Microsoft Patches Critical Double-Free Vulnerability in Windows Message Queueing Driver
Microsoft has released a security update for CVE-2026-33838, a double-free vulnerability in the Windows Message Queueing (mqac.sys) driver that allows local attackers to escalate privileges to kernel code execution.

Microsoft has released a security update to address CVE-2026-33838, a high-severity double-free vulnerability in the Windows Message Queueing (MSMQ) component that could allow local attackers to escalate privileges to kernel-level code execution. The flaw, reported through the Zero Day Initiative (ZDI) program, affects the mqac.sys driver and carries a CVSS score of 7.8.
The vulnerability resides in the mqac.sys driver, which handles driver object operations. According to the ZDI advisory, the issue stems from the driver's failure to validate the existence of an object before performing further free operations on it. This leads to a double-free condition, in which memory is freed twice, corrupting kernel memory and enabling an attacker to execute arbitrary code with SYSTEM privileges.
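The bug class described above, as an added example that is not code from mqac.sys or from the advisory: a constructed user-mode model in which two teardown paths release the same object, once without validating that the object still owns its buffer and once with the check. The slot pool, `msg_object` and all function names are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed user-mode model of the bug class; not code from mqac.sys. */
#define POOL_SLOTS 4
static unsigned char pool_live[POOL_SLOTS]; /* 1 = slot currently allocated */
static int double_frees;                    /* frees of an already-free slot */

static int pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool_live[i]) { pool_live[i] = 1; return i; }
    return -1;
}

/* Checking allocator: records a second free instead of corrupting state. */
static void pool_free(int slot) {
    if (slot < 0 || slot >= POOL_SLOTS) return;
    if (!pool_live[slot]) { double_frees++; return; }
    pool_live[slot] = 0;
}

typedef struct { int buf; } msg_object; /* buf: pool slot, -1 when none */

/* Flawed: frees o->buf without checking the object still owns it. */
static void release_unchecked(msg_object *o) { pool_free(o->buf); }

/* Hardened: validate ownership, free once, then clear the reference. */
static void release_checked(msg_object *o) {
    if (o->buf < 0) return;
    pool_free(o->buf);
    o->buf = -1;
}

/* Two teardown paths reach the same object; returns double frees seen. */
static int run_teardown(void (*release)(msg_object *)) {
    for (int i = 0; i < POOL_SLOTS; i++) pool_live[i] = 0;
    double_frees = 0;
    msg_object o = { pool_alloc() };
    release(&o); /* first teardown path */
    release(&o); /* second teardown path reaches the same object */
    return double_frees;
}

int teardown_unchecked(void) { return run_teardown(release_unchecked); }
int teardown_checked(void)   { return run_teardown(release_checked); }

int main(void) {
    printf("unchecked: %d double free(s)\n", teardown_unchecked());
    printf("checked:   %d double free(s)\n", teardown_checked());
    return 0;
}
```

The checking allocator only counts the second free; a production allocator without such a check would have its internal state corrupted at that point.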
Exploitation requires an attacker to first obtain the ability to execute low-privileged code on the target system. Once achieved, the attacker can trigger the double-free condition to gain full control over the kernel. The vulnerability does not require user interaction or network access, making it a significant threat in post-compromise scenarios where an attacker has already established a foothold.
Microsoft has issued a security update as part of its May 2026 Patch Tuesday release. The update is available through the Microsoft Update Guide and can be accessed via the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33838. Users are strongly advised to apply the patch immediately to mitigate the risk of local privilege escalation attacks.
The vulnerability was reported to Microsoft on January 8, 2026, and was disclosed publicly on May 12, 2026, following the coordinated release of the advisory. The researcher who discovered the flaw chose to remain anonymous. No evidence of active exploitation in the wild has been reported at this time.
This vulnerability highlights the ongoing challenge of memory safety in kernel-mode drivers, particularly in legacy components like MSMQ that have been part of Windows for decades. Double-free bugs remain a common class of privilege escalation vulnerabilities, and Microsoft continues to invest in mitigations such as the use of safer memory allocation functions and driver verification tools. However, as this case demonstrates, manual code review and fuzzing remain essential for uncovering critical flaws in complex driver codebases.