Windows TCP/IP Elevation of Privilege Vulnerability

Plan PatchCVSS 7.8CVE-2026-40399May 12, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Stack-based buffer overflow in the Windows TCP/IP networking subsystem allows a local user with restricted privileges to escalate to administrative level. The vulnerability exists in all versions of Windows 10 (1607, 1809, 21H2, 22H2) and Windows Server (2016, 2019, 2022, 2025), as well as all Windows 11 versions. Microsoft has released patches for all affected product lines. Exploitation is less likely in the wild but straightforward for an attacker with local system access.

What this means

What could happen

A user with local access could exploit this Windows TCP/IP flaw to gain administrative privileges on the system, potentially enabling them to reconfigure HMIs, modify process setpoints, or disable safety features on networked control systems.

Who's at risk

This vulnerability affects Windows 10 and Windows Server systems (2016, 2019, 2022, 2025) running across all supported versions and architectures. It is relevant to any facility using Windows-based human-machine interfaces (HMIs), data logging systems, engineering workstations, or remote terminal unit (RTU) gateways that require local user accounts or support interactive sessions.

How it could be exploited

An attacker with a user account on the Windows system exploits a stack buffer overflow in the TCP/IP stack by sending crafted packets or making local system calls. This allows them to execute code with administrative privileges without further authentication.

Prerequisites

Local user account on the Windows system
Low complexity exploit; no special network access required

Low complexity local exploitationRequires local user account (not remotely exploitable as a 0-day)Affects a core OS component (TCP/IP stack)Could escalate privileges on critical control system host

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (27)

27 with fix

ProductAffected VersionsFix Status

Windows 10 Version 1809 for 32-bit SystemsAll versionsBuild 10.0.17763.8755

Windows 10 Version 1809 for x64-based SystemsAll versionsBuild 10.0.17763.8755

Windows Server 2019All versionsBuild 10.0.17763.8755

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8755

Windows Server 2022All versionsBuild 10.0.20348.5139

Remediation & Mitigation

0/9

Do now

0/1

WORKAROUNDImplement local host-based firewall rules to restrict inter-process communication if your OT devices do not require peer-to-peer TCP/IP traffic

Schedule — requires maintenance window

0/7

Patching may require device reboot — plan for process interruption

Windows Server 2019

HOTFIXUpdate Windows Server 2019 to Build 10.0.17763.8755 or later

Windows Server 2022

HOTFIXUpdate Windows Server 2022 to Build 10.0.20348.5139 or later

Windows Server 2025

HOTFIXUpdate Windows Server 2025 to Build 10.0.26100.32860 or later

All products

HOTFIXUpdate Windows 10 Version 1809 (32-bit and x64) to Build 10.0.17763.8755 or later

HOTFIXUpdate Windows 10 Version 21H2 to Build 10.0.19044.7291 or later (32-bit, ARM64, x64)

HOTFIXUpdate Windows 10 Version 22H2 to Build 10.0.19045.7291 or later (all architectures)

HOTFIXUpdate Windows 11 (all versions: 23H2, 24H2, 25H2, 26H1) to their respective fixed builds

Long-term hardening

0/1

HARDENINGRestrict local system access to trusted engineering and operations staff only; disable unnecessary user accounts

CVEs (1)

CVE-2026-40399

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8c15556e-78b0-4962-a7d4-6cb6203c7eb1

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.