high advisory

CVE-2026-40410 - Windows SMB Client Use-After-Free Privilege Escalation

CVE-2026-40410 is a use-after-free vulnerability in the Windows SMB Client that allows an authorized attacker to elevate privileges locally.

CVE-2026-40410 is a use-after-free vulnerability affecting the Windows SMB Client. This vulnerability allows an attacker with local access and low privileges to elevate their privileges to SYSTEM. Successful exploitation could allow an attacker to execute arbitrary code with elevated permissions. As this vulnerability affects a core component of Windows networking, it is essential to deploy mitigations to prevent potential exploitation. The vulnerability was reported to Microsoft and assigned a CVSS v3.1 score of 7.0 (HIGH).

Attack Chain

  1. An attacker gains initial access to a system with a valid, low-privileged account.
  2. The attacker crafts a malicious SMB request designed to trigger the use-after-free vulnerability in the Windows SMB Client.
  3. The attacker executes code that interacts with the SMB client, triggering the vulnerability.
  4. The SMB client attempts to access a memory location that has already been freed, leading to a crash or controlled code execution.
  5. The attacker leverages the controlled code execution to overwrite critical system data structures.
  6. The attacker elevates their privileges to SYSTEM by manipulating security tokens or other access control mechanisms.
  7. The attacker executes arbitrary code with elevated privileges.

Impact

Successful exploitation of CVE-2026-40410 allows a local attacker to escalate privileges from low-privileged to SYSTEM. This can lead to complete system compromise, including data theft, installation of malware, and disruption of services. The scope of impact is limited to systems where the attacker has local access, but successful exploitation could have severe consequences on affected machines.

Recommendation

  • Apply the security update released by Microsoft to patch CVE-2026-40410 (reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40410).
  • Enable Sysmon process creation logging to monitor for unusual processes being spawned by the SMB client.
  • Deploy the Sigma rules in this brief to your SIEM to detect potential exploitation attempts.

Detection coverage (2 rules)

Detect CVE-2026-40410 Exploitation Attempt - Suspicious SMBClient.sys Process Creation

high

Detects a CVE-2026-40410 exploitation attempt by monitoring for suspicious process creation events where the parent process is SMBClient.sys.

Format: Sigma | Tactics: defense_evasion, privilege_escalation | Techniques: T1068 | Sources: process_creation, windows

Detect CVE-2026-40410 Exploitation Attempt - Abnormal DLL loading by SMBClient.sys

medium

Detects CVE-2026-40410 exploitation via suspicious DLL loading events initiated by SMBClient.sys.

Format: Sigma | Tactics: privilege_escalation | Techniques: T1574.002 | Sources: image_load, windows
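The two detections above, expressed as a small matcher run over constructed Sysmon-style events. This is an added illustration, not the platform's rule text: field names follow Sysmon Event ID 1 (process_creation) and Event ID 7 (image_load), the image names are taken from the rule descriptions as given, and the System32 exclusion on the image_load rule is an assumption about what "abnormal" means.

```python
# Added example: evaluates the two CVE-2026-40410 detections described in this
# brief over constructed Sysmon-style events. Not the platform's own rules.
from dataclasses import dataclass, field


def _endswith(value, suffix):
    # Sigma string matching is case-insensitive by default.
    return value.lower().endswith(suffix.lower())


@dataclass
class Rule:
    title: str
    level: str
    category: str                  # Sigma logsource category
    selection: dict                # field -> required suffix (Sigma 'endswith')
    filter: dict = field(default_factory=dict)  # field -> prefix to exclude

    def matches(self, event):
        if event.get("category") != self.category:
            return False
        if not all(_endswith(event.get(f, ""), s) for f, s in self.selection.items()):
            return False
        # condition: selection and not filter
        return not any(event.get(f, "").lower().startswith(p.lower())
                       for f, p in self.filter.items())


RULES = [
    Rule("CVE-2026-40410 - Suspicious SMBClient.sys Process Creation", "high",
         "process_creation", {"ParentImage": "\\SMBClient.sys"}),
    Rule("CVE-2026-40410 - Abnormal DLL loading by SMBClient.sys", "medium",
         "image_load", {"Image": "\\SMBClient.sys"},
         {"ImageLoaded": "C:\\Windows\\System32\\"}),  # assumed exclusion
]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"category": "process_creation", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\drivers\\SMBClient.sys"},
    {"category": "process_creation", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"category": "image_load", "Image": "C:\\Windows\\System32\\drivers\\smbclient.sys",
     "ImageLoaded": "C:\\Users\\Public\\unexpected.dll"},
    {"category": "image_load", "Image": "C:\\Windows\\System32\\drivers\\smbclient.sys",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
]


def run_rules(events, rules=RULES):
    """Return (level, title, event index) for every rule hit."""
    return [(r.level, r.title, i) for i, e in enumerate(events) for r in rules if r.matches(e)]


if __name__ == "__main__":
    for level, title, idx in run_rules(SAMPLE_EVENTS):
        print(f"[{level}] {title}: event {idx}")
```

Events 0 and 2 fire (high and medium respectively); event 3 is suppressed by the System32 exclusion. Sysmon's ParentImage and Image fields carry user-mode executable paths, so validate these matches against your own telemetry before relying on them.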
