Skip to content
Threat Feed
high advisory

CVE-2026-40382 - Windows Telephony Service Use-After-Free Elevation of Privilege

CVE-2026-40382 is a use-after-free vulnerability in the Windows Telephony Service that allows an authorized attacker to elevate privileges locally.

A use-after-free vulnerability, CVE-2026-40382, exists within the Windows Telephony Service. This flaw enables a locally authenticated attacker to gain elevated privileges on a vulnerable system. The vulnerability stems from improper memory management within the Telephony Service, allowing for the potential execution of arbitrary code with elevated permissions. Exploitation requires an attacker to have valid credentials on the target system. This vulnerability was reported to Microsoft and assigned a CVSS v3.1 base score of 7.8. Successful exploitation leads to a complete compromise of the affected system.

Attack Chain

  1. An attacker gains initial access to the system with valid user credentials.
  2. The attacker executes a specially crafted application or script that interacts with the Windows Telephony Service.
  3. The crafted application triggers the use-after-free condition in the Telephony Service by improperly freeing a memory address.
  4. The attacker then reallocates the freed memory address with attacker-controlled data.
  5. The Telephony Service attempts to access the reallocated memory, now containing attacker-controlled data, leading to code execution.
  6. The attacker executes arbitrary code with elevated privileges, such as SYSTEM.
  7. The attacker installs malware, modifies system settings, or exfiltrates sensitive data.
  8. The attacker maintains persistent access to the compromised system.

Impact

Successful exploitation of CVE-2026-40382 allows a local attacker to elevate their privileges to SYSTEM, granting them complete control over the compromised system. This can lead to data theft, system corruption, or the installation of malware. Given the nature of the vulnerability, any Windows system running the vulnerable Telephony Service is susceptible, potentially impacting a large number of users and organizations.

Recommendation

  • Apply the security update released by Microsoft to address CVE-2026-40382 as soon as possible (Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40382).
  • Monitor for suspicious processes interacting with the Windows Telephony Service using the Sigma rule provided below to detect potential exploitation attempts.
  • Implement the provided Sigma rule to detect potential exploitation attempts through abnormal process creation events related to the Telephony Service.

Detection coverage 2

Detect CVE-2026-40382 Exploitation — Suspicious Process Launch via Telephony Service

high

Detects CVE-2026-40382 exploitation — detects abnormal process creation events related to the Telephony Service indicative of a use-after-free vulnerability exploit.

sigma tactics: privilege_escalation techniques: T1068, T1543.003 sources: process_creation, windows

Detect CVE-2026-40382 Exploitation — Telephony Service launching uncommon processes

medium

Detects CVE-2026-40382 exploitation — Telephony Service (TapiSrv) spawning unusual or malicious processes.

sigma tactics: privilege_escalation techniques: T1068, T1543.003 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →