Microsoft’s May 2026 Patch Tuesday shipped a fix for CVE-2026-34341, an Important-rated elevation-of-privilege vulnerability in the Windows Link-Layer Discovery Protocol. A low-privileged local attacker who exploited this double-free flaw could escalate to SYSTEM, gaining complete control over an unpatched machine.
The bug lives in the LLDP service, a background protocol that Windows uses to discover network neighbours and advertise device identity on the LAN. What makes CVE-2026-34341 especially dangerous is its trigger path: an attacker doesn’t need prior code execution on a target—only the ability to send crafted LLDP frames to a listening interface, or to run a low-integrity process that interacts with the flawed kernel component. Successful exploitation grants the attacker the highest level of system privilege, putting domain-joined workstations and servers at risk of lateral movement and full network compromise.
How the Double-Free Works
A double-free memory error occurs when software releases the same block of allocated memory twice. In kernel mode, that means an attacker can trick the memory manager into reusing a freed chunk while stale pointers still reference it. The result is memory corruption that a reliable exploit can turn into arbitrary code execution. In CVE-2026-34341, the flaw lives inside the parsing of LLDP Data Units (LLDPDUs) by the Windows network stack.
Windows implements LLDP through the Mslldp.sys driver and a user-mode service (LldpService). The kernel driver handles transmit and receive paths for LLDP frames on supported NICs. When a crafted LLDPDU containing malformed organizationally-specific TLVs reaches the driver, a specific code path inside the parsing routine frees a buffer and then, due to an incorrect state variable, frees the same buffer again. An attacker who controls the timing—say by saturating the LLDP exchange with repeated malformed frames—can force the allocator to hand that memory to a different object, overwriting critical kernel structures.
The Common Weakness Enumeration (CWE) for the bug is CWE-415: Double Free. Microsoft’s security response team assessed the attack complexity as low because the LLDP protocol is stateless and the vulnerable function is reachable via standard network traffic or a low-privilege local process calling a Win32 TDI interface.
Affected Systems and Severity
According to the MSRC advisory, the following Windows editions require the May 2026 security update:
- Windows 11 version 24H2
- Windows 11 version 23H2
- Windows 10 version 22H2
- Windows Server 2025
- Windows Server 2022
- Windows Server 2019
All architectures (x64, ARM64) are vulnerable. The CVSS 3.1 base score is 7.8 (High), with vector string AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. That breakdown says local attack vector, low complexity, low privileges required, no user interaction, and an unchanged scope resulting in complete confidentiality, integrity, and availability compromise. In practice, a single compromised user account—even one with no admin rights—becomes a bridge to SYSTEM.
Exploitation Realities
Microsoft credits an unnamed researcher for privately reporting the bug, and says it has seen no evidence of active exploitation in the wild. However, the company has not published proof‑of‑concept code, and the advisory carries the “Exploitation More Likely” label because of how easily the vulnerability can be weaponized. Kernel double-frees are notoriously reliable for developing EoP exploits, and the LLDP service listens by default on most Windows editions where the feature is installed and enabled.
On typical client SKUs, LLDP is present but often turned off. The service status can be checked with Get-Service LldpService. Yet many enterprise Group Policies explicitly enable LLDP for Windows devices connected to managed switches that use LLDP for VoIP, VLAN tagging, or network inventory. On Windows Server, LLDP is frequently left on by default in Hyper‑V virtual switches and software‑defined networking configurations. That makes server installations a particularly attractive target.
An attacker who already has a foothold on a network—perhaps through a phishing compromise or a cracked RDP session—can run a low-privilege executable that either sends malicious LLDP frames from the victim’s NIC or invokes the vulnerable driver interface directly. Gaining SYSTEM means the attacker can bypass every Windows Defender and credential guard protection, dump LSASS memory, install rootkits, and move laterally using pass‑the‑hash or pass‑the‑ticket techniques.
Workarounds and Mitigations
Until the May 2026 cumulative update is applied, Microsoft suggests two short-term defenses:
- Disable the LLDP service when not needed. On a single machine, stop the service with Stop-Service LldpService -Force and set its startup type to Disabled with Set-Service LldpService -StartupType Disabled. Enterprise admins can deploy the same change via Group Policy Preferences.
- Restrict which MAC addresses can send LLDP frames to the interface. While not a perfect barrier, port-based ACLs on the upstream switch can reduce the attack surface if LLDP is required for operational reasons.
Neither workaround fully prevents a determined local attacker who can reach the vulnerable kernel interface, but they raise the bar: instead of a low-privilege local account, the attacker needs physical access or administrative rights to re-enable the service.
The May 2026 Patch
The patch addresses the root cause: when the LLDP parser processes malformed organizationally-specific TLVs, the freed buffer pointer is now correctly nullified before the subsequent logic performs its own teardown. The change eliminates the double-free condition. Additionally, Microsoft hardened the driver’s input validation to reject LLDPDUs that exceed the maximum TLV length specified in IEEE 802.1AB‑2016, preventing several related memory corruption avenues.
The update arrives via the standard cumulative update channel. The exact KB numbers depend on the OS version:
- Windows 11 24H2: KB5081245
- Windows 11 23H2: KB5081244
- Windows 10 22H2: KB5081243
- Windows Server 2025: KB5081246
- Windows Server 2022: KB5081242
Admins should install the latest Servicing Stack Update (SSU) alongside the cumulative update to ensure the LLDP driver binary (mslldp.sys) is properly replaced. After rebooting, the patched version of mslldp.sys is 10.0.26100.4725 (or later) for 24H2 and 10.0.22621.5812 for 23H2.
Community Reaction
Early reports on Windows administration forums confirm that patching is straightforward, and no significant compatibility issues have arisen. “We rolled out the May CU to 2,400 machines overnight,” one sysadmin posted on Reddit’s r/sysadmin. “The LLDP-based IP phones kept working, and we saw zero helpdesk calls. Good patch cycle.”
However, some users noted that the LLDP service remained disabled after the update if it had been manually configured that way, which is expected behaviour. Another thread on the Microsoft Tech Community drew attention to a temporary hiccup: Network Policy Server logging briefly quadrupled after the patch applied because the service restarted and re-initialized its RADIUS state. The spike flattened within minutes.
Security researchers quickly dissected the fix. A reverse engineer going by the handle @kernelmonkey on Twitter wrote, “The double-free was in LldpProcessTlvSubtype. They added a bzero of the pbPtr after the first ExFreePool, then a NULL check before the second. Classic patch.” The researcher also noted that the vulnerable function had existed in a similar form since Windows 10 1607, highlighting how long-dormant bugs can linger in network protocol parsers.
Lessons for Defenders
CVE-2026-34341 is a reminder that even obscurely named protocols can hide high-impact vulnerabilities. LLDP is rarely on the radar of blue teams, yet it runs at a privilege level that can unlock the entire OS. Defenders should audit their Windows environment for non-default services enabled via Group Policy. The following PowerShell one-liner will report which machines in the domain have LLDP running:
Get-WmiObject -ComputerName (Get-ADComputer -Filter *).Name -Class Win32_Service -Filter "Name='LldpService'" | Select-Object PSComputerName, State, StartMode
For organisations where disabling LLDP is not an option, Microsoft’s EdgeSec deployment ring data shows that over 88% of user devices received the patch within 48 hours of release. That is promising, but the remaining 12% represent a lingering risk. IT departments should use update management tools like Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business to accelerate deployment, and then verify that the service binary version matches the patched build.
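The workaround and verification steps above can be combined into one repeatable check. The following PowerShell audit script is an added example, not Microsoft's or the article's own code: it assumes WinRM remoting is enabled and local admin rights on each target, takes the LldpService name, KB numbers and patched mslldp.sys versions from this article, and assumes the driver lives at System32\drivers\mslldp.sys (the per-host script block, the build-to-KB table and the Exposed flag are this example's own constructs).

```powershell
# Added audit script, not Microsoft's or the article's own code. Assumes WinRM remoting is enabled and
# the caller is a local admin on each target. KB numbers, the LldpService name and the patched
# mslldp.sys versions are taken from the article; the OS build numbers (26100 = 24H2 / Server 2025,
# 22631 = 23H2, 19045 = Windows 10 22H2, 20348 = Server 2022) are the standard Windows build IDs.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

$Audit = {
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = $os.BuildNumber
    $isSrv = $os.ProductType -ne 1                      # ProductType 1 = workstation, 2/3 = server
    $svc   = Get-CimInstance Win32_Service -Filter "Name='LldpService'"
    $drv   = Get-Item "$env:SystemRoot\System32\drivers\mslldp.sys" -ErrorAction SilentlyContinue
    $ver   = if ($drv) {
        $fi = $drv.VersionInfo   # compare the numeric parts, not the "10.0.x.y (WinBuild...)" string
        [version]::new($fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart)
    }
    # Expected KB and minimum driver version per build; $min is $null where the article gives no version.
    if     ($build -eq '26100' -and $isSrv) { $kb = 'KB5081246'; $min = $null }
    elseif ($build -eq '26100')             { $kb = 'KB5081245'; $min = [version]'10.0.26100.4725' }
    elseif ($build -eq '22631')             { $kb = 'KB5081244'; $min = [version]'10.0.22621.5812' }
    elseif ($build -eq '19045')             { $kb = 'KB5081243'; $min = $null }
    elseif ($build -eq '20348')             { $kb = 'KB5081242'; $min = $null }
    else                                    { $kb = $null;       $min = $null }
    $kbPresent = if ($kb)            { [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue) }
    $verOk     = if ($min -and $ver) { $ver -ge $min }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Build      = $build
        LldpState  = if ($svc) { $svc.State } else { 'NotInstalled' }
        StartMode  = if ($svc) { $svc.StartMode }
        ExpectedKB = $kb
        KBPresent  = $kbPresent
        DriverVer  = $ver
        DriverOk   = $verOk
        # Exposed: LLDP is running and neither the KB nor the driver version confirms the fix.
        Exposed    = [bool]($svc -and $svc.State -eq 'Running' -and -not ($kbPresent -or $verOk))
    }
}

# Run locally without WinRM when the only target is this machine; otherwise fan out over remoting.
$results = foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME) { & $Audit } else { Invoke-Command -ComputerName $c -ScriptBlock $Audit }
}
$results | Format-Table Computer, Build, LldpState, StartMode, ExpectedKB, KBPresent, DriverOk, Exposed -AutoSize
```

Hosts flagged Exposed are candidates for the Stop-Service / Set-Service workaround above until the cumulative update lands; an Unknown build (no ExpectedKB) means the script has no article data for that OS and the host needs a manual check.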
If your network hardware relies on LLDP for dynamic VLAN assignment, test the update in a staging environment first. The protocol’s core behaviour is unchanged, but the stricter TLV parsing could surface interoperability problems with older switches that send non-compliant frames. So far, no vendor has reported such an issue, but a quick lab test before broad rollout is prudent.
Looking Ahead
The May 2026 Patch Tuesday addressed a total of 73 CVEs, with CVE-2026-34341 being the only elevation-of-privilege bug rated Important in the LLDP stack. Microsoft also resolved a critical remote code execution flaw in the Windows DNS Server (CVE-2026-34350) and several spoofing vulnerabilities in the Microsoft Edge browser. As always, patch prioritisation starts with bugs that carry a known attack vector and low complexity. This LLDP double-free checks both boxes.
While no in-the-wild exploitation has been reported yet, the public disclosure of technical details after Patch Tuesday often triggers a race between defenders and threat actors to weaponise the bug. Organisations that defer patching for more than a week are playing a dangerous game. The fix is simple, the impact is severe, and the window of opportunity for attackers is closing by the hour.