Update for all supported Windows versions.
Remediation
- Apply the April 2026 Cumulative Update immediately — prioritise any internet-facing Windows hosts with UDP 500 or 4500 open.
- As a temporary measure, restrict UDP 500/4500 at the network boundary to known peer IP addresses only — block inbound IKE from arbitrary internet sources if your VPN/IPsec topology allows it.
- Disable IKEv2 where not required. If your VPN infrastructure only requires IKEv1, disabling IKEv2 removes the vulnerable code path entirely.
- Review perimeter logs for unusual IKE negotiation traffic — specifically high volumes of malformed or partial IKE_SA_INIT exchanges from unexpected source IPs prior to patching.
Detection Guidance
- Windows Event Log: IKE service crashes or restarts (Event ID 7034 in System log) in the period before patching.
- Network logs: high volumes of UDP 500/4500 traffic from single external IP addresses, particularly with short inter-packet timing characteristic of heap grooming.
- Endpoint: unexpected child processes spawned by the svchost.exe instance hosting the IKE service (ikeext.dll).
- Indicators of BlueHammer post-exploitation: Cobalt Strike beacon traffic, WMIC/PowerShell lateral movement, and scheduled task persistence shortly following the exploitation window.
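As an added example (not part of the original advisory), the following Python applies the network and event-log rules above to constructed sample data: it flags a source sending a burst of UDP 500/4500 datagrams with the short inter-packet timing the text associates with heap grooming, then correlates it with a later Event ID 7034 for the IKE service. The log line formats, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

IKE_PORTS = {500, 4500}  # IKE and NAT-T ports named in the advisory
def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def find_ike_bursts(flow_lines, min_packets=20, window_s=5, max_gap_ms=50):
    # Flag sources with >= min_packets UDP 500/4500 datagrams inside window_s seconds and a
    # median inter-packet gap <= max_gap_ms. Assumed line format: "<iso-ts> <src> <dst> <proto> <dport>"
    by_src = defaultdict(list)
    for line in flow_lines:
        ts, src, _dst, proto, dport = line.split()
        if proto == "UDP" and int(dport) in IKE_PORTS:
            by_src[src].append(_ts(ts))
    flagged = {}
    for src, stamps in sorted(by_src.items()):
        stamps.sort()
        for i in range(len(stamps)):  # sliding window over sorted timestamps
            j = i
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= min_packets:
                gap = median((b - a).total_seconds() * 1000 for a, b in zip(stamps[i:j], stamps[i + 1:j + 1]))
                if gap <= max_gap_ms:
                    flagged[src] = {"packets": j - i + 1, "median_gap_ms": gap, "last_seen": stamps[j]}
                    break
    return flagged

def find_ike_service_crashes(event_lines):
    # Event ID 7034 (Service Control Manager: service terminated unexpectedly) naming the
    # IKE service. Assumed line format: "Time=<iso>|EventID=<id>|Service=<name>"
    crashes = []
    for line in event_lines:
        f = dict(kv.split("=", 1) for kv in line.split("|"))
        if f.get("EventID") == "7034" and "IKE" in f.get("Service", "").upper():
            crashes.append(_ts(f["Time"]))
    return crashes

def correlate(flow_lines, event_lines, lookahead_min=10):
    # Keep only bursts that were followed by an IKE service crash within lookahead_min minutes.
    crashes = find_ike_service_crashes(event_lines)
    return {src: info for src, info in find_ike_bursts(flow_lines).items()
            if any(timedelta(0) <= c - info["last_seen"] <= timedelta(minutes=lookahead_min) for c in crashes)}

# Constructed sample: a 30-packet burst at 10 ms spacing from 203.0.113.7, keepalive-paced
# traffic from known peer 198.51.100.5, and an IKE service crash 20 s after the burst.
T0 = _ts("2026-04-03T10:15:00Z")
SAMPLE_FLOWS = [f"{(T0 + timedelta(milliseconds=10 * i)).isoformat()} 203.0.113.7 192.0.2.10 UDP 500" for i in range(30)]
SAMPLE_FLOWS += [f"{(T0 + timedelta(seconds=2 * i)).isoformat()} 198.51.100.5 192.0.2.10 UDP 4500" for i in range(30)]
SAMPLE_EVENTS = ["Time=2026-04-03T10:15:20Z|EventID=7034|Service=IKE and AuthIP IPsec Keying Modules"]
```

Calling `correlate(SAMPLE_FLOWS, SAMPLE_EVENTS)` returns only the bursting source; the known peer's keepalive-paced traffic never reaches the packet threshold inside the window.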
Takeaways
This vulnerability follows a familiar and dangerous pattern: a memory safety flaw in a pre-authentication network service, reachable on a port that perimeter devices must expose to function. Double-free vulnerabilities in C/C++ codebases remain a persistent source of critical network-reachable RCEs — the underlying language risk is well understood, yet the same class of bug continues to appear in mature, widely-deployed products.
For red teams and penetration testers: any engagement involving Windows VPN infrastructure should now include a version check against the April 2026 CU. Unpatched IKE on a perimeter host is a direct SYSTEM shell, and BlueHammer's exploitation confirms real-world tooling exists.
References
- Microsoft Security Response Center — CVE-2026-33824
- GitHub Advisory Database — GHSA-q6qf-3m2m-xq4f
- Security Boulevard — Windows IKE Service Extensions Vulnerability Enables RCE
- The Hacker Wire — Windows IKE Extension Double Free Leads to RCE
- Zero Day Initiative — April 2026 Security Update Review
- CrowdStrike — April 2026 Patch Tuesday Analysis