CVE-2026-40405 - Windows TCP/IP Null Pointer Dereference DoS
CVE-2026-40405 describes a null pointer dereference vulnerability in Windows TCP/IP, allowing an unauthenticated attacker to cause a denial of service over a network.
CVE-2026-40405 is a denial-of-service vulnerability affecting the Windows TCP/IP stack. An unauthenticated, remote attacker can exploit this vulnerability to cause a null pointer dereference, leading to a denial-of-service condition on the affected system. The vulnerability resides within the Windows TCP/IP implementation and can be triggered by sending a specially crafted network packet. Microsoft has released a security update to address this vulnerability; defenders should apply the relevant patch as soon as feasible. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.
Attack Chain
- The attacker identifies a vulnerable Windows system exposed on the network.
- The attacker crafts a TCP/IP packet designed to reach the code path containing the null pointer dereference. The exact malformation is not disclosed in the advisory.
- The attacker sends the crafted packet to the target over the network. This page cites port 80 or 443, but Microsoft's advisory does not confirm a port requirement, and a flaw in the stack itself is in general reachable by any traffic the host processes; do not scope monitoring or filtering to those two ports alone.
- The Windows TCP/IP stack, running in kernel mode, parses the packet and dereferences the null pointer.
- Because the fault occurs in kernel mode, the outcome is typically a bugcheck (stop error) followed by a reboot, or a hung network stack, rather than a single crashed process.
- The target is unavailable until it recovers, and the attacker can resend the packet to keep it down. No authentication or user interaction is required.
Impact
Successful exploitation of CVE-2026-40405 results in a denial-of-service condition on the targeted Windows system. Network services on the host stop responding, legitimate users lose access, and if the host bugchecks and reboots, unsaved data in open applications and in-flight transactions may be lost. Every network-attached Windows host is exposed until patched, servers and workstations alike; the risk is highest for hosts reachable from untrusted networks.
Recommendation
- Apply the security update released by Microsoft to patch CVE-2026-40405. See the advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40405.
- Monitor network traffic for malformed TCP/IP packets and for bursts of TCP resets that may indicate exploitation attempts, using the detection rules listed under Detection coverage below.
- Use network intrusion detection and prevention systems (NIDS/NIPS) to identify and block malformed traffic before it reaches unpatched hosts, and prioritize patching for hosts that cannot be shielded this way.
- On the host side, treat unexplained reboots as a signal: a kernel-mode null pointer dereference leaves a BugCheck entry (Event ID 1001) and a Kernel-Power entry (Event ID 41) in the Windows System event log, so a cluster of these across network-exposed hosts after the advisory date warrants investigation.
Detection coverage (2 rules)
Detect CVE-2026-40405 Exploitation Attempt - Malformed TCP Packet
Level: medium. Detects CVE-2026-40405 exploitation attempts by identifying malformed TCP packets that may trigger a null pointer dereference.
Detect CVE-2026-40405 Exploitation Attempt - High Volume of TCP Resets
Level: low. Detects CVE-2026-40405 exploitation by identifying a sudden increase in TCP reset packets originating from a single host, potentially indicating a denial-of-service attempt.
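As an added example, not part of the original advisory and not the platform's rule logic, the following Python sketches the two heuristics the rule titles above describe: structural sanity checks on a raw TCP header (the "malformed TCP packet" rule) and a per-source sliding-window count of RST segments (the "high volume of TCP resets" rule). The specific checks, the threshold of 50 resets in 10 seconds, and the sample packets and events are all assumptions constructed for illustration; the packet shape that triggers CVE-2026-40405 is not disclosed on this page, so nothing here is a signature for the CVE itself.

```python
"""Added example: two generic detection heuristics matching the rule titles
above, run over constructed input. Not the platform's rules or Microsoft's
code. The structural checks and the RST threshold are assumptions; the
packet shape that triggers CVE-2026-40405 is not disclosed on this page,
so nothing below is a signature for the CVE itself.
"""
import struct
from collections import defaultdict, deque

# TCP flag bits in the low byte of the offset/flags word (RFC 9293)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_MIN_HEADER = 20


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; the caller checks the length first."""
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:TCP_MIN_HEADER])
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
        "flags": off_flags & 0x01FF,           # 9 flag bits (NS..FIN)
        "window": win, "checksum": csum, "urgent": urg,
    }


def malformed_reasons(segment: bytes) -> list:
    """Heuristic 1: structural sanity checks a NIDS would apply to a TCP
    segment. Returns an empty list for a well-formed header."""
    if len(segment) < TCP_MIN_HEADER:
        return ["truncated header"]
    h = parse_tcp_header(segment)
    reasons = []
    if h["data_offset"] < TCP_MIN_HEADER:
        reasons.append(f"data offset {h['data_offset']} < 20")
    elif h["data_offset"] > len(segment):
        reasons.append("data offset exceeds segment length")
    f = h["flags"]
    if f & TCP_SYN and f & TCP_FIN:
        reasons.append("SYN+FIN set together")
    if f & TCP_SYN and f & TCP_RST:
        reasons.append("SYN+RST set together")
    if (f & 0x3F) == 0:
        reasons.append("no flags set")
    if h["src_port"] == 0 or h["dst_port"] == 0:
        reasons.append("port 0")
    return reasons


def build_tcp(src_port: int, dst_port: int, flags: int,
              data_offset_words: int = 5, payload: bytes = b"") -> bytes:
    """Build a constructed TCP segment (checksum left at 0) for testing."""
    off_flags = (data_offset_words << 12) | flags
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 0, off_flags, 65535, 0, 0)
    return hdr + payload


def rst_burst_sources(events, threshold: int = 50, window: float = 10.0) -> set:
    """Heuristic 2: flag sources emitting >= threshold RST segments inside any
    sliding window of `window` seconds. events: (ts_seconds, src_ip, flags)."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, flags in sorted(events, key=lambda e: e[0]):
        if not flags & TCP_RST:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


# Constructed sample telemetry (RFC 5737 documentation addresses), not a real capture.
SAMPLE_EVENTS = (
    [(100.0 + i * 0.05, "198.51.100.7", TCP_RST | TCP_ACK) for i in range(60)]  # 60 RSTs in 3 s
    + [(100.0 + i * 12.0, "203.0.113.9", TCP_RST) for i in range(5)]            # 5 RSTs over 48 s
    + [(100.0 + i, "192.0.2.15", TCP_ACK) for i in range(200)]                  # benign ACKs
)

SAMPLE_SEGMENTS = {
    "normal SYN": build_tcp(40000, 445, TCP_SYN),
    "SYN+FIN": build_tcp(40001, 445, TCP_SYN | TCP_FIN),
    "short data offset": build_tcp(40002, 445, TCP_ACK, data_offset_words=3),
    "truncated": b"\x00" * 10,
}

if __name__ == "__main__":
    for name, seg in SAMPLE_SEGMENTS.items():
        print(f"{name:18s} -> {malformed_reasons(seg) or 'ok'}")
    print("RST burst sources:", rst_burst_sources(SAMPLE_EVENTS))
```

The RST heuristic is deliberately the weaker of the two, matching its low level above: a host that bugchecks stops answering altogether rather than emitting resets, so a burst of RSTs is at best a sign of scanning or of connections being torn down, and the threshold should be tuned against the baseline of the network it runs on.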