
CVE-2026-33824 Remote Code Execution in Windows IKEv2#2164

Open
carlospolop wants to merge 1 commit into master from update_CVE-2026-33824__Remote_Code_Execution_in_Windows_I_20260423_190733

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Title: CVE-2026-33824: Remote Code Execution in Windows IKEv2

Author / date: TrendAI Research Team (ZDI excerpt), published April 23, 2026. The underlying bug was originally discovered by Microsoft’s WARP & MORSE team.


Vulnerability overview
CVE-2026-33824 is a double-free in the Windows Internet Key Exchange service (IKEv2) within ikeext.dll, reachable during IKEv2 fragmentation reassembly. A remote, unauthenticated at...

🔧 Technical Details

Abusing async work-queue shallow copies to force double-free: If a protocol handler copies a session/SA structure into a per-packet context and then queues it for asynchronous processing, verify whether cleanup routines free embedded pointers. A common bug pattern arises when the queueing layer deep-copies some fields (e.g., reassembly buffers) but shallow-copies others (e.g., pointers owned by the long-lived session). By forcing the queued context to be destroyed (freeing the shallow-copied pointer) and later triggering session teardown (freeing the original owner pointer), an attacker can create a double-free primitive.

Reaching memory-corruption via fragmentation reassembly (RFC 7383): Fragmentation handlers often perform complex list management, reinjection, and context construction even when the final reassembled message fails validation. Sending multiple Encrypted Fragment (SKF, 0x35) payloads that reassemble into an invalid higher-level message can still e...

🤖 Agent Actions

I’m mapping the repo first and locating the existing IPsec/IKE and heap-related pages so the change lands in the right place and only once.
I have the candidate areas. Next I’m reading the relevant existing pages in both the network-service and heap sections to decide which single file fits best and to avoid duplicating techniques already documented.
The file names differ from the suggested section names, so I’m reading the actual IPsec/IKE page and the libc-heap pages next. I also want to see whether the existing docs already mention protocol-fragmentation-driven memory corruption or stateful IKE detection.
The IPsec/IKE page is the stronger fit: it already contains IKEv2 vendor-ID fingerprinting and offensive guidance, while the heap pages are glibc-specific and Linux-centric. I’m checking the rest of the VPN page for the best insertion point and how references are structured at the end.
I’ve finished the placement decision. Now I’m validating the missing pieces against the existing IPsec/IKE content and pulling the supporting public references I want to cite: the ZDI write-up, RFC 7383 fragmentation, and the Microsoft advisory.
I have the delta: the existing page covers aggressive mode, vendor IDs, and a different IKEv2 parser bug, but it does not cover RFC 7383 fragmentation as an attack surface, async shallow-copy ownership bugs, or the practical multi-packet detection pattern. I’m patching the IPsec/IKE page with a compact Windows IKEEXT case study and adding the source references at the end.
The edit is in place. I’m doing a final pass on the modified region and the reference tail now to make sure the markdown is clean and the page still reads like existing HackTricks content.
Updated ipsec-ike-vpn-pentesting.md as the single target file.

I added a concise IKEv2 fragmentation case-study section covering the useful technique abstractions from the blog: RFC 7383 fragmentation as a pre-auth parser surface, async work-queue shallow-copy ownership bugs that become double frees, and stateful detection by correlating IKE_SA_INIT plus fragmented IKE_AUTH across UDP/500 and UDP/4500 with NAT-T offset adjustments. I did not create a new file because the existing IPsec/IKE page was the best fit and the heap pages are glibc-centric rather than protocol-service oriented.

I also appended references for the ZDI blog, RFC 7383, and the Microsoft advisory. Verified the final markdown and diff; only that one file was modified.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
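The async work-queue ownership bug described in the Technical Details above, as an added example that is not code from the PR, the ZDI post or ikeext.dll: a hypothetical `sa_session`/`packet_ctx` pair in which the queueing layer deep-copies the per-packet reassembly buffer but shallow-copies the SA's key-material pointer, so destroying the rejected context and later tearing down the SA releases the same buffer twice. A small free() tracker logs each release and only frees on the first one, so the double free is counted rather than crashing the demo. Structure names, field layouts and the fragment bytes are assumptions constructed for the example; the hardened cleanup next to it releases only what the context owns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- tiny free() tracker: makes the second release observable instead of fatal --- */
#define MAX_TRACKED 16
static const void *freed_log[MAX_TRACKED];
static int freed_n;

static void tracker_reset(void) { freed_n = 0; }

static int times_freed(const void *p) {
    int n = 0;
    for (int i = 0; i < freed_n; i++) if (freed_log[i] == p) n++;
    return n;
}

/* Release once for real; later releases of the same pointer are only logged. */
static void tracked_free(void *p) {
    if (!p) return;
    if (freed_n < MAX_TRACKED) freed_log[freed_n++] = p;
    if (times_freed(p) == 1) free(p);
}

/* Long-lived IKE SA state (hypothetical layout standing in for the real SA). */
struct sa_session {
    unsigned char *keymat;      /* owned by the SA for its whole lifetime */
    size_t keymat_len;
};

/* Per-packet context handed to the async work queue. */
struct packet_ctx {
    unsigned char *reassembly;  /* deep-copied fragment data: owned by the ctx */
    size_t reassembly_len;
    unsigned char *keymat;      /* shallow-copied: still owned by the SA */
    size_t keymat_len;
    int owns_keymat;            /* ownership flag consulted by the hardened cleanup */
};

static struct packet_ctx *queue_packet(const struct sa_session *sa,
                                       const unsigned char *frag, size_t frag_len) {
    struct packet_ctx *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return NULL;
    ctx->reassembly = malloc(frag_len);
    if (!ctx->reassembly) { free(ctx); return NULL; }
    memcpy(ctx->reassembly, frag, frag_len);      /* deep copy */
    ctx->reassembly_len = frag_len;
    ctx->keymat = sa->keymat;                     /* shallow copy of an SA-owned pointer */
    ctx->keymat_len = sa->keymat_len;
    ctx->owns_keymat = 0;
    return ctx;
}

/* Vulnerable cleanup: frees every embedded pointer, including the borrowed one. */
static void ctx_destroy_vulnerable(struct packet_ctx *ctx) {
    tracked_free(ctx->reassembly);
    tracked_free(ctx->keymat);                    /* BUG: this buffer belongs to the SA */
    free(ctx);
}

/* Hardened cleanup: releases only what the context owns. */
static void ctx_destroy_hardened(struct packet_ctx *ctx) {
    tracked_free(ctx->reassembly);
    if (ctx->owns_keymat) tracked_free(ctx->keymat);
    ctx->keymat = NULL;
    free(ctx);
}

static void session_teardown(struct sa_session *sa) {
    tracked_free(sa->keymat);
    sa->keymat = NULL;
}

/* Drives queue -> reject/destroy -> SA teardown and returns how many times the
 * SA's keymat buffer was released: 2 means double free, 1 means correct. */
int keymat_free_count(int hardened) {
    /* constructed SKF-like bytes; content is irrelevant to the ownership bug */
    static const unsigned char frag[] = {0x35, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x01};
    tracker_reset();
    struct sa_session sa = { malloc(32), 32 };
    if (!sa.keymat) return -1;
    memset(sa.keymat, 0x41, sa.keymat_len);
    const unsigned char *keymat_ptr = sa.keymat;

    struct packet_ctx *ctx = queue_packet(&sa, frag, sizeof frag);
    if (!ctx) { free(sa.keymat); return -1; }
    /* The reassembled message fails validation, so the queued ctx is torn down... */
    if (hardened) ctx_destroy_hardened(ctx); else ctx_destroy_vulnerable(ctx);
    /* ...and later the session itself is deleted. */
    session_teardown(&sa);
    return times_freed(keymat_ptr);
}

int main(void) {
    printf("vulnerable cleanup: keymat released %d times\n", keymat_free_count(0));
    printf("hardened cleanup:   keymat released %d times\n", keymat_free_count(1));
    return 0;
}
```

The fix that matters is the ownership decision, not the flag itself: whichever side owns a pointer must be the only one that frees it, and a context that borrows SA state should either deep-copy it or carry an explicit "not mine" marker that every cleanup path honours, including the early-reject paths that run when reassembly produces an invalid message.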

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.thezdi.com/blog/2026/4/22/cve-2026-33824-remote-code-execution-in-windows-ikev2

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 500/udp - Pentesting IPsec/IKE VPN (add Windows IKEv2/IKEEXT CVE-2026-33824 notes) and/or Binary Exploitation -> Heap (Double Free) with a real-world Windows network-service case study".

Repository Maintenance:

  • MD Files Formatting: 972 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
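The stateful detection pattern the PR description summarizes (correlating IKE_SA_INIT with fragmented IKE_AUTH across UDP/500 and UDP/4500 with the NAT-T offset applied), as an added example that is not from the PR, the HackTricks page or the ZDI post: a minimal detector that parses the fixed IKEv2 header, skips the 4-byte non-ESP marker on port 4500, and counts RFC 7383 SKF (0x35) fragments per Initiator SPI only when that SPI was first seen in an IKE_SA_INIT request. The datagrams are constructed inline, the payload bodies are filler, and the return codes of `ike_observe` are this example's own convention.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKE_HDR_LEN      28
#define NATT_MARKER_LEN  4    /* zero non-ESP marker in front of IKE on UDP/4500 */
#define EXCH_IKE_SA_INIT 34
#define EXCH_IKE_AUTH    35
#define PAYLOAD_SKF      53   /* Encrypted and Authenticated Fragment (0x35), RFC 7383 */
#define FLAG_RESPONSE    0x20

struct ike_hdr { uint64_t ispi, rspi; uint8_t next, version, exch, flags; uint32_t msg_id, length; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static uint64_t rd64(const uint8_t *p) { return ((uint64_t)rd32(p) << 32) | rd32(p + 4); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Parse the fixed IKEv2 header; returns the offset of the first payload or -1. */
static int parse_ike_hdr(uint16_t udp_port, const uint8_t *pkt, size_t len, struct ike_hdr *h) {
    size_t off = 0;
    if (udp_port == 4500) {                      /* NAT-T: skip the marker, reject ESP */
        if (len < NATT_MARKER_LEN || rd32(pkt) != 0) return -1;
        off = NATT_MARKER_LEN;
    }
    if (len - off < IKE_HDR_LEN) return -1;
    const uint8_t *p = pkt + off;
    h->ispi = rd64(p);        h->rspi = rd64(p + 8);
    h->next = p[16];          h->version = p[17];
    h->exch = p[18];          h->flags = p[19];
    h->msg_id = rd32(p + 20); h->length = rd32(p + 24);
    if ((h->version >> 4) != 2 || h->length != len - off) return -1;  /* not IKEv2 / bad length */
    return (int)(off + IKE_HDR_LEN);
}

/* Per-SA state keyed by Initiator SPI (small fixed table for the demo). */
#define MAX_SA 8
struct sa_track { uint64_t ispi; int used, saw_init, frags_seen; };
static struct sa_track table[MAX_SA];

void detector_reset(void) { memset(table, 0, sizeof table); }

static struct sa_track *lookup(uint64_t ispi, int create) {
    for (int i = 0; i < MAX_SA; i++) if (table[i].used && table[i].ispi == ispi) return &table[i];
    if (!create) return NULL;
    for (int i = 0; i < MAX_SA; i++)
        if (!table[i].used) { table[i].used = 1; table[i].ispi = ispi; return &table[i]; }
    return NULL;
}

int fragments_seen(uint64_t ispi) { struct sa_track *t = lookup(ispi, 0); return t ? t->frags_seen : 0; }

/* Feed one UDP datagram. Returns -1 malformed, 0 ignored, 1 IKE_SA_INIT request
 * recorded, 2 SKF fragment of IKE_AUTH correlated to a known SA (the pre-auth
 * fragmented pattern worth flagging or rate-limiting), 3 SKF fragment whose SPI
 * never sent IKE_SA_INIT. */
int ike_observe(uint16_t udp_port, const uint8_t *pkt, size_t len) {
    struct ike_hdr h;
    int off = parse_ike_hdr(udp_port, pkt, len, &h);
    if (off < 0) return -1;
    if (h.exch == EXCH_IKE_SA_INIT && !(h.flags & FLAG_RESPONSE)) {
        struct sa_track *t = lookup(h.ispi, 1);
        if (!t) return -1;
        t->saw_init = 1;
        return 1;
    }
    if (h.exch == EXCH_IKE_AUTH && h.next == PAYLOAD_SKF) {
        if (len - off < 8) return -1;            /* generic hdr (4) + frag num (2) + total (2) */
        const uint8_t *skf = pkt + off;
        uint16_t plen = rd16(skf + 2), fnum = rd16(skf + 4), ftot = rd16(skf + 6);
        if (plen < 8 || plen > len - off || fnum == 0 || fnum > ftot) return -1;
        struct sa_track *t = lookup(h.ispi, 0);
        if (!t || !t->saw_init) return 3;
        t->frags_seen++;
        return 2;
    }
    return 0;
}

/* Build a constructed IKEv2 datagram (NAT-T marker if natt) carrying one payload. */
static size_t build_ike(uint8_t *out, int natt, uint64_t ispi, uint8_t next, uint8_t exch,
                        uint32_t msg_id, const uint8_t *payload, size_t plen) {
    size_t off = natt ? NATT_MARKER_LEN : 0;
    uint8_t *p = out + off;
    memset(out, 0, off + IKE_HDR_LEN);
    wr32(p, (uint32_t)(ispi >> 32)); wr32(p + 4, (uint32_t)ispi);
    p[16] = next; p[17] = 0x20; p[18] = exch; p[19] = 0x08;     /* version 2.0, Initiator flag */
    wr32(p + 20, msg_id); wr32(p + 24, (uint32_t)(IKE_HDR_LEN + plen));
    memcpy(p + IKE_HDR_LEN, payload, plen);
    return off + IKE_HDR_LEN + plen;
}

/* Scenario: IKE_SA_INIT on UDP/500, two SKF fragments of IKE_AUTH on UDP/4500,
 * then a stray fragment for an unknown SPI. Returns fragments correlated to the SA (2). */
int demo_fragmented_ike_auth(void) {
    detector_reset();
    const uint64_t ispi = 0x1122334455667788ULL;
    const uint8_t sa_body[4] = {0, 0, 0, 4};                                   /* empty SA payload */
    const uint8_t skf1[12] = {0, 0, 0, 12, 0, 1, 0, 2, 0xde, 0xad, 0xbe, 0xef}; /* fragment 1/2 */
    const uint8_t skf2[12] = {0, 0, 0, 12, 0, 2, 0, 2, 0xca, 0xfe, 0xba, 0xbe}; /* fragment 2/2 */
    uint8_t pkt[128];
    size_t n = build_ike(pkt, 0, ispi, 33, EXCH_IKE_SA_INIT, 0, sa_body, 4);
    if (ike_observe(500, pkt, n) != 1) return -1;
    n = build_ike(pkt, 1, ispi, PAYLOAD_SKF, EXCH_IKE_AUTH, 1, skf1, 12);
    if (ike_observe(4500, pkt, n) != 2) return -1;
    n = build_ike(pkt, 1, ispi, PAYLOAD_SKF, EXCH_IKE_AUTH, 1, skf2, 12);
    if (ike_observe(4500, pkt, n) != 2) return -1;
    n = build_ike(pkt, 1, 0x99, PAYLOAD_SKF, EXCH_IKE_AUTH, 1, skf1, 12);
    if (ike_observe(4500, pkt, n) != 3) return -1;              /* no IKE_SA_INIT for this SPI */
    if (ike_observe(500, pkt, n) != -1) return -1;              /* NAT-T framing on port 500 fails */
    return fragments_seen(ispi);
}

int main(void) {
    printf("fragments correlated to the SA: %d\n", demo_fragmented_ike_auth());
    return 0;
}
```

A real sensor would additionally expire SA entries, key on the source address as well as the SPI, and track Fragment Number against Total Fragments so that duplicate, out-of-range or never-completing fragment sets stand out; the point here is that fragmented IKE_AUTH is only interpretable once the IKE_SA_INIT that created the SPI has been seen, and that the same SA may legitimately move from 500 to 4500 mid-exchange.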
