Heap-based buffer overflow in the Windows Message Queuing (MSMQ) service enables an unauthorized attacker to execute arbitrary code on the host from an adjacent network. The vulnerability exploits memory corruption within the queue message handling routine, allowing the attacker to take control of the process and potentially elevate privileges or pivot within the network. The weakness is classified as CWE-122, which indicates that improper bounds checking leads to a buffer overrun.

Microsoft Windows operating systems including Windows 10 build 1607, 1809, 21H2, and 22H2; Windows 11 builds 23H2, 24H2, 25H2, 22H3, and 26H1; and Windows Server releases 2012, 2012 R2, 2016, 2019, 2022, 2025, and the 23H2 edition. All standard and Server Core installations of these versions are impacted, as the vulnerability resides in the MSMQ service component.

The CVSS score of 8.8 categorizes the flaw as High severity. Exploitation probability is currently not quantified (EPSS score not available) and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to reach the MSMQ service over the network, suggesting a remote network attack vector. If exploited, the attacker could execute code with the permissions of the MSMQ process, potentially compromising the entire machine or gaining lateral movement within the local domain.