CVE-2026-40382 Overview
CVE-2026-40382 is a use-after-free vulnerability [CWE-416] in the Windows Telephony Service that allows an authorized local attacker to elevate privileges. The flaw affects a broad range of Microsoft Windows client and server releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Windows Server 2025. Successful exploitation enables an authenticated user to execute code in a higher-privileged context on the local host. Microsoft published the advisory on May 12, 2026, and no public exploit code or in-the-wild activity has been confirmed at the time of writing.
Critical Impact
An authenticated local attacker can exploit a freed memory object in the Telephony Service to gain elevated privileges with high impact to confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and ARM64
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and ARM64
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-05-12 - CVE-2026-40382 published to NVD by Microsoft
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-40382
Vulnerability Analysis
The vulnerability resides in the Windows Telephony Service, the component that services Telephony Application Programming Interface (TAPI) requests from user-mode clients. A use-after-free condition occurs when the service references a heap object after it has been deallocated. An authorized local user can trigger the freed-object path through crafted TAPI requests and then reclaim the memory with attacker-controlled data.
When the service dereferences the dangling pointer, it operates on the attacker-supplied content. This produces controlled memory corruption inside the service process, which runs at a higher privilege level than the calling user. The result is local privilege escalation with high confidentiality, integrity, and availability impact.
Root Cause
The defect is classified under [CWE-416] Use After Free. The Telephony Service does not properly invalidate or synchronize a pointer to a heap object after the object is released. Concurrent or sequential operations on the same handle allow the freed object to be referenced, enabling memory reuse before the dangling reference is consumed.
Attack Vector
Exploitation requires local access and valid credentials on the target host. No user interaction is needed. An attacker with a standard user account can invoke the vulnerable Telephony Service interface, win the race to reclaim the freed allocation, and steer execution within the service. Successful exploitation yields code execution at the service privilege level, which is typically SYSTEM.
No verified proof-of-concept code is published. See the Microsoft CVE-2026-40382 Advisory for vendor technical details.
Detection Methods for CVE-2026-40382
Indicators of Compromise
- Unexpected crashes, restarts, or Windows Error Reporting events from the TapiSrv service or the hosting svchost.exe instance running the Telephony Service group.
- New child processes spawned from the Telephony Service svchost.exe running as NT AUTHORITY\SYSTEM following activity by a non-administrative user.
- Standard user accounts loading or interacting with tapi32.dll or tapisrv.dll in unusual sequences shortly before privilege changes on the host.
Detection Strategies
- Hunt for process lineage where a non-privileged user session is followed by a SYSTEM-level process spawned from the Telephony Service host.
- Correlate Service Control Manager events (Event IDs 7031, 7034) for the Telephony Service with local logon activity from standard users.
- Monitor for handle and memory anomalies in tapisrv.dll using endpoint behavioral telemetry that captures use-after-free exploitation patterns such as heap spraying or rapid allocation/free cycles.
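A hunt implementing the first two strategies above, added here as an example and not part of the advisory: it lists Sysmon process-creation events (Event ID 1) for children of the svchost.exe instance whose command line names tapisrv that were created as NT AUTHORITY\SYSTEM, and Service Control Manager crash events (7031/7034) for the Telephony service in the same window. It assumes Sysmon is installed with process-creation logging enabled and an elevated PowerShell session; the function names are assumptions.

```powershell
# Added example (not from the advisory). Requires Sysmon process-creation logging
# and an elevated PowerShell session. Function names are assumptions.

function Get-TapiSrvSystemChildren {
    # Children of the Telephony Service host (svchost.exe whose command line names
    # tapisrv) created as NT AUTHORITY\SYSTEM. Such children are unusual, so each
    # hit deserves a manual look at the standard-user activity that preceded it.
    param([int]$LookbackHours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable.
        $data = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data.ParentImage -notlike '*\svchost.exe')   { continue }
        if ($data.ParentCommandLine -notmatch 'tapisrv')  { continue }
        if ($data.User -ne 'NT AUTHORITY\SYSTEM')         { continue }
        [pscustomobject]@{
            TimeCreated       = $e.TimeCreated
            Image             = $data.Image
            CommandLine       = $data.CommandLine
            ParentProcessId   = $data.ParentProcessId
            ParentCommandLine = $data.ParentCommandLine
        }
    }
}

function Get-TapiSrvCrashEvents {
    # Service Control Manager 7031/7034 records for the Telephony service. A failed
    # exploitation attempt commonly surfaces as a service crash before any success.
    param([int]$LookbackHours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'telephony' } |
        Select-Object TimeCreated, Id, Message
}

Get-TapiSrvCrashEvents    | Format-Table -AutoSize -Wrap
Get-TapiSrvSystemChildren | Format-Table -AutoSize -Wrap
```

Forward both result sets to the central analytics platform and join them with Security 4624 interactive logons from standard users on the same host to complete the lineage correlation described above.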
Monitoring Recommendations
- Enable and forward Windows Security, System, and Sysmon process-creation logs to a centralized analytics platform for cross-host correlation.
- Alert on token elevation or SeDebugPrivilege acquisition by accounts that previously held only standard user rights.
- Track invocations of the Telephony Service Remote Procedure Call (RPC) interface by accounts that do not normally use telephony features.
How to Mitigate CVE-2026-40382
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-40382 Advisory to all affected Windows client and server systems.
- Prioritize patching of multi-user systems, jump hosts, Remote Desktop Session Hosts, and Virtual Desktop Infrastructure where local users routinely operate.
- Audit local account privileges and remove unnecessary interactive logon rights to reduce the pool of users able to invoke the vulnerable interface.
Patch Information
Microsoft has issued cumulative updates covering all supported branches listed in the affected products. Refer to the Microsoft CVE-2026-40382 Advisory for the specific Knowledge Base article and build numbers that apply to each Windows version. Out-of-support releases require Extended Security Updates (ESU) to receive the fix.
Workarounds
- Where the Telephony Service is not required, set the TapiSrv service to Disabled using Group Policy or sc.exe config tapisrv start= disabled and stop the running service.
- Restrict local logon and Remote Desktop access to administrators only on servers that do not require interactive user sessions.
- Apply application control policies to block unsigned or unexpected binaries from being executed by standard user accounts pending patch deployment.
# Configuration example: disable Telephony Service on hosts that do not require it
# Run from an elevated (administrator) PowerShell session.
sc.exe stop tapisrv
sc.exe config tapisrv start= disabled
# Confirm the change: START_TYPE should report 4 DISABLED
sc.exe qc tapisrv
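A reversible form of the workaround above, added here as an example and not part of the advisory: it records the current TapiSrv start type before disabling and stopping the service, verifies the result, and restores the saved start type with -Restore once the update has been applied. It assumes an elevated PowerShell session; the function name and the state-file path are assumptions.

```powershell
# Added example (not from the advisory). Saves the prior TapiSrv start type so the
# workaround can be undone after patching. Run from an elevated session.
# The function name and state-file path are assumptions.
function Set-TapiSrvWorkaround {
    param(
        [switch]$Restore,
        [string]$StateFile = "$env:ProgramData\tapisrv-workaround.json"
    )
    $svc = Get-Service -Name tapisrv -ErrorAction Stop
    if ($Restore) {
        if (-not (Test-Path $StateFile)) { throw "No saved state found at $StateFile" }
        $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
        # Put the start type back as it was; the service is left stopped until needed.
        Set-Service -Name tapisrv -StartupType $saved.StartType
        Remove-Item -Path $StateFile
    } else {
        # Save the prior state once; do not overwrite it if the workaround was already applied.
        if (-not (Test-Path $StateFile)) {
            @{ StartType = [string]$svc.StartType; Saved = (Get-Date).ToString('o') } |
                ConvertTo-Json | Set-Content -Path $StateFile
        }
        Set-Service -Name tapisrv -StartupType Disabled
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name tapisrv -Force }
    }
    # Verify and report the resulting state.
    Get-Service -Name tapisrv | Select-Object Name, Status, StartType
}

Set-TapiSrvWorkaround           # apply: expect Status Stopped, StartType Disabled
# Set-TapiSrvWorkaround -Restore  # after patching: restore the saved start type
```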
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.