CVE-2026-33827: a wormable Windows TCP/IP flaw
A critical RCE in the Windows TCP/IP stack, remote and with no user interaction — potentially self-spreading. We explain the risk and the patching priority.
There are critical vulnerabilities, and there are the ones that keep you up at night. CVE-2026-33827 — remote code execution in the Windows TCP/IP network stack — belongs to the second category, because it has the property every defender dreads: worm potential.
Why “wormable” is the worst word
The flaw is remote, unauthenticated and requires no user interaction: an attacker can take over a system by sending specially crafted network packets, and the victim doesn’t have to click or open anything. Malware that exploits a flaw like this can spread on its own from machine to machine, like a worm. There are historical examples (EternalBlue and WannaCry among them) in which a single compromised host on the network infected hundreds more in minutes.
For CVE-2026-33827, exploitation depends on a specific configuration (including IPv6 and IPsec enabled), but given the Windows install base and the nature of the flaw it is treated as critical and should be patched immediately. Hosts that don’t currently meet the precondition are less exposed, not safe: a configuration precondition can change (an adapter picks up an IPv6 prefix, a policy pushes IPsec rules), so it buys ordering, not an exemption. In the same cycle Microsoft also fixed, among others, a critical RCE in the Windows IKE service (CVE-2026-33824).
What to do
- Apply the April Patch Tuesday updates — prioritise systems reachable from untrusted networks.
- Reduce the attack surface where patching has to wait: limit exposure of the service to untrusted networks, and consider temporarily disabling IPv6/IPsec where they are not needed, following the vendor’s guidance. Treat this as an interim step and re-enable after patching; anything that depends on IPv6 or IPsec will break while it is off.
- Segment the network. A wormable flaw is as dangerous as your network is flat — microsegmentation limits spread. It’s the same logic we describe in our pieces on Zero Trust and defending against ransomware.
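The three steps above come down to two questions per host: does it meet the configuration precondition (IPv6 and IPsec enabled), and has it received the April updates? The following PowerShell script is an example added here by the editor, not Microsoft tooling or a vendor-published check; it inventories both and, only on request, applies the interim IPv6 mitigation. It assumes the precondition as described on this page, and it deliberately does not hardcode the fixed build numbers or KB IDs (those are not reproduced here; take them from MSRC). The default cut-off date is assumed to be April 2026 Patch Tuesday, 14 April 2026, and `Get-HotFix` is used only as a quick indicator, not as proof of the fix.

```powershell
#Requires -RunAsAdministrator
<#
  Exposure check for the TCP/IP RCE discussed above. Editor's example, not
  vendor tooling. Reports per host:
    - whether IPv6 is bound to any adapter and has addresses beyond link-local
    - whether IPsec is in use (enabled IPsec rules, IKEEXT/PolicyAgent state, SAs)
    - OS build.UBR and the last installed update, to compare against MSRC
  ASSUMPTIONS: precondition "IPv6 and IPsec enabled" taken from the article;
  fixed build/KB not hardcoded; cut-off defaults to 14 April 2026 (assumed
  April Patch Tuesday date). -DisableIPv6Binding is opt-in and meant only for
  hosts that do not need IPv6; it is an interim step, re-enable after patching.
#>
[CmdletBinding()]
param(
    [datetime]$PatchCutoff = [datetime]'2026-04-14',
    [switch]$DisableIPv6Binding
)

function Get-Ipv6Exposure {
    # Adapters with the IPv6 protocol (ms_tcpip6) bound and enabled.
    $bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled }
    # Every bound adapter has a link-local fe80::/10 address; a non-link-local
    # address means the stack is reachable from beyond the local segment.
    $routable = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notmatch '^fe80:' -and $_.IPAddress -ne '::1' }
    [pscustomobject]@{
        Ipv6BoundAdapters = @($bound.Name)
        Ipv6RoutableAddrs = @($routable.IPAddress)
    }
}

function Get-IpsecExposure {
    # Enabled IPsec rules in any policy store (local, GPO) plus the keying
    # services. A running IKEEXT alone is only an indicator; enabled rules or
    # live main-mode SAs show IPsec is actually negotiating on this host.
    $rules = Get-NetIPsecRule -ErrorAction SilentlyContinue | Where-Object { $_.Enabled -eq 'True' }
    [pscustomobject]@{
        IpsecRulesEnabled = @($rules).Count
        IKEEXT            = (Get-Service IKEEXT).Status
        PolicyAgent       = (Get-Service PolicyAgent).Status
        ActiveMainModeSAs = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count
    }
}

function Get-PatchState([datetime]$Cutoff) {
    # Build.UBR is what MSRC lists as the fixed version; compare it manually.
    $cv   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Build              = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        LastUpdateKB       = $last.HotFixID
        LastUpdateDate     = $last.InstalledOn
        UpdatedSinceCutoff = [bool]($last.InstalledOn -and $last.InstalledOn -ge $Cutoff)
    }
}

$v6  = Get-Ipv6Exposure
$sec = Get-IpsecExposure
$pat = Get-PatchState -Cutoff $PatchCutoff

$preconditionMet = ($v6.Ipv6BoundAdapters.Count -gt 0) -and
                   ($sec.IpsecRulesEnabled -gt 0 -or $sec.ActiveMainModeSAs -gt 0)

# Triage verdict: patch everything, but order the work by exposure.
$action = if (-not $pat.UpdatedSinceCutoff -and $preconditionMet) { 'PATCH NOW (precondition met, no update since cut-off)' }
          elseif (-not $pat.UpdatedSinceCutoff)                   { 'Patch this cycle (precondition not currently met)' }
          else                                                     { 'Update present; verify Build.UBR against MSRC' }

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    Ipv6BoundAdapters = ($v6.Ipv6BoundAdapters -join ', ')
    Ipv6RoutableAddrs = ($v6.Ipv6RoutableAddrs -join ', ')
    IpsecRulesEnabled = $sec.IpsecRulesEnabled
    ActiveMainModeSAs = $sec.ActiveMainModeSAs
    IKEEXT            = $sec.IKEEXT
    Build             = $pat.Build
    LastUpdate        = "$($pat.LastUpdateKB) ($($pat.LastUpdateDate))"
    PreconditionMet   = $preconditionMet
    Action            = $action
} | Format-List

# Interim mitigation from the list above, only when asked for and only while
# the host is unpatched. Undo with Enable-NetAdapterBinding after updating.
if ($DisableIPv6Binding -and -not $pat.UpdatedSinceCutoff) {
    foreach ($name in $v6.Ipv6BoundAdapters) {
        Write-Warning "Disabling IPv6 binding on '$name' (interim mitigation; re-enable after patching)"
        Disable-NetAdapterBinding -Name $name -ComponentID ms_tcpip6
    }
}
```

Run it from an elevated prompt, or push it through your endpoint management tool and collect the objects, to get a per-host ordering for the emergency patch window: hosts with `PreconditionMet` true and no post-cut-off update go first, especially those with routable IPv6 addresses facing untrusted networks. The `UpdatedSinceCutoff` flag only says an update was installed after the assumed date; the authoritative check is the `Build` value against the fixed build MSRC lists for the CVE.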
The takeaway
Wormable flaws are one of the few cases where it’s worth breaking the normal schedule and patching in emergency mode — because the cost of delay grows exponentially once an exploit starts to spread. If you’d like to see how your network would withstand such a scenario, book a test.
Sources and further reading: MSRC, Zero Day Initiative, BleepingComputer.