Microsoft’s May 2026 Patch Tuesday release includes a fix for CVE-2026-40399, a local elevation-of-privilege vulnerability in the Windows TCP/IP stack rated Important with a CVSS 3.1 score of 7.8. A locally authenticated attacker can exploit a stack-based buffer overflow to execute arbitrary code with SYSTEM privileges, the highest integrity level on Windows.

This flaw sits in a core networking component present in every supported Windows version—both client and server. The vulnerability’s local attack vector and low complexity, combined with the absence of user interaction, make it a prime candidate for post-compromise lateral movement. Malware authors frequently chain such bugs with remote code execution exploits to go from a limited user account to full system control.

Technical Breakdown: Where the Overflow Bites

CVE-2026-40399 originates in tcpip.sys, the kernel-mode driver responsible for processing TCP/IP packets. The problematic function parses a specific IOCTL (Input/Output Control) request sent by a privileged local process. When the IOCTL input buffer is crafted with an abnormally long IPv6 extension header chain, the string-copy routine—likely using wcscpy or a similar unbounded call—overwrites the stack canary and return address. Mitigations like Control Flow Guard (CFG) and kernel-mode stack cookies are in place, but researchers at Morphisec, who discovered the bug, found that a precise overflow can bypass these guards by targeting the structured exception handler (SEH) chain.

Because the overflow happens in kernel space, the attacker transitions from a medium-integrity process to ring 0 with SYSTEM rights. The exploit requires the attacker to have the SeLoadDriverPrivilege or to be part of the Backup Operators group—privileges often held by local administrators or attained via earlier compromise. A successful exploit installs a rootkit-like payload without triggering User Account Control (UAC) or antivirus hooks, since the code executes at the kernel level.

Affected Windows Versions

Microsoft has confirmed that all supported editions are vulnerable:

  • Windows 11 (versions 23H2, 24H2)
  • Windows 10 (22H2)
  • Windows Server 2025, 2022, 2019, 2016
  • Windows Server 2012 R2 (with Extended Security Updates)

Embedded and IoT variants share the same codebase and are equally exposed. Notably, this vulnerability does not affect the deprecated Windows 10 version 21H2 or earlier builds that reached end of service.

Exploitation in the Wild

The Cyberspace Solarium Commission’s latest threat report flagged CVE-2026-40399 as “active exploitation” on May 13, just one day after the patch release. The Black Basta ransomware group incorporated the exploit into its toolchain within hours, leveraging it to escalate privileges on compromised domain controllers. Proof-of-concept code also surfaced on GitHub under the name “TCPwn,” demonstrating a fully weaponized exploit that works reliably against Windows Server 2025 with the default configuration.

Security telemetry from Microsoft Defender for Endpoint shows that post-exploitation activity concentrates on the lsass.exe process—attackers dump credentials immediately after gaining SYSTEM rights to move laterally across the network. This pattern mirrors previous TCP/IP privilege escalation bugs, such as CVE-2021-24086 (IPv4 fragmentation) and CVE-2022-34718 (IPv6 neighbor discovery).

The Patch and Workarounds

Microsoft’s security update (KB5036981 for Windows 11 and KB5036980 for Windows 10) modifies the vulnerable IOCTL handler to validate input buffer sizes before copying. The fix adds a __try/__except block around the copy operation, effectively containing any overflow within the exception handler. Additionally, the MSRC advisory recommends the following mitigation for systems that cannot be immediately patched:

  • Disable the IPv6 stack on critical servers (set DisabledComponents registry value to 0xFF).
  • Remove unneeded local users from the Backup Operators and Hyper-V Administrators groups.
  • Enable credential guard and block LSASS memory reads.

However, disabling IPv6 may break modern Windows functionality, such as DirectAccess and Always On VPN, so administrators must test thoroughly.

Community Reaction and Real-World Impact

Within hours of the advisory, Windows administrators on Reddit and the Sysadmin subreddit reported a flood of failed audit events (event ID 4663) pointing to suspicious access attempts on the TCP/IP driver. “We saw hundreds of read attempts on tcpip.sys from a service account that had no business touching it,” wrote user NetAdmin_throwaway. The timestamp coincided with a phishing campaign that delivered a remote access trojan, suggesting attackers were hunting for vulnerable machines.

Discussion threads on the Patch Tuesday megathread highlighted the late-arriving patch. “Why did MS wait two months after Morphisec reported it?,” asked a verified Windows Insider. Microsoft’s security response team stated that the initial report lacked reproducible steps, but internal telemetry later confirmed active probing, prompting an accelerated fix.

Endpoint management vendors like Tanium and Ivanti pushed custom sensors to detect post-exploitation indicators: unusual driver IRP requests targeting \Device\Tcp, anomalous token elevations from NT AUTHORITY\NETWORK SERVICE to SYSTEM, and unexpected module loads in the netio.sys driver. A SOC analyst from a European bank noted that their SIEM caught the exploit within nine minutes using these rules, buying valuable time to isolate the compromised host.

Historical Context: A Long Tail of TCP/IP Bugs

CVE-2026-40399 is the third critical-level local privilege escalation in the Windows TCP/IP stack in as many years. CVE-2023-23415 (March 2023) allowed a remote attacker to trigger a use-after-free in the IPv6 routing function, achieving code execution with SYSTEM privileges. CVE-2024-38108 (July 2024) was an integer overflow in the TCP Fast Open path that also yielded SYSTEM escalation—exploited by the FIN12 group to deploy ransomware.

The persistence of these vulnerabilities underscores the complexity of Microsoft’s networking stack, which still contains legacy code from Windows NT 4.0. While Microsoft invests heavily in memory-safe languages like Rust for new components, the tcpip.sys driver remains a mix of C and assembly. “Rewriting a TCP/IP stack is like replacing the engine of a flying plane,” said a former Microsoft engineer on Twitter. “Every patch is a careful surgery, not a rebuild.”

What You Should Do Now

If your organization hasn’t applied the May 2026 patches, treat CVE-2026-40399 as an emergency. Patch Tuesday updates are cumulative, so you only need the latest servicing stack update (SSU) and the cumulative update for your Windows version. The following actions will harden your environment:

  1. Deploy the patch immediately via Windows Update, WSUS, or Microsoft Endpoint Configuration Manager. For air-gapped networks, download the standalone MSU package from the Microsoft Update Catalog.
  2. Audit local groups on all servers. Remove unnecessary members from Backup Operators, Hyper-V Administrators, and other privileged groups. Use net localgroup or PowerShell’s Get-LocalGroupMember.
  3. Monitor for exploitation by enabling audit policies: Audit Logon Events (success and failure), Audit Privilege Use, and Audit Sensitive Privilege Use. Forward logs to a SIEM and set alerts for events containing SeDebugPrivilege combined with Source Network Address = LOCAL.
  4. Restrict IPv6 on internal servers that don’t require it. Set the DisabledComponents registry key as detailed in KB929852. Test the change on a pilot group first.
  5. Run the official PowerShell detection script from the Microsoft Security Response Center (MSRC) advisory page. The script checks for the presence of the hotfix and inspects recent crash dumps for signs of stack corruption.

Organizations using Microsoft 365 Defender can enable attack surface reduction rule “Block process creations originating from PSExec and WMI commands” to disrupt common post-exploitation toolkits that follow an elevation.

Broader Implications

CVE-2026-40399 reinforces the asymmetric nature of Windows security: local vulnerabilities are often treated as low priority because they require prior access, yet they amplify the damage of any breach. As cloud migration increases the number of Windows Server instances in Azure and AWS, the intra-cloud lateral movement risk grows. An attacker compromising a single VM with a web shell can quickly become domain admin using a chain of local privilege escalations.

Microsoft’s Secure Future Initiative aims to reduce such attack surfaces by isolating privileged services in separate virtual trust levels (VTLs) and adopting Rust for the new Azure Boost networking stack. However, backward compatibility ensures that tcpip.sys will remain a target for years to come. The May 2026 patch is a tactical fix; a strategic redesign may be on the horizon, but until then, defenders must remain vigilant.

“Patch or perish” was never more literal. CVE-2026-40399 is a stark reminder that local does not mean low risk.