IRONSMITHINTEL
HIGH | CVSS 8.1 | CVE-2026-33827 | Auth: see MSRC advisory | Reboot: required | Manual only

KB5082198: Windows Server 2016 Security Update (April 2026)

A crafted IPv6 packet can give an attacker remote code execution on a Windows Server with IPsec enabled — wormable, requires no credentials.

Published Apr 14, 2026 · Updated May 23, 2026
Why patch: Risk explained in plain English

Worst-case scenario: If unpatched

An attacker who can deliver IPv6 packets to a Windows host with IPsec enabled can send a crafted sequence that triggers the race condition and executes code in kernel context — no credentials, no user interaction. The "wormable" classification means a successful exploit can spread host-to-host automatically. The high attack complexity (the attacker must win a timing race and pre-stage the environment) tempers the practical risk but does not eliminate it.

How the attack works

The Windows TCP/IP stack processes every IP packet in kernel mode. A race condition (CWE-362) in how it handles crafted IPv6 packets on hosts where IPsec is enabled lets an attacker who wins the race corrupt kernel memory and execute code. IPv6 is enabled by default on every modern Windows host; IPsec is enabled on hosts that participate in any IPsec policy (common on domain-joined servers and VPN endpoints).

Am I affected? Quick check

Probably yes if any of these apply:

Windows Servers with IPv6 enabled AND IPsec configured (the common default for domain-joined and VPN hosts)

Affected OS versions

Windows Server 2016

Real-world incidents: What we've seen

A corporate environment uses IPsec between data centres, and every endpoint has IPv6 on by default. An attacker who can deliver IPv6 packets to a perimeter host repeatedly attempts the race; on success they gain kernel-level code execution and seed a worm that targets the next IPsec-enabled host. This is the same family as CVE-2024-38063 (the 2024 IPv6 RCE) — network-stack bugs that nobody can sensibly block at the perimeter.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5082198

Manual remediation steps

Check whether IPsec is in use

The race is only reachable when IPsec is active:

Get-Service PolicyAgent | Select-Object Name, Status, StartType
Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue | Select-Object -First 5

Hosts without IPsec active are not exploitable via this path — but patch regardless.
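
The IPsec check above and the KB check from the Steps section can be combined into one triage pass over a list of servers. This PowerShell is an added example, not the advisory's own tested script; the function name Get-IPsecRaceExposure, the Triage labels and the rule for treating IPsec as "in use" are assumptions made here.

```powershell
# Added example: triage helper, not the advisory's own script.
# Get-IPsecRaceExposure is a hypothetical name.
function Get-IPsecRaceExposure {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$KbId = 'KB5082198'
    )
    $probe = {
        param($KbId)
        # Same two IPsec checks as the advisory, plus the IPv6 binding state
        $agent = Get-Service -Name PolicyAgent -ErrorAction SilentlyContinue
        $rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
        $v6    = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
                   Where-Object Enabled)
        $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            IPv6Bound   = $v6.Count -gt 0
            PolicyAgent = if ($agent) { [string]$agent.Status } else { 'NotFound' }
            ActiveRules = $rules.Count
            KbListed    = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
            # Build.UBR, to compare by hand against the build in the KB article
            Build       = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
        }
    }
    foreach ($c in $ComputerName) {
        try {
            $r = if ($c -eq $env:COMPUTERNAME) { & $probe $KbId } else {
                Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $KbId -ErrorAction Stop
            }
        } catch {
            [pscustomobject]@{ Computer = $c; Triage = 'Unreachable'; Detail = $_.Exception.Message }
            continue
        }
        # Assumption (deliberately conservative): IPsec counts as in use when the
        # agent is running OR any rule exists in the active store.
        $ipsec = ($r.PolicyAgent -eq 'Running') -or ($r.ActiveRules -gt 0)
        # A missing KB entry is not proof of exposure: a later cumulative update
        # that supersedes it is not listed under this KB id, so check Build too.
        $triage = if ($r.KbListed) { 'KbPresent' } elseif ($r.IPv6Bound -and $ipsec) { 'PatchFirst' } else { 'PatchNext' }
        $r | Select-Object Computer, IPv6Bound, PolicyAgent, ActiveRules, KbListed, Build,
             @{ Name = 'Triage'; Expression = { $triage } }
    }
}

# Local host by default; pass -ComputerName for a list of servers (needs WinRM)
Get-IPsecRaceExposure | Format-Table -AutoSize
```

Hosts marked PatchNext still need the update; the label only orders the maintenance windows.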

Prerequisites

    Local administrator on the target server
    Maintenance window with reboot capacity
    Current backup or snapshot you can roll back to
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5082198 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

    1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5082198
    2. Download the MSU for Windows Server 2016 that matches your architecture (x64).
    3. Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5082198
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5082198 /quiet /norestart

Notes

    This entry covers Windows Server 2016 specifically (KB5082198). Other Windows Server versions have their own KB for CVE-2026-33827.
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33827 and NVD https://nvd.nist.gov/vuln/detail/CVE-2026-33827.

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.