CVE-2026-40405 Overview
CVE-2026-40405 is a null pointer dereference vulnerability [CWE-476] in the Microsoft Windows TCP/IP networking stack. An unauthenticated remote attacker can send crafted network traffic to a vulnerable host and trigger a denial of service condition. The flaw affects current Windows 11 feature updates and Windows Server 2025. Exploitation requires no privileges and no user interaction, and the attack vector is the network. The vulnerability impacts availability only, leaving confidentiality and integrity untouched. Microsoft published an advisory through the Microsoft Security Response Center update guide.
Critical Impact
A remote, unauthenticated attacker can crash or hang the Windows TCP/IP stack, taking affected endpoints and servers offline until the system is restarted.
Affected Products
- Microsoft Windows 11 24H2 (arm64, x64)
- Microsoft Windows 11 25H2 (arm64, x64)
- Microsoft Windows 11 26H1 (arm64, x64) and Windows Server 2025
Discovery Timeline
- 2026-05-12 - CVE-2026-40405 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-40405
Vulnerability Analysis
The vulnerability resides in the Windows TCP/IP driver responsible for processing inbound network packets. A code path dereferences a pointer that can be NULL under specific protocol states, producing a kernel-mode access violation. When the access violation occurs in tcpip.sys, the operating system bugchecks and the host becomes unavailable. Because the affected component handles packets before authentication, exposure extends to any interface reachable by the attacker. The flaw belongs to the denial of service class and does not enable code execution, privilege escalation, or data disclosure. The EPSS probability is 0.156% at the time of publication, reflecting a low observed exploitation likelihood despite straightforward network reachability.
Root Cause
The defect is a missing null check before dereferencing a pointer to a protocol state structure inside the kernel TCP/IP stack. When a malformed or unexpected packet sequence arrives, the structure is not initialized along the dereferenced path. Windows kernel-mode null dereferences raise a KERNEL_MODE_EXCEPTION_NOT_HANDLED or IRQL_NOT_LESS_OR_EQUAL bugcheck, halting the host.
Attack Vector
The attacker sends crafted IP packets to any open or listening network interface on the target. No authentication, no user interaction, and no prior foothold are required. The condition can be triggered remotely across routed networks where the host is reachable, including externally exposed cloud workloads running Windows Server 2025. See the Microsoft Security Update Guide for CVE-2026-40405 for protocol-level details.
No public proof-of-concept exploit code is available. A technical description in prose is provided in lieu of synthetic exploit examples.
Detection Methods for CVE-2026-40405
Indicators of Compromise
- Unexpected Windows bugchecks referencing tcpip.sys in memory dumps or Minidump files under C:\Windows\Minidump.
- Event ID 1001 (BugCheck) and Event ID 41 (Kernel-Power) clusters in the System event log following inbound network activity.
- Sudden loss of network responsiveness from internet-exposed Windows Server 2025 hosts followed by automatic reboot.
Detection Strategies
- Correlate kernel crash telemetry with preceding inbound traffic spikes or anomalous packet patterns at the perimeter.
- Hunt for repeated host reboots across Windows 11 24H2, 25H2, 26H1, and Windows Server 2025 fleets within short time windows.
- Inspect IDS/IPS logs for malformed TCP, IPv6 extension header, or fragmented packet alerts targeting affected hosts.
Monitoring Recommendations
- Forward Windows System and Application event logs to a central SIEM and alert on bugcheck events.
- Monitor uptime metrics for unplanned restarts on critical Windows Server 2025 systems.
- Track patch deployment status against the affected windows_11_24h2, windows_11_25h2, windows_11_26h1, and windows_server_2025 CPEs.
How to Mitigate CVE-2026-40405
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-40405 to all affected Windows 11 and Windows Server 2025 systems.
- Prioritize internet-facing hosts and domain-joined servers, where reachability and impact are highest.
- Validate that endpoint patch compliance reporting includes the affected CPE entries for Windows 11 24H2, 25H2, 26H1, and Windows Server 2025.
Patch Information
Microsoft addresses CVE-2026-40405 through its monthly security update channel. Refer to the Microsoft Security Update Guide entry for CVE-2026-40405 for the specific KB articles, build numbers, and offline update packages applicable to each affected SKU and architecture.
Workarounds
- Restrict inbound network access to vulnerable hosts using host firewalls and network ACLs until patches are applied.
- Place affected Windows Server 2025 systems behind a filtering device that drops malformed or anomalous IP traffic.
- Disable unused network protocols and adapters to reduce the exposed attack surface of the TCP/IP stack.
# Example: block inbound traffic from untrusted segments on a Windows host until patched
New-NetFirewallRule -DisplayName "Mitigate CVE-2026-40405" -Direction Inbound -RemoteAddress "0.0.0.0/0" -Action Block -Profile Any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
