CVE-2026-33824 describes a remote code execution flaw in the Windows Internet Key Exchange (IKE) service (IKEv2) that centres on a double free during IKEv2 fragment reassembly. An unauthenticated, remote attacker could exploit the issue by sending crafted IKE_SA_INIT messages followed by a sequence of Encrypted Fragment (SKF) payloads carrying an invalid IKE_AUTH message, potentially leading to arbitrary code execution as SYSTEM, the context in which the IKEEXT service runs.
The vulnerability stems from improper ownership handling of a heap-allocated blob pointer during fragment reassembly: the same allocation is freed a second time when MMSA cleanup runs after the initial free. The report notes that detection should monitor UDP ports 500 and 4500 (IKE and IKE NAT-T) for two related packets in the same IKE session, and outlines specific byte-sequence checks to identify exploitation attempts.
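The report's byte-sequence checks are not reproduced on this page, so the example below (added here; not code from the report or from Microsoft) shows only the session-tracking plumbing such a detection needs: parse the IKEv2 header from UDP/500 and UDP/4500 payloads, key state on the initiator SPI so IKE_SA_INIT and later IKE_AUTH fragments land in the same session, and inspect each SKF payload. The anomaly checks (fragment before any IKE_SA_INIT, fragment number outside 1..total, total changing mid-message, duplicate fragment) are constructed RFC 7383 conformance checks standing in for the report's signatures; the sample packets are constructed, not captured traffic. Header and payload constants follow RFC 7296 and RFC 7383.

```python
"""Per-session IKEv2 SKF fragment tracker (added example; checks are constructed placeholders)."""
import struct
from collections import defaultdict

IKEV2_HDR_LEN = 28          # 8 iSPI + 8 rSPI + next/version/exchange/flags + msg id + length
EXCH_IKE_SA_INIT = 34
EXCH_IKE_AUTH = 35
PAYLOAD_SA = 33
PAYLOAD_SKF = 53            # Encrypted and Authenticated Fragment, RFC 7383
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE on UDP/4500 carries this prefix (RFC 3948)


def parse_ikev2(udp_port, data):
    """Return (header dict, payload list) or None if the datagram is not an IKEv2 message."""
    if udp_port == 4500:
        if not data.startswith(NON_ESP_MARKER):
            return None                      # ESP-in-UDP, not IKE
        data = data[4:]
    if len(data) < IKEV2_HDR_LEN:
        return None
    ispi, rspi, nxt, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", data[:IKEV2_HDR_LEN])
    if version >> 4 != 2 or length > len(data):
        return None
    hdr = {"ispi": ispi, "rspi": rspi, "exchange": exch, "msg_id": msg_id,
           "response": bool(flags & 0x20)}
    payloads, off = [], IKEV2_HDR_LEN
    while nxt != 0 and off + 4 <= length:   # walk the generic payload chain
        ptype, nxt, plen = nxt, *struct.unpack("!BxH", data[off:off + 4])
        if plen < 4 or off + plen > length:
            break                            # bad payload length: keep what parsed so far
        entry = {"type": ptype}
        body = data[off + 4:off + plen]
        if ptype == PAYLOAD_SKF and len(body) >= 4:
            entry["frag_num"], entry["frag_total"] = struct.unpack("!HH", body[:4])
        payloads.append(entry)
        off += plen
    return hdr, payloads


class IkeSessionTracker:
    """Groups datagrams by initiator SPI (stable for the life of the IKE SA) and flags
    SKF fragment sequences a conforming peer never sends. Constructed checks, see lead-in."""

    def __init__(self):
        self.sessions = defaultdict(lambda: {"sa_init": False, "frags": defaultdict(set), "totals": {}})
        self.alerts = []

    def _alert(self, hdr, reason):
        self.alerts.append({"ispi": f"{hdr['ispi']:016x}", "msg_id": hdr["msg_id"], "reason": reason})

    def feed(self, udp_port, data):
        parsed = parse_ikev2(udp_port, data)
        if parsed is None:
            return None
        hdr, payloads = parsed
        sess = self.sessions[hdr["ispi"]]
        if hdr["exchange"] == EXCH_IKE_SA_INIT:
            sess["sa_init"] = True
        for p in payloads:
            if p["type"] != PAYLOAD_SKF:
                continue
            if not sess["sa_init"]:
                self._alert(hdr, "SKF fragment before any IKE_SA_INIT in this session")
            num, total = p.get("frag_num", 0), p.get("frag_total", 0)
            if num == 0 or total == 0 or num > total:   # RFC 7383: 1 <= num <= total
                self._alert(hdr, f"invalid fragment numbering {num}/{total}")
                continue
            key = (hdr["msg_id"], hdr["response"])
            if sess["totals"].setdefault(key, total) != total:
                self._alert(hdr, f"fragment total changed to {total} mid-message")
            if num in sess["frags"][key]:
                self._alert(hdr, f"duplicate fragment {num}/{total}")
            sess["frags"][key].add(num)
        return hdr


def build_ikev2(ispi, rspi, exch, msg_id, payloads, udp_port=500):
    """Constructed packet builder for the demo (not real captures). payloads: [(type, body)]."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!QQBBBBII", ispi, rspi, first, 0x20, exch, 0x08, msg_id, IKEV2_HDR_LEN + len(body))
    return (NON_ESP_MARKER + hdr + body) if udp_port == 4500 else hdr + body


def skf(num, total):
    return struct.pack("!HH", num, total) + b"\x00" * 8   # dummy IV/ciphertext


def demo():
    """Feed a constructed session: a clean 2-fragment IKE_AUTH, then two anomalies."""
    t = IkeSessionTracker()
    ispi, rspi = 0x1122334455667788, 0x8877665544332211
    t.feed(500, build_ikev2(ispi, 0, EXCH_IKE_SA_INIT, 0, [(PAYLOAD_SA, b"\x00" * 8)]))
    for n in (1, 2):
        t.feed(4500, build_ikev2(ispi, rspi, EXCH_IKE_AUTH, 1, [(PAYLOAD_SKF, skf(n, 2))], 4500))
    t.feed(4500, build_ikev2(ispi, rspi, EXCH_IKE_AUTH, 1, [(PAYLOAD_SKF, skf(3, 2))], 4500))  # 3 of 2
    t.feed(4500, build_ikev2(ispi, rspi, EXCH_IKE_AUTH, 1, [(PAYLOAD_SKF, skf(2, 2))], 4500))  # repeat
    t.feed(4500, build_ikev2(0xAAAA, 0xBBBB, EXCH_IKE_AUTH, 1, [(PAYLOAD_SKF, skf(1, 1))], 4500))  # no SA_INIT
    return t.alerts


if __name__ == "__main__":
    for a in demo():
        print(a)
```

In a real deployment the `feed` loop would sit behind a packet source (a pcap reader or a sensor's UDP stream) and the constructed checks would be replaced by the byte-sequence checks the report specifies; keying on the initiator SPI rather than the SPI pair matters because the responder SPI is zero in the IKE_SA_INIT request and only known afterwards.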
Microsoft patched the vulnerability in its April 2026 release cycle and suggests mitigations for networks that cannot apply the patch immediately.