{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-smb-client/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-40410"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows SMB Client"],"_cs_severities":["high"],"_cs_tags":["cve","vulnerability","smb","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40410 is a use-after-free vulnerability affecting the Windows SMB Client. This vulnerability allows an attacker with local access and low privileges to elevate their privileges to SYSTEM. Successful exploitation could allow an attacker to execute arbitrary code with elevated permissions. As this vulnerability affects a core component of Windows networking, it is essential to deploy mitigations to prevent potential exploitation. 
The vulnerability was reported to Microsoft and assigned a CVSS v3.1 score of 7.0 (HIGH).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with a valid, low-privileged account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SMB request designed to trigger the use-after-free vulnerability in the Windows SMB Client.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code that interacts with the SMB client, triggering the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe SMB client attempts to access a memory location that has already been freed, leading to a crash or controlled code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the controlled code execution to overwrite critical system data structures.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates their privileges to SYSTEM by manipulating security tokens or other access control mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code with elevated privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40410 allows a local attacker to escalate privileges from low-privileged to SYSTEM. This can lead to complete system compromise, including data theft, installation of malware, and disruption of services. 
The scope of impact is limited to systems where the attacker has local access, but successful exploitation could have severe consequences on affected machines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-40410 (reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40410\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40410\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to monitor for unusual processes being spawned by the SMB client.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:57:30Z","date_published":"2026-05-12T18:57:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40410-smb-privesc/","summary":"CVE-2026-40410 is a use-after-free vulnerability in the Windows SMB Client that allows an authorized attacker to elevate privileges locally.","title":"CVE-2026-40410 - Windows SMB Client Use-After-Free Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40410-smb-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows SMB Client","version":"https://jsonfeed.org/version/1.1"}