CVE-2026-40413 Overview
CVE-2026-40413 is a null pointer dereference vulnerability in the Microsoft Windows TCP/IP networking stack. An unauthorized attacker on an adjacent network can trigger the flaw to deny service to the affected host. The issue is tracked under CWE-476: NULL Pointer Dereference and affects a wide range of supported Windows client and server releases. No authentication or user interaction is required for exploitation, and the scope is changed because the impact extends beyond the vulnerable component to the host's network availability.
Critical Impact
A successful exploit causes a denial-of-service condition in the Windows networking stack, disrupting availability on every supported Windows 10, Windows 11, and Windows Server release listed in the Microsoft advisory.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1)
- Microsoft Windows Server 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-05-12 - CVE-2026-40413 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-40413
Vulnerability Analysis
The vulnerability resides in the Windows TCP/IP driver, which processes packets at kernel level for IPv4 and IPv6 traffic. A specific input condition causes the driver to dereference a pointer that has not been initialized or has been set to NULL. When the dereference occurs in kernel context, the operating system raises a bug check and halts. The result is a system crash rather than memory corruption or code execution. Because the TCP/IP stack handles untrusted packets directly, an attacker only needs network reachability on the same logical segment to deliver the malformed traffic. The flaw is classified as [CWE-476] and carries an EPSS probability of 0.141% as of 2026-05-17.
Root Cause
The defect is a missing validation step before the driver dereferences a pointer derived from incoming network data. When a crafted packet places the code path into an unexpected state, the pointer remains NULL, and the subsequent read or write triggers a kernel access violation. Microsoft has not published low-level technical detail beyond confirming the null pointer dereference classification.
Attack Vector
The attack vector is adjacent network, meaning the attacker must be positioned on the same broadcast domain, VLAN, or logical link as the target. Exploitation requires no privileges and no user interaction. The attacker sends one or more crafted packets to the target's TCP/IP stack, which causes the driver to dereference a NULL pointer and bug check the host. Repeated transmission can keep the target unavailable for the duration of the attack.
No verified proof-of-concept code is publicly available. Refer to the Microsoft CVE-2026-40413 Advisory for vendor guidance.
Detection Methods for CVE-2026-40413
Indicators of Compromise
- Unexpected BSOD events with bug check codes referencing tcpip.sys in the Windows kernel crash logs.
- System event log entries showing EventID 1001 (BugCheck) clustered across hosts on the same VLAN.
- Sudden loss of network responsiveness on multiple adjacent hosts within a short time window.
Detection Strategies
- Monitor endpoint telemetry for kernel crashes attributing the faulting module to tcpip.sys and correlate with inbound network traffic immediately before the crash.
- Inspect network sensor data for anomalous IPv4 or IPv6 packets, including malformed option fields and unusual fragmentation patterns, sourced from a single adjacent host.
- Baseline expected Layer 2 traffic per segment and alert on traffic spikes from unmanaged or untrusted MAC addresses.
Monitoring Recommendations
- Forward Windows Memory.dmp minidumps and Event Log channels to a centralized analytics pipeline for crash correlation.
- Enable NetFlow or sFlow on access-layer switches to identify the source of suspicious adjacent-network traffic.
- Track patch compliance for the May 2026 Microsoft security update across all Windows 10, Windows 11, and Windows Server assets.
How to Mitigate CVE-2026-40413
Immediate Actions Required
- Apply the May 2026 security update from the Microsoft CVE-2026-40413 Advisory to all affected Windows 10, Windows 11, and Windows Server hosts.
- Prioritize patching of internet-exposed jump hosts, domain controllers, and systems sharing broadcast domains with untrusted endpoints.
- Audit network segmentation to confirm that guest, IoT, and BYOD networks cannot reach production Windows hosts at Layer 2.
Patch Information
Microsoft has released fixes through the standard Windows Update channel for every affected SKU listed in the advisory. Administrators should deploy the cumulative update that corresponds to each operating system version. Validate patch installation by checking the winver build number against Microsoft's published fixed build for the May 2026 release cycle.
Workarounds
- Enforce strict VLAN segmentation and private VLAN isolation to limit which hosts share a broadcast domain with sensitive Windows systems.
- Deploy switch-level controls such as DHCP snooping, ARP inspection, and port security to reduce the likelihood of rogue adjacent attackers.
- Where patching must be delayed, consider host-based firewall rules that restrict inbound IPv6 and uncommon IPv4 protocols from untrusted segments.
# Verify Windows build and confirm the May 2026 cumulative update is installed
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
(Get-CimInstance Win32_OperatingSystem).Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
