CyberPulse Daily | #1 Trusted Source for Cybersecurity News

Critical Zero-Day in Windows Kernel Exploited in the Wild — Patch Immediately

Microsoft has released an emergency out-of-band patch addressing a critical zero-day vulnerability (CVE-2026-21784) in the Windows kernel that has been actively exploited by threat actors in targeted attacks against government agencies across Europe and North America.

The vulnerability, which carries a CVSS score of 9.8, resides in the win32kfull.sys driver and allows attackers to achieve local privilege escalation from a standard user account to SYSTEM-level access. Security researchers at Mandiant first identified the exploitation in late February 2026.

"This is one of the most severe Windows kernel vulnerabilities we've seen this year," said James Crawford, senior threat analyst at Mandiant. "The exploit is highly reliable and works across all supported Windows versions including Windows 11 23H2 and Server 2025."

The attack chain begins with a specially crafted document delivered via spear-phishing emails. Once opened, the document triggers a memory corruption bug in the kernel driver, enabling the attacker to bypass all security mitigations including KASLR and CFG.

Microsoft urges all organizations to apply the patch KB5035247 immediately. The company has also updated its Defender signatures to detect known exploitation attempts. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog with a remediation deadline of March 21, 2026.
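A practical first step on the defender side is confirming that KB5035247 is actually present on each endpoint. The PowerShell snippet below is an added example (not from the article, Microsoft or Mandiant) that queries a list of hosts with Get-HotFix and reports which still lack the update; the host names are constructed placeholders.

```powershell
# Added example (not from the article): report which hosts lack KB5035247,
# the fix the article names for CVE-2026-21784. Host names are constructed placeholders.
$PatchId = 'KB5035247'
$Hosts   = @('localhost', 'ws-finance-01', 'srv-files-02')

$Report = foreach ($h in $Hosts) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering over WMI/DCOM; an unreachable
        # host throws, which is recorded separately from "reachable but unpatched".
        $installed = Get-HotFix -ComputerName $h -ErrorAction Stop
        $fix = $installed | Where-Object HotFixID -eq $PatchId
        [pscustomobject]@{
            Host        = $h
            Patched     = [bool]$fix
            InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
            Error       = $null
        }
    } catch {
        [pscustomobject]@{ Host = $h; Patched = $false; InstalledOn = $null; Error = $_.Exception.Message }
    }
}

$Report | Format-Table -AutoSize

# Hosts that are unpatched or unreachable go to the remediation tracker ahead of the CISA deadline.
$Report | Where-Object { -not $_.Patched } | Select-Object -ExpandProperty Host
```

Treat unreachable hosts as unpatched until confirmed; Get-HotFix needs the remote machine to accept WMI/DCOM connections from the account running the script.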
