{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/tcp/ip/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40405"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TCP/IP"],"_cs_severities":["medium"],"_cs_tags":["dos","cve","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40405 is a denial-of-service vulnerability affecting the Windows TCP/IP stack. An unauthenticated, remote attacker can exploit this vulnerability to cause a null pointer dereference, leading to a denial-of-service condition on the affected system. The vulnerability resides within the Windows TCP/IP implementation and can be triggered by sending a specially crafted network packet. Microsoft has released a security update to address this vulnerability; defenders should apply the relevant patch as soon as feasible. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Windows system exposed on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious TCP/IP packet specifically designed to trigger the null pointer dereference.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted packet to the target system over the network (port 80 or 443).\u003c/li\u003e\n\u003cli\u003eThe Windows TCP/IP stack processes the packet.\u003c/li\u003e\n\u003cli\u003eThe malicious packet triggers a null pointer dereference within the TCP/IP stack\u0026rsquo;s code.\u003c/li\u003e\n\u003cli\u003eThe null pointer dereference causes the system to crash or become unresponsive.\u003c/li\u003e\n\u003cli\u003eThe target system experiences a denial-of-service condition, disrupting network services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40405 results in a denial-of-service condition on the targeted Windows system. This can disrupt network services, prevent legitimate users from accessing resources, and potentially cause data loss. Given the nature of the vulnerability, any Windows system using TCP/IP may be affected until patched, impacting both servers and workstations in various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-40405. See the advisory at \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40405\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40405\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious or malformed TCP/IP packets that may be indicative of exploitation attempts using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eConsider using network intrusion detection systems (NIDS) to identify and block malicious traffic targeting CVE-2026-40405.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:47:30Z","date_published":"2026-05-12T18:47:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40405/","summary":"CVE-2026-40405 describes a null pointer dereference vulnerability in Windows TCP/IP, allowing an unauthenticated attacker to cause a denial of service over a network.","title":"CVE-2026-40405 - Windows TCP/IP Null Pointer Dereference DoS","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40405/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-40399"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TCP/IP"],"_cs_severities":["high"],"_cs_tags":["privilege escalation","buffer overflow","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40399 is a stack-based buffer overflow vulnerability within the Windows TCP/IP protocol stack. This vulnerability allows an attacker with local access and valid credentials to elevate their privileges on the targeted system. Exploitation requires an attacker to be authenticated on the system, reducing the attack surface compared to unauthenticated remote code execution vulnerabilities. Microsoft has assigned this CVE a CVSS v3.1 score of 7.8, indicating a high severity. Successful exploitation results in a complete compromise of the affected system due to the privilege escalation achieved.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated local access to a vulnerable Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious TCP/IP packet or series of packets.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted packets to the local system via a socket.\u003c/li\u003e\n\u003cli\u003eThe Windows TCP/IP stack processes the malicious packet(s), triggering the buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent stack memory, including return addresses and function pointers.\u003c/li\u003e\n\u003cli\u003eThe attacker redirects control flow to attacker-controlled code or ROP gadgets.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with elevated privileges (SYSTEM).\u003c/li\u003e\n\u003cli\u003eThe attacker performs privileged actions, such as installing malware, modifying system settings, or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40399 allows a local attacker to escalate their privileges to SYSTEM. This results in complete control over the compromised system. The impact includes unauthorized data access, modification of system configuration, installation of malicious software, and lateral movement within the network if the compromised system has network connectivity. The vulnerability affects any system where a user has local access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-40399 as soon as possible (reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40399)\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40399)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual network activity originating from processes running with elevated privileges, using process_creation and network_connection logs.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious Network Activity from Elevated Processes\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to detect unusual processes being spawned by the network service (logsource: process_creation).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:46:38Z","date_published":"2026-05-12T18:46:38Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40399-tcpip-privesc/","summary":"CVE-2026-40399 is a stack-based buffer overflow vulnerability in the Windows TCP/IP stack, allowing an authenticated local attacker to elevate privileges.","title":"CVE-2026-40399 - Windows TCP/IP Stack-Based Buffer Overflow Local Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40399-tcpip-privesc/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-33837"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TCP/IP"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","buffer-overflow","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-33837 describes a heap-based buffer overflow vulnerability present in the TCP/IP stack of Microsoft Windows. An attacker who has already gained local access to a system can exploit this flaw to escalate their privileges. The vulnerability stems from improper memory management within the TCP/IP driver when handling network packets. Successful exploitation allows an attacker to execute arbitrary code with elevated privileges. This poses a significant risk to system integrity and confidentiality, potentially granting attackers full control over the compromised machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial local access to a Windows system through legitimate means or exploiting another vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious network packet designed to trigger the heap-based buffer overflow in the TCP/IP stack.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted packet to the vulnerable system, targeting a specific TCP/IP port.\u003c/li\u003e\n\u003cli\u003eThe Windows TCP/IP driver receives the packet and attempts to process it, allocating memory on the heap.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the allocated buffer is too small to hold the incoming data, resulting in a heap-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow allows the attacker to overwrite adjacent memory regions on the heap, including critical system data structures.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites function pointers or other sensitive data to redirect program execution to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with elevated privileges, granting them complete control over the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33837 allows a local attacker to escalate privileges to SYSTEM level. This can lead to a complete compromise of the affected system, including data theft, installation of malware, and lateral movement within the network. Given the widespread use of Windows, this vulnerability poses a significant risk to organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-33837 (reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33837)\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33837)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected processes spawned by the \u003ccode\u003eSystem\u003c/code\u003e account (see example Sigma rule below).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:20:05Z","date_published":"2026-05-12T18:20:05Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-33837/","summary":"CVE-2026-33837 is a heap-based buffer overflow vulnerability in the Windows TCP/IP stack that allows an authenticated local attacker to elevate privileges.","title":"CVE-2026-33837 - Windows TCP/IP Heap-Based Buffer Overflow for Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-33837/"}],"language":"en","title":"CraftedSignal Threat Feed — TCP/IP","version":"https://jsonfeed.org/version/1.1"}