CVE-2026-33824 — Windows IKEv2 remote code execution
CVE-2026-33824 is a critical double-free in Windows IKE Extension (IKEEXT)
that can allow unauthenticated remote code execution via crafted IKEv2 packets.
A notable public exploit-analysis write-up was published on 2026-04-23,
making this a high-priority hardening target for internet-facing VPN gateways.
Affected versions
- Vulnerable: Windows systems that have not received the April 2026 security update and have IKEv2 reachable.
- Fixed: Microsoft security update that remediates CVE-2026-33824.
Indicator-of-exposure
- Host runs IKEv2/IPsec services.
- UDP ports 500 and/or 4500 are reachable from untrusted networks.
- April 2026 security updates not yet applied.
Quick checks:
```powershell
# Most recent 20 installed updates; compare against the KB that fixes CVE-2026-33824
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 20
# Enabled firewall rules whose display name mentions IKE or IPsec
Get-NetFirewallRule -Enabled True | Where-Object { $_.DisplayName -match 'IKE|IPsec' }
# Sockets bound to the IKE ports (substring match: ":500" also matches e.g. ":5000")
netstat -ano | findstr ":500 :4500"
```
Remediation strategy
- Apply Microsoft’s security update addressing CVE-2026-33824.
- If patch rollout is staged, temporarily restrict/deny inbound UDP 500/4500 except known VPN peers.
- Audit VPN gateways and Always-On VPN endpoints first (highest blast radius).
The prompt
You are remediating CVE-2026-33824 (Windows IKEv2 RCE). Produce exactly one
output:
- A change request/runbook update with patch + exposure reduction actions, or
- TRIAGE.md if patch deployment is blocked.
## Rules
- Scope only CVE-2026-33824.
- Prioritize internet-facing IKEv2 gateways.
- Do not claim remediation unless both patch status and network exposure checks
are documented.
## Steps
1. Inventory Windows systems with IKEv2 enabled and exposed on UDP 500/4500.
2. Validate patch status for CVE-2026-33824 on each asset group.
3. For unpatched systems, add immediate mitigation:
- block inbound UDP 500/4500 where IKE is unnecessary, or
- allow-list known peers only.
4. Produce rollout plan applying the April 2026 security update.
5. Add verification plan:
- patch evidence (KB/hotfix inventory),
- firewall/routing evidence for UDP 500/4500 controls.
6. Output title:
`fix(sec): mitigate and remediate CVE-2026-33824 (Windows IKEv2)`.
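The inventory, patch-status and exposure-reduction steps above, combined into one per-host triage script. This is an added example, not code from the advisory or from Microsoft: the KB id is a placeholder to be taken from the MSRC record, the peer addresses are constructed samples, and the script only changes firewall rules when run with `-Enforce`.

```powershell
# Added example (not from the advisory): triage one Windows host for CVE-2026-33824 exposure
# and, optionally, scope inbound IKE to an allow-list of known VPN peers.
# Assumptions: $PatchKb is the KB of the Microsoft update that fixes CVE-2026-33824 (placeholder,
# look it up on MSRC); $KnownPeers are constructed sample addresses, replace with your real peers.
param(
    [string]   $PatchKb    = 'KB_PLACEHOLDER_FROM_MSRC',
    [string[]] $KnownPeers = @('203.0.113.10', '198.51.100.0/24'),
    [switch]   $Enforce    # default is report-only
)
$ikePorts = @('500', '4500')
# 1. Is IKE exposed? IKEEXT is the IKE/AuthIP keying service; RemoteAccess hosts RRAS VPN.
$ikeSvc    = Get-Service -Name IKEEXT, RemoteAccess -ErrorAction SilentlyContinue
$listening = Get-NetUDPEndpoint | Where-Object { $ikePorts -contains "$($_.LocalPort)" }
# 2. Patch status: Get-HotFix only sees updates recorded in the local hotfix inventory.
$patched   = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
# 3. Which enabled inbound Allow rules currently admit UDP 500/4500 from any remote address?
$openRules = foreach ($r in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $pf = $r | Get-NetFirewallPortFilter
    if ($pf.Protocol -ne 'UDP') { continue }
    if ($pf.LocalPort -eq 'Any' -or ($pf.LocalPort | Where-Object { $ikePorts -contains $_ })) {
        $af = $r | Get-NetFirewallAddressFilter
        if ($af.RemoteAddress -eq 'Any') { $r }
    }
}
# Evidence record for the change request / TRIAGE.md
[pscustomobject]@{
    IkeServicesRunning = ($ikeSvc | Where-Object Status -eq 'Running').Name -join ','
    ListeningOnIke     = [bool]$listening
    PatchInstalled     = $patched
    WideOpenIkeRules   = $openRules.DisplayName -join ','
    Verdict            = $(if ($listening -and -not $patched) { 'EXPOSED-UNPATCHED' }
                           elseif ($listening) { 'EXPOSED-PATCHED' } else { 'NOT-LISTENING' })
}
if ($Enforce -and $listening -and -not $patched) {
    # Windows Firewall evaluates Block rules before Allow rules, so "allow-list peers" means:
    # keep only a peer-scoped Allow rule and let the profile's default inbound Block do the rest.
    New-NetFirewallRule -DisplayName 'CVE-2026-33824 IKE allow-list' -Direction Inbound `
        -Protocol UDP -LocalPort $ikePorts -RemoteAddress $KnownPeers -Action Allow | Out-Null
    if ($openRules) { $openRules | Disable-NetFirewallRule }   # keep the names as rollback evidence
}
```

Run it in report mode on every scoped host first; the disabled rule names and the output object are the patch and firewall evidence the verification step asks for.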
## Stop conditions
- Target fleet has no IKEv2 exposure.
- Patch identification data is unavailable for this environment.
- Required firewall changes cannot be validated safely.
Verification — what the reviewer looks for
- Patch evidence exists for scoped systems.
- UDP 500/4500 exposure is explicitly reduced or justified.
- Remaining risk (if any) has owner + deadline.
References
- ZDI technical analysis (2026-04-23): https://www.zerodayinitiative.com/blog/2026/4/22/cve-2026-33824-remote-code-execution-in-windows-ikev2
- Microsoft advisory record: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824