Windows TCP/IP Remote Code Execution Vulnerability
Plan Patch · CVSS 8.1 · CVE-2026-40415 · May 12, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A use-after-free vulnerability in the Windows TCP/IP stack allows an attacker on the network to send specially crafted packets and execute code remotely without authentication. The vulnerability affects Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2019, 2022, and 2025 on all architectures (32-bit, x64, ARM64). Exploitation is currently assessed as unlikely, but a security update is available.
What this means
What could happen
An attacker on the network could send specially crafted TCP/IP packets to a vulnerable Windows system, potentially allowing remote code execution with the same privileges as the TCP/IP stack. This could enable an attacker to disrupt network operations or compromise any system relying on that Windows machine for OT connectivity.
Who's at risk
Windows system administrators responsible for any Windows 10, Windows 11, Windows Server 2019, 2022, or 2025 deployments in or connected to OT networks. This includes engineering workstations, HMI servers, historian systems, and any Windows-based data acquisition or control interfaces in water utilities, electric utilities, or other critical infrastructure.
How it could be exploited
An attacker sends a malformed TCP/IP packet from the network to the target Windows system. The TCP/IP stack processes the packet and triggers a use-after-free memory error, allowing the attacker to inject and execute arbitrary code on the host without authentication.
Prerequisites
- Network-level access to the target Windows system on the TCP/IP layer (no higher-level service credentials needed)
- No user interaction required
remotely exploitable · no authentication required · low complexity · affects network infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (23)
23 with fix
Product · Affected Versions · Fix Status
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Apply Microsoft's May 2026 security update (or later) to all affected Windows versions:
- Build 10.0.17763.8755 for Windows 10 1809/Server 2019
- Build 10.0.20348.5139 for Server 2022
- Build 10.0.19044.7291 for Windows 10 21H2
- Build 10.0.19045.7291 for Windows 10 22H2
- Build 10.0.26100.32860 for Server 2025
- Build 10.0.26200.8457 for Windows 11 25H2
- Build 10.0.22631.7079 for Windows 11 23H2
- Build 10.0.25398.2330 for Server 2022 23H2
- Build 10.0.26100.8457 for Windows 11 24H2
- Build 10.0.28000.2113 for Windows 11 26H1
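The fixed builds listed above can be checked against an asset inventory export. The following is an added example, not part of the original advisory or any Microsoft tooling. It assumes that a revision at or above the listed one on the same build contains the fix; the CSV layout (host, version, is_server) and the host names are hypothetical.

```python
import csv
import io

# (build, is_server) -> minimum revision carrying the fix, per the advisory.
# Build 26100 is shared by Windows 11 24H2 and Server 2025 with different
# fixed revisions, so the product type has to be part of the key.
FIXED = {
    (17763, False): 8755,   # Windows 10 1809
    (17763, True): 8755,    # Server 2019
    (20348, True): 5139,    # Server 2022
    (19044, False): 7291,   # Windows 10 21H2
    (19045, False): 7291,   # Windows 10 22H2
    (26100, True): 32860,   # Server 2025
    (26200, False): 8457,   # Windows 11 25H2
    (22631, False): 7079,   # Windows 11 23H2
    (25398, True): 2330,    # Server 2022 23H2
    (26100, False): 8457,   # Windows 11 24H2
    (28000, False): 2113,   # Windows 11 26H1
}

def classify(version: str, is_server: bool) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a 10.0.<build>.<revision> string."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return "unknown"          # malformed or truncated inventory value
    major, minor, build, revision = map(int, parts)
    fixed = FIXED.get((build, is_server)) if (major, minor) == (10, 0) else None
    if fixed is None:
        return "unknown"          # build not listed in the advisory; review by hand
    return "patched" if revision >= fixed else "vulnerable"

def triage(inventory_csv: str) -> dict:
    """Map host -> status for a CSV with columns host,version,is_server (assumed layout)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["version"], r["is_server"].strip().lower() == "true") for r in rows}

# Constructed sample inventory (hypothetical host names and values).
SAMPLE = """host,version,is_server
hmi-01,10.0.19045.7291,false
hist-01,10.0.26100.8457,true
eng-ws-02,10.0.26100.8457,false
dc-01,10.0.20348.5100,true
legacy-01,10.0.14393.1,true
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown run a build the advisory does not list and need a manual check rather than being treated as unaffected.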
CVEs (1)