Zero Day Initiative - Blog

CVE-2026-33824: Remote Code Execution in Windows IKEv2

23 April 2026, 12:42

In this excerpt of a TrendAI Research Services vulnerability report, Richard Chen and Lucas Miller of the TrendAI Research team detail a recently patched double free vulnerability in the Windows Internet Key Exchange (IKE) service. This bug was originally discovered by the WARP & MORSE team at Microsoft. Successful exploitation could result in a crash of the IKEEXT service, or potentially arbitrary code execution. The following is a portion of their write-up covering CVE-2026-33824, with a few minimal modifications.


A double free vulnerability has been reported in the Windows Internet Key Exchange (IKEv2) service. The vulnerability is due to an error when processing fragments.

An unauthenticated, remote attacker could exploit this vulnerability by sending crafted packets to the target server. Successful exploitation could result in a crash of the IKEEXT service, or potentially arbitrary code execution.

The Vulnerability

Microsoft Windows is an operating system which includes both server and desktop components along with an easy-to-use GUI. All currently supported versions of Windows include Internet Key Exchange Protocol Extensions to support the Virtual Private Network (VPN) feature.

The VPN feature of Windows encrypts communication between hosts. ISAKMP is a negotiation protocol used by IPsec-enabled hosts to build a security association. It uses the Internet Key Exchange (IKE) Protocol in order to negotiate keys for encrypted communication. IKE has two versions: IKEv1 and IKEv2. IKE version 1 (IKEv1) and version 2 (IKEv2) messages have the following general format:

The type of payload is determined by the Next Payload header of the previous payload, or the Next Payload field in the header (in the case of the first payload).

IKEv2 supports message fragmentation as defined in RFC 7383. When IKEv2 messages exceed the path MTU, they may be split into multiple Encrypted Fragment payloads. Of interest to this report is the Encrypted Fragment (SKF) payload (type 0x35). The SKF payload format is defined as:

When an IKEv2 implementation receives fragments, it inserts each fragment into an ordered list and reassembles them once all fragments have been received. In the Windows implementation, the function IkeReinjectReassembledPacket() performs this reassembly.

A double-free vulnerability has been reported in the Windows IKE Extension library (ikeext.dll). The vulnerability is due to improper ownership handling of a heap-allocated blob pointer during IKEv2 fragment reassembly. During the IKE_SA_INIT exchange, a Security Realm Vendor ID payload causes IkeHandleSecurityRealmVendorId() to allocate a blob and store it in the MMSA (Main Mode Security Association) structure at offset 0x208. When a fragmented IKE_AUTH message is fully reassembled, IkeReinjectReassembledPacket copies MMSA fields at offsets 0x178 through 0x21F - including the blob pointer at 0x208 - into a local stack struct. This struct is then passed to IkeQueueRecvRequest, which shallow-copies it into a heap-allocated work item. While IkeQueueRecvRequest deep-copies the reassembly buffer at offset 0x10 in the struct, the Security Realm blob pointer at offset 0xC8 remains a shallow copy, aliasing the original at MMSA+0x208.

When the thread pool processes the queued work item, IkeDestroyPacketContext checks the blob pointer at offset 0xC8 and calls WfpMemFree to release it (first free). The MMSA structure still holds the original pointer to the same allocation at offset 0x208. When the MMSA is subsequently cleaned up through IkeCleanupMMNegotiation, the SA reference count is decremented via IkeDerefMMSA, eventually triggering IkeFreeMMSA, which frees the blob pointer at MMSA offset 0x208 - the same allocation already freed by IkeDestroyPacketContext (second free).

A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted IKE_SA_INIT message followed by two or more Encrypted Fragment (SKF) payloads containing an invalid IKE_AUTH message to the target server. The fragment reassembly path will shallow-copy the blob pointers, and the subsequent MMSA cleanup will trigger the double free. Successful exploitation could result in arbitrary code execution under the security context of the IKEEXT service (SYSTEM).

Source Code Walkthrough

The following code snippets were taken from IKEEXT.DLL file version 10.0.20348.2849 and decompiled with IDA Pro version 8.3. Comments added by TrendAI have been highlighted.

Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on UDP ports 500 and 4500. The IKE general format, Payloads field, and the Encrypted Fragment (SKF) payload format can be seen above.

The detection device should monitor all incoming IKE traffic. Detection requires correlating two packets within the same IKE session: an IKE_SA_INIT request carrying the Microsoft Security Realm Vendor ID, followed by a fragmented IKE_AUTH request. Neither packet alone is malicious; both must be observed in sequence from the same source.

IKE_SA_INIT

At byte offset 17 of the UDP payload, the device should check for the three-byte sequence 20 22 08, which corresponds to the IKEv2 version identifier (0x20), the IKE_SA_INIT exchange type (0x22), and the Initiator flag (0x08). The device should then scan the remainder of the packet for the 16-byte sequence 68 6a 8c bd fe 63 4b 40 51 46 fb 2b af 33 e9 e8, which is the Microsoft Security Realm Vendor ID. If both conditions are met, the device should follow the guidance below.

IKE_AUTH

For subsequent packets from the same source, the device should check bytes at offset 16 through 23 of the UDP payload. At offset 16, the four-byte sequence 35 20 23 08 identifies an Encrypted Fragment payload (SKF, type 0x35), IKEv2 version (0x20), IKE_AUTH exchange type (0x23), and Initiator flag (0x08). If found, the detection device should inspect offset 20 and search for the four-byte sequence 00 00 00 01. If found, the traffic should be considered malicious; an attack exploiting this vulnerability is likely underway.

Notes
• All multi-byte values should be treated as big endian.
• When detecting traffic on port 4500, IKE packets are prefixed with a 4-byte non-ESP marker (\x00\x00\x00\x00), shifting all IKE header offsets by 4.
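The two-packet correlation described in the detection guidance, as an added example (not code from the original report): it parses the fixed IKEv2 header from constructed UDP payloads, strips the non-ESP marker on port 4500, and flags a session only after an IKE_SA_INIT carrying the Microsoft Security Realm Vendor ID is followed by an SKF-fragmented IKE_AUTH request with message ID 1. Keying the state on source address plus initiator SPI is an assumption made here to scope "same session"; the sample datagrams are constructed and minimal, not captured traffic.

```python
import struct

# Field values from the detection guidance (IKEv2 fixed header layout)
IKEV2_VERSION = 0x20          # major 2, minor 0
EXCH_IKE_SA_INIT = 0x22
EXCH_IKE_AUTH = 0x23
FLAG_INITIATOR = 0x08
PAYLOAD_SKF = 0x35            # Encrypted Fragment payload
IKE_HDR_LEN = 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# Microsoft Security Realm Vendor ID, as given in the write-up
MS_SECURITY_REALM_VID = bytes.fromhex("686a8cbdfe634b405146fb2baf33e9e8")


def ike_payload(udp_payload, dst_port):
    """Return the IKE message, stripping the non-ESP marker on port 4500.
    Returns None for UDP-encapsulated ESP (no marker), which is not IKE."""
    if dst_port == 4500:
        if not udp_payload.startswith(NON_ESP_MARKER):
            return None
        return udp_payload[len(NON_ESP_MARKER):]
    return udp_payload


def parse_ike_header(data):
    """Parse the 28-byte IKE header; None if the datagram is too short."""
    if len(data) < IKE_HDR_LEN:
        return None
    spi_i, _spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:IKE_HDR_LEN])   # msg_id is bytes 20..23
    return {"spi_i": spi_i, "next_payload": nxt, "version": ver,
            "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length}


class IkeFragmentDetector:
    """Correlates the two-packet sequence per (source address, initiator SPI)."""

    def __init__(self):
        self._primed = set()   # sessions whose IKE_SA_INIT carried the Vendor ID

    def observe(self, src_ip, dst_port, udp_payload):
        """Return True when this packet completes the suspicious sequence."""
        data = ike_payload(udp_payload, dst_port)
        hdr = parse_ike_header(data) if data is not None else None
        if hdr is None or hdr["version"] != IKEV2_VERSION or hdr["flags"] != FLAG_INITIATOR:
            return False
        session = (src_ip, hdr["spi_i"])
        if hdr["exchange"] == EXCH_IKE_SA_INIT:
            # Step 1: IKE_SA_INIT request carrying the Security Realm Vendor ID
            if MS_SECURITY_REALM_VID in data[IKE_HDR_LEN:]:
                self._primed.add(session)
            return False
        # Step 2: IKE_AUTH request whose first payload is SKF, message ID 1
        return (session in self._primed
                and hdr["exchange"] == EXCH_IKE_AUTH
                and hdr["next_payload"] == PAYLOAD_SKF
                and hdr["msg_id"] == 1)


# --- constructed sample datagrams (minimal, not captured traffic) ---
SPI_I = bytes.fromhex("0102030405060708")

def build_message(next_payload, exchange, msg_id, body):
    hdr = struct.pack("!8s8sBBBBII", SPI_I, b"\x00" * 8, next_payload,
                      IKEV2_VERSION, exchange, FLAG_INITIATOR, msg_id,
                      IKE_HDR_LEN + len(body))
    return hdr + body

# IKE_SA_INIT whose only payload is a Vendor ID payload (type 0x2B) with the Security Realm ID
SA_INIT = build_message(0x2B, EXCH_IKE_SA_INIT, 0,
                        struct.pack("!BBH", 0, 0, 4 + 16) + MS_SECURITY_REALM_VID)
# First fragment of an IKE_AUTH request: SKF generic header, fragment 1 of 2, dummy data
AUTH_FRAG = build_message(PAYLOAD_SKF, EXCH_IKE_AUTH, 1,
                          struct.pack("!BBHHH", 0, 0, 8 + 16, 1, 2) + b"\x00" * 16)
```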

Conclusion

This vulnerability was patched by Microsoft in the April 2026 release cycle. They do note two mitigations that could prevent exploitation while the patch is being tested and deployed. 

• Block inbound traffic on UDP ports 500 and 4500 for systems that do not use IKE.

• For systems that require IKE, configure firewall rules to allow inbound traffic on UDP ports 500 and 4500 only from known peer addresses.

These mitigations may be removed once the security patch is applied. The only way to fully remediate the vulnerability is to apply the update from the vendor.

Special thanks to Richard Chen and Lucas Miller of the TrendAI Research team for providing such a thorough analysis of this vulnerability. For an overview of TrendAI Research services please visit https://go.trendmicro.com/tis/vulnerabilities.html.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.


CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad

19 February 2026, 18:24

In this excerpt of a TrendAI Research Services vulnerability report, Nikolai Skliarenko and Yazhi Wang of the TrendAI Research team detail a recently patched command injection vulnerability in the Windows Notepad application. This bug was originally discovered by Cristian Papa and Alasdair Gorniak of Delta Obscura. Successful exploitation of this vulnerability could result in the execution of arbitrary commands in the security context of the victim's account. The following is a portion of their write-up covering CVE-2026-20841, with a few minimal modifications.


A remote code execution vulnerability has been reported in Microsoft Windows Notepad. The vulnerability is due to improper validation of links in Markdown files.

A remote attacker could exploit this vulnerability by enticing the victim to download and interact with a malicious file. Successful exploitation of this vulnerability could result in the execution of arbitrary commands in the security context of the victim's account.

The Vulnerability

Microsoft Windows comes with a default text-editing application called Windows Notepad. Historically, this application offered only minimal editing features. However, modern versions of Windows include an improved and extended Notepad by default. This new version supports multiple file formats, Markdown rendering, and Copilot-enhanced features.

Markdown is a lightweight markup language that allows users to create formatted text using a simple syntax. It is widely used for writing documents, blog posts, and README files. It supports a wide range of formatting options, including (but not limited to) headers, styled text, numbered and bulleted lists, and links. Markdown supports two main link formats: standard and inline. The standard link format is:

          [link-name](link/path)

When rendered, only the link text ("link-name") is shown to the user.

The inline links use the following format:

          <link/path>

When rendered, they are transformed into the equivalent standard link:

          [link/path](link/path)

A remote code execution vulnerability has been reported in Microsoft Windows Notepad. The vulnerability is due to improper validation of links when handling Markdown files.

When Notepad opens a file, if the application detects that the file requires special rendering (in this case, Markdown), the input file is tokenized. Tokenization in this context means splitting the raw file text into a sequence of small, recognizable pieces ("tokens") that the renderer can process one by one. Detection is performed based on the file extension. Only the ".md" extension was found to trigger Markdown rendering, as the application uses a fixed string comparison to determine whether Markdown should be rendered by calling sub_1400ED5D0(). Markdown files are rendered token by token.

Function sub_140170F60() handles clicking on links in Markdown files. It filters the link value and passes it to a ShellExecuteExW() call.

The filtering performed on the link is insufficient, as it allows maliciously crafted protocol URIs, such as "file://" and "ms-appinstaller://", to execute arbitrary files in the security context of the victim. ShellExecuteExW() uses the configured protocol handlers and may expose additional exploitable protocols depending on the system configuration.

A remote attacker could exploit this vulnerability by enticing the victim to download a maliciously crafted Markdown file, open it, and click on a malicious link. Successful exploitation of this vulnerability could result in the execution of arbitrary commands in the security context of the victim's account.

Notes
• Files using the ".md" file extension are not registered to be opened by Notepad by default. However, when opened manually in Notepad, they are rendered as Markdown, which allows the vulnerability to be triggered.
• Any "\\" sequences are converted to "\" in the attacker-controlled link path prior to passing it to the ShellExecuteExW() call.

Source Code Walkthrough

The following code snippet was taken from Notepad.exe version 11.2508. Comments added by TrendAI researchers have been highlighted.

In sub_140170F60():

Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on the following application protocols that can be used to deliver an attack to exploit this vulnerability:
• FTP, over ports 21/TCP, 20/TCP
• HTTP, over port 80/TCP
• HTTPS, over port 443/TCP
• IMAP, over port 143/TCP
• NFS, over ports 2049/TCP, 2049/UDP, 111/TCP, 111/UDP
• POP3, over port 110/TCP
• SMTP, over ports 25/TCP, 587/TCP
• SMB/CIFS, over ports 139/TCP, 445/TCP

The detection device must inspect traffic transferring a Markdown file with the file extension ".md". If such a file transfer is found, the detection device must search the file content for links.

The detection device must check whether the link paths contain the strings "file:" or "ms-appinstaller:".

If "file:" was found, the detection device must search the Markdown file contents using the following case-insensitive regular expression:

(\x3C|\[[^\x5d]+\]\()file:(\x2f|\x5c\x5c){4}

If "ms-appinstaller:" was found, the detection device must search the Markdown file contents using the following case-insensitive regular expression:

(\x3C|\[[^\x5d]+\]\()ms-appinstaller:(\x2f|\x5c\x5c){2}

If any of the regular expressions matches, the link contains a path to a remote resource. The traffic must be considered malicious; an attack exploiting this vulnerability is likely underway. This guidance should also detect the public PoC that was recently posted on GitHub.

Notes

• The string matches are case-insensitive.
• The detection guidance is based on the vendor-provided patch. However, the patch restricts links to local-only files and HTTP(S) URIs, and matching that broadly would produce a huge number of false positives. The guidance therefore focuses on formats that can access and execute remote files, which may result in false negatives.
• The vulnerable function uses the configured protocol handlers and may expose additional exploitable protocols depending on the system configuration.
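The detection guidance and its notes applied to a transferred file, as an added example (not code from the original report): it gates on the ".md" extension, runs the two case-insensitive expressions from the guidance, and shows which links they flag. The sample document and host names are constructed; the local file: link is there to show the deliberate false negative the notes describe.

```python
import re

# The two case-insensitive expressions from the detection guidance: an inline "<...>"
# link or the "(" of a "[text](...)" link, followed by a file: or ms-appinstaller: URI
# with enough "/" or "\\" separators to name a remote host rather than a local path.
REMOTE_LINK_PATTERNS = {
    "file": re.compile(
        r"(\x3C|\[[^\x5d]+\]\()file:(\x2f|\x5c\x5c){4}", re.IGNORECASE),
    "ms-appinstaller": re.compile(
        r"(\x3C|\[[^\x5d]+\]\()ms-appinstaller:(\x2f|\x5c\x5c){2}", re.IGNORECASE),
}


def is_markdown_transfer(filename):
    """Only ".md" triggers Notepad's Markdown rendering, so only those files matter."""
    return filename.lower().endswith(".md")


def find_remote_links(markdown):
    """Return (scheme, matched_text) for each link the guidance classifies as remote."""
    lowered = markdown.lower()
    findings = []
    for scheme, pattern in REMOTE_LINK_PATTERNS.items():
        # Cheap case-insensitive substring check before the regular expression
        if scheme + ":" not in lowered:
            continue
        for match in pattern.finditer(markdown):
            findings.append((scheme, match.group(0)))
    return findings


def inspect_transfer(filename, content):
    """True when a transferred .md file carries a link matching the guidance."""
    return is_markdown_transfer(filename) and bool(find_remote_links(content))


# Constructed sample document (not a real PoC): one remote UNC file: link, one
# ms-appinstaller: link, and two links the guidance deliberately does not flag.
SAMPLE_MD = "\n".join([
    "# Release notes",
    "[Installer](FILE:////host.example/share/setup.exe)",
    "<ms-appinstaller://host.example/app.msix>",
    "[Local notes](file:///C:/Users/me/notes.txt)",   # local path: only three slashes
    "[Website](https://example.com/)",
])
```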

Conclusion

This vulnerability was patched by Microsoft in the February 2026 release cycle. They note no workarounds but do list user interaction as a prerequisite to exploitation. To fully remediate the vulnerability, the proper action is to test and deploy the provided vendor patch.

Special thanks to Nikolai Skliarenko and Yazhi Wang of the TrendAI Research team for providing such a thorough analysis of this vulnerability. For an overview of TrendAI Research services please visit https://go.trendmicro.com/tis/vulnerabilities.html.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.


CVE-2025-6978: Arbitrary Code Execution in the Arista NG Firewall

5 February 2026, 13:45

In this excerpt of a TrendAI Research Services vulnerability report, Jonathan Lein and Simon Humbert of the TrendAI Research team detail a recently patched command injection vulnerability in the Arista NG Firewall. This bug was originally discovered by Gereon Huppertz and reported through the TrendAI Zero Day Initiative (ZDI) program. Successful exploitation could result in arbitrary command execution under the security context of the root user. The following is a portion of their write-up covering CVE-2025-6978, with a few minimal modifications.


A command injection vulnerability has been reported in Arista NG Firewall. The vulnerability is due to improper validation of user data in the diagnostics component.

A remote, authenticated attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary command execution under the security context of the root user.

The Vulnerability

Arista NG Firewall is an open-source firewall appliance. It was originally developed under the name Untangle. Its features include spam blocking, bandwidth control, and intrusion prevention (IPS), among others. NG Firewall can be managed through a web user interface or through a JSON-RPC API over HTTP.

HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body:

where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF). SP represents a space character. Parameters can be passed from the client to the server as name-value pairs in either the Request-URI, or in the message-body, depending on the Method used and Content-Type header. For example, a simple HTTP request passing a parameter named “param” with value “1”, using the GET method might look like:

A corresponding HTTP request using the POST method might look like:

If there is more than one parameter/value pair, they are encoded as '&'-delimited name=value pairs:

          var1=value1&var2=value2&var3=value3...

The component relevant to this report is the JSON-RPC endpoint. A JSON object has the following syntax:

• An object is enclosed in curly braces {}.
• An object consists of zero or more items delimited by a comma (",") character.
• An item consists of a key and a value. A key is delimited from its value by a colon (":") character.
• A key must be a string (enclosed in quotes).
• A value must be a valid type. Valid types include string, number, JSON object, array, Boolean, or null.
• An array is a value enclosed in square brackets []. An array consists of zero or more string, number, JSON object, array, Boolean or null values delimited by a comma (",") character.

An example JSON object is as follows:

The following is an example of a JSON-RPC request to the runTroubleshooting() method that is relevant to this report:

A command injection vulnerability has been reported in Arista NG Firewall. The vulnerability is due to improper validation of user data that is used in a command line. The runTroubleshooting() method of the class NetworkManagerImpl handles JSON-RPC requests to the runTroubleshooting method. The command parameter passed to the method is the first element in the params JSON array in the body of the request. This value must be one of the strings in the TroubleshootingCommands enum defined in the NetworkManager class. The second parameter of the method contains additional arguments passed to the JSON-RPC call.

The method will first iterate through each of the additional arguments and combine each key value pair into a single string, separated by a "=" character that will later be used as an environment variable. Next, a switch case statement is used to ensure the provided command is one of the values in TroubleshootingCommands. Each command value will be processed using the same code.

The method will next iterate through each environment variable, and inspect it for the following common command injection strings:

          ; & | > $(

If any are found, the request will be rejected, and an exception is thrown. If each environment variable is valid, the method execEvil() is called to create and execute a command line for the network-troubleshooting.sh script, with the environment variables passed as a parameter. The execEvil() method in turn will call Runtime.getRuntime().exec() to run the script, with the second parameter passing the environment variables that will be used by the script. Each command value will have a function in network-troubleshooting.sh, such as run_dns() for the “DNS” command value. Each function will follow a similar structure, by creating a CMD string using the environment variables passed by exec() and then calling eval to execute it.

However, the values of the parameters passed to the runTroubleshooting JSON-RPC method are not completely sanitized before they are used in the command line. While the parameters passed to the endpoint are inspected for some shell metacharacters, the list is incomplete. For example, the backtick character (`) is not included in the check and may be used to inject a command.

For example:

The example above will write and execute a python script on the server to achieve code execution without using any restricted characters.

A remote, authenticated attacker could exploit this vulnerability by sending a JSON-RPC request to the runTroubleshooting method with a crafted “HOST” or “URL” parameter that contains shell metacharacters not covered by the runTroubleshooting() check. Successful exploitation in the worst case will result in arbitrary command execution under the security context of the root user.

Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on the following ports:
• HTTP, over port 80/TCP
• HTTPS, over port 443/TCP

Traffic to Arista NG Firewall may be encrypted and must be decrypted prior to applying this guidance.

The detection device must search for HTTP POST requests made to the request-URI /admin/JSON-RPC. If found, the body of the request must be parsed as JSON. The JSON object in the body must be inspected for a method key, and its value must be checked for the substring runTroubleshooting. If found, the object must also be inspected for the JSON key "params", with a value containing a JSON array. The first entry in the JSON array must be inspected for any of the following strings:

If found, the second entry in the array must be inspected for a JSON object, and inspected for any of the following keys:

If either is found, the value corresponding to the key must be inspected for any of the following command injection characters:

If found, the traffic should be treated as suspicious; an attack exploiting this vulnerability is likely underway.

The following regular expression can be applied to find malicious requests:

          /\x22(HOST|URL)\x22\s*:\s*\x22(?:[^\x22\\]|\\.)*?[\x60\x27\x24\x3c]/

Notes:

• String matching on the request-URI and all JSON strings should be done in a case sensitive manner.
• The JSON strings may be encoded and must be decoded prior to applying this guidance.
• The request-URI may be URL-encoded and must be decoded before applying this guidance.
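The detection guidance above as a structured check, added here as an example (not code from the report or the product): it parses the JSON-RPC body, locates a runTroubleshooting call, and inspects the HOST and URL arguments for the metacharacters the regular expression targets (backtick, single quote, dollar, less-than). It also mirrors the application's incomplete filter to show why a backtick slips through, and contrasts the raw regex with parsed JSON on a \u-escaped value, which is the point of the "strings may be encoded" note. The JSON-RPC method string and all sample values are constructed assumptions; the page only states that the method must contain "runTroubleshooting", and its lists of command strings and keys are not reproduced here beyond HOST, URL and "DNS".

```python
import json
import re

# Metacharacters the vulnerable runTroubleshooting() check rejects (per the write-up)
APP_REJECTED_TOKENS = (";", "&", "|", ">", "$(")
# Metacharacters the detection regex looks for in HOST/URL values: ` ' $ <
DETECT_CHARS = frozenset("\x60\x27\x24\x3c")
RAW_PATTERN = re.compile(
    r"\x22(HOST|URL)\x22\s*:\s*\x22(?:[^\x22\\]|\\.)*?[\x60\x27\x24\x3c]")
TARGET_URI = "/admin/JSON-RPC"


def passes_app_check(value):
    """Mirror of the incomplete server-side filter: True means the app accepts it."""
    return not any(tok in value for tok in APP_REJECTED_TOKENS)


def inspect_request(http_method, request_uri, body):
    """Structured form of the guidance. Parsing the JSON first means \\uXXXX-escaped
    strings are decoded before inspection (see the Notes above)."""
    if http_method != "POST" or request_uri != TARGET_URI:   # case-sensitive match
        return False
    try:
        rpc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(rpc, dict) or "runTroubleshooting" not in str(rpc.get("method", "")):
        return False
    params = rpc.get("params")
    if not isinstance(params, list) or len(params) < 2:
        return False
    if not isinstance(params[0], str):      # command name, e.g. "DNS"
        return False
    if not isinstance(params[1], dict):     # additional arguments -> environment variables
        return False
    for key in ("HOST", "URL"):
        value = params[1].get(key)
        if isinstance(value, str) and DETECT_CHARS.intersection(value):
            return True
    return False


# Constructed requests. The method string is an assumption; the write-up only says it
# must contain "runTroubleshooting". The HOST value carries a backtick, which the
# application's own check does not reject.
INJECTED_BODY = json.dumps({
    "method": "NetworkManager.runTroubleshooting",
    "params": ["DNS", {"HOST": "host.example`x`"}],
})
# Same value with the backtick JSON-escaped as \u0060 (decodes to the same string)
ESCAPED_BODY = INJECTED_BODY.replace("`", "\\u0060")
BENIGN_BODY = json.dumps({
    "method": "NetworkManager.runTroubleshooting",
    "params": ["DNS", {"HOST": "host.example"}],
})
```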

Conclusion

This vulnerability has been addressed by Arista with their Security Advisory 0123. They note that the Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle) is affected by this bug, but other product versions are not. They also state the following mitigation can be applied:

Do not allow non-authorized administrative access or access to the administrative browser.

However, the more appropriate action is to apply the provided vendor security patch by upgrading to version 17.4 or higher.

Special thanks to Jonathan Lein and Simon Humbert of the TrendAI Research team for providing such a thorough analysis of this vulnerability. For an overview of TrendAI Research services, please visit https://go.trendmicro.com/tis/vulnerabilities.html.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
