Microsoft’s May 2026 Patch Tuesday brought a fix for a critical denial-of-service vulnerability in the Windows TCP/IP stack that could allow unauthenticated attackers to crash affected systems with a single specially crafted packet. Tracked as CVE-2026-40405, the flaw carries an Important severity rating and affects Windows 11 and Windows Server 2025. Organizations and home users alike should apply the update immediately to prevent service disruptions.

What Is CVE-2026-40405?

CVE-2026-40405 is a denial-of-service vulnerability caused by a null pointer dereference in the Windows TCP/IP stack. An unauthenticated attacker can exploit this weakness by sending a maliciously crafted packet to a vulnerable system, triggering a crash or making the system unresponsive until it is restarted. The attack requires no user interaction, no prior authentication, and can be performed remotely over the network, making it a low-complexity threat for unpatched machines.

The vulnerability was disclosed on May 12, 2026, as part of Microsoft’s monthly security update cycle. According to the Common Vulnerability Scoring System (CVSS), the base score is likely in the high range (above 7.0) due to the network attack vector, low attack complexity, and lack of required privileges. While Microsoft rates it as “Important” rather than “Critical,” the distinction lies in the impact: CVE-2026-40405 only causes a denial of service, not arbitrary code execution or privilege escalation. Nevertheless, for environments where uptime is paramount, the risk is severe.

Technical Details: Null Pointer Dereference in TCP/IP

At the heart of CVE-2026-40405 is a classic null pointer dereference flaw. When the Windows TCP/IP stack processes certain malformed packets—likely in the IPv4 or IPv6 header—a code path attempts to access a memory address that has been set to zero (null). The resulting exception crashes the networking component responsible for handling incoming packets.

Such bugs often slip through testing because they require unusual or non-standard packet formats that normal traffic never generates. Security researchers typically discover them through fuzzing, a technique that bombards the protocol stack with random or semi-random inputs. Microsoft’s advisory suggests that the vulnerability exists in the way Windows handles specific IP packet fragments or options, though exact details remain limited to prevent weaponization before patches are widely deployed.

Because the attack surface is the network stack, any system that accepts IP packets can be targeted. This includes web servers, domain controllers, file servers, and even client workstations. An attacker on the same local network or the broader internet can send the malicious packet; no prior compromise of the network perimeter is required.

Affected Platforms

CVE-2026-40405 specifically impacts:

  • Windows 11 (all editions and architectures)
  • Windows Server 2025 (including Server Core installations)

Older operating systems such as Windows 10, Windows Server 2022, and earlier versions appear unaffected, based on Microsoft’s initial advisory. This limited scope points to a code regression introduced relatively recently, possibly in the new TCP/IP stack enhancements delivered with Windows 11 and Server 2025. The fix isolates the affected code and adds proper null-pointer checks before dereferencing.

For IT administrators, verifying the exact patch level is critical. The security update is distributed through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. The May 2026 cumulative update for Windows 11 (likely KB503xxxx) and the corresponding Server 2025 update contain the fix. Microsoft’s advisory also notes that no other mitigations exist; applying the patch is the only way to prevent exploitation.

How the Attack Works

Exploitation of CVE-2026-40405 is straightforward. An attacker crafts an IP packet with specific malformed fields—possibly a fragmented packet with overlapping offsets or an invalid option in the header. When the target system’s TCP/IP stack processes this packet, the null pointer dereference occurs in a driver or kernel-level function, causing a blue screen of death (BSOD) or a network stack hang.

On Windows 11 clients, the crash might force an automatic reboot, interrupting user work. On servers, a crash could halt all network services—DHCP, DNS, file sharing, Active Directory—until the server recovers. Repeated attacks could keep a server perpetually offline, effectively achieving a sustained denial-of-service condition.

Worse, because the vulnerability is triggered before any higher-layer protocol processing (such as TCP handshake or application data), perimeter defenses like firewalls and intrusion detection systems might not detect the malicious packet as an anomaly without specific signatures. Post-patch, however, the null-pointer check prevents the crash, and the malformed packet is simply discarded.

Mitigation and Patch Deployment

The primary and only effective countermeasure is to install the May 2026 security update. Microsoft has not provided any workarounds—no registry settings, no network filtering rules, and no protocol disablement can reliably block the exploit without breaking legitimate functionality. The following deployment steps are recommended:

  1. Immediate patch application: For internet-facing servers (web, mail, VPN), treat this update as emergency priority. Even internal servers should be patched promptly to protect against lateral movement after a perimeter breach.
  2. Test in a staging environment: While the risk of patch-induced issues is low, organizations should test the cumulative update on representative systems to ensure application compatibility.
  3. Prioritize Windows Server 2025: Servers have a higher uptime requirement; an outage caused by this DoS could be more disruptive than on a client.
  4. Use automated tools: Deploy via WSUS, Microsoft Endpoint Configuration Manager, or third-party patch management solutions to expedite rollout.

For home users and small businesses, Windows Update will typically download and install the fix automatically if automatic updates are enabled. Users should manually check for updates via Settings > Windows Update and reboot if required.

Beyond patching, network administrators can consider implementing ingress filtering to drop malformed packets at the network edge, but such filtering rules are complex and prone to false positives. Security information and event management (SIEM) systems can be tuned to monitor for unexpected reboots or network stack crashes, which may indicate ongoing exploitation attempts.

Broader Context: TCP/IP Vulnerabilities Continue to Plague Windows

CVE-2026-40405 is not an isolated case. The Windows TCP/IP stack has been a recurring source of critical vulnerabilities. In recent years, high-profile flaws like CVE-2021-24094 (IPv6 fragmentation DoS), CVE-2021-24086 (IPv6 DoS), and CVE-2022-34718 (Remote Code Execution in TCP/IP) demonstrated the ongoing risk in foundational network code.

The complexity of the TCP/IP protocol suite, with its many options, extension headers, and fragmentation mechanisms, makes it a rich attack surface. Microsoft’s decision to rewrite parts of the stack for newer Windows versions introduced performance and security improvements but also brought fresh code that required rigorous scrutiny. The fact that CVE-2026-40405 only affects Windows 11 and Server 2025 suggests it stems from a recent change.

For defenders, the lesson remains consistent: network-accessible services, even those as low-level as the TCP/IP driver, must be kept up to date. The standard advice to minimize attack surface—disable unused services, implement network segmentation, and enforce least privilege—does little against a vulnerability that impacts the basic networking layer. Only patching can eliminate the exposure.

Disclosure Timeline and Credits

Microsoft credited an unnamed security researcher for discovering and responsibly disclosing CVE-2026-40405. No evidence of active exploitation was reported at the time of disclosure, but history shows that once a vulnerability is announced, attackers quickly reverse-engineer the patch to develop exploits. Organizations that delay patching risk being targeted within days.

The vulnerability was privately reported to Microsoft earlier in 2026, following a coordinated disclosure process. The May 2026 Patch Tuesday release was the earliest opportunity to incorporate the fix into the standard update cycle. As always, Microsoft’s security response team urges customers to update immediately.

What This Means for Windows 11 and Server 2025 Users

If you manage even a single Windows 11 device or Server 2025 instance, this vulnerability should be on your radar. For enterprises, a denial-of-service attack can translate into lost revenue, damaged reputation, and operational chaos. For individuals, a crashed PC during a critical task is more than an inconvenience.

The good news is that the fix is simple: patch and reboot. There are no compatibility concerns reported at this stage, and the update includes other quality improvements and security fixes for the month. Delaying the update leaves your systems open to a readily weaponized attack.

Recommendations

  • Patch Immediately: Apply the May 2026 cumulative update to all affected systems. Windows 11 go to Settings > Update & Security > Windows Update. For Server 2025, use the same or your enterprise tooling.
  • Prioritize Internet-Exposed Servers: Any server directly reachable from the internet should be patched first.
  • Monitor for Crashes: If you cannot patch instantly, at least configure monitoring to detect sudden system restarts or network outages.
  • Stay Informed: Bookmark the MSRC advisory for CVE-2026-40405 for any late-breaking changes or exploitation reports.

Microsoft’s advisory will be updated if active attacks are detected or if additional platforms are found vulnerable. Keep an eye on the official guidance for any refinements.

CVE-2026-40405 underscores a timeless truth in cybersecurity: the foundation must be secure. When the very code that puts packets on the wire is flawed, nothing above it can be trusted. With the patch in hand, Windows 11 and Server 2025 users can close this door and keep their systems running.