Microsoft disclosed CVE-2026-40408 on May 12, 2026, as part of its monthly Patch Tuesday security updates. This Important-rated elevation-of-privilege vulnerability resides in the Windows WAN ARP Driver, a kernel-mode component responsible for handling Address Resolution Protocol traffic over wide area network interfaces. Successful exploitation allows a local attacker to gain SYSTEM-level privileges, the highest integrity level on a Windows machine.

The vulnerability is a classic use-after-free bug in the wanarp.sys driver. When the driver processes crafted I/O requests, it can free a memory object while still retaining a dangling pointer. Later reuse of that pointer leads to arbitrary code execution in the kernel context. Attackers who can run code on a target system—even at low integrity—can leverage this bug to break out of sandboxes, bypass security boundaries, and take complete control over the device.

Technical Breakdown: Use-After-Free in wanarp.sys

Use-after-free (UAF) vulnerabilities occur when a program retains a reference to a memory location after it has been freed. The Windows WAN ARP Driver fails to properly synchronize access to certain internal data structures during the handling of ARP requests or custom IOCTLs. An attacker who crafts a sequence of operations can trigger a race condition that frees a kernel pool allocation while another thread still expects it to be valid.

The typical attack flow involves:
- Initial access: The attacker executes code on the target system, for example via a compromised user-mode application or a malicious document macro.
- Triggering: The attacker sends specially crafted IOCTL requests to the WAN ARP driver, often through DeviceIoControl calls.
- Memory corruption: A race window is exploited to free a kernel object; the attacker then allocates a new object of the same size to reclaim the freed memory. This object can be controlled with attacker-chosen data.
- Privilege escalation: The stale pointer is dereferenced to call a function pointer or write to a critical data structure, ultimately leading to token stealing or disabling of security checks.

Microsoft classifies CVE-2026-40408 as “Important” under its severity rating system. While not “Critical” because it requires local access, the impact is still significant. Elevation to SYSTEM enables attackers to disable security products, install persistent implants, and access sensitive data across all user accounts.

Affected Systems and Scope

CVE-2026-40408 impacts all supported versions of Windows at the time of disclosure. According to Microsoft’s advisory, this includes:
- Windows 11 (versions 23H2, 24H2, and the then-current LTSC editions)
- Windows 10 (versions 21H2 and later Enterprise/Education SKUs still under servicing)
- Windows Server 2022, 2025, and Server Core installations
- Windows Server, version 23H2

Because the WAN ARP driver is a standard component shipped with the operating system, any machine with the WAN Miniport (IP) adapter enabled is potentially vulnerable, even if no physical WAN hardware is present. In many default configurations, this adapter is installed as part of the networking stack, making the attack surface widely available.

Microsoft’s advisory does not list any mitigating factors like reduced attack vector on certain editions. The vulnerability is considered broadly exploitable, though no public proof-of-concept code or active exploitation had been observed at the time of disclosure. The CVSS score and vector have not been published officially, but third-party assessments suggest a base score in the range of 7.0–8.0, reflecting the high integrity impact with a low attack complexity.

The Patch and How It Fixes the Issue

The May 2026 Patch Tuesday update addresses the race condition by implementing proper locking and reference counting around the vulnerable objects. The fix ensures that memory is not freed while references are still outstanding and that access to shared structures is serialized correctly.

Microsoft does not disclose the exact KB article numbers for individual CVEs unless queried through the Security Update Guide. Administrators should look for the cumulative update corresponding to their OS build. These updates are delivered via Windows Update, WSUS, and the Microsoft Update Catalog. The patches are cumulative and include all previous security fixes, so deploying the May 2026 update will also resolve other vulnerabilities disclosed that month.

Contrary to some past kernel bugs, no workarounds are listed for CVE-2026-40408. Microsoft does not recommend disabling the WAN ARP driver or removing the WAN Miniport adapter, as this could break legitimate functionality for remote access (VPN) or routing scenarios. The only effective mitigation is applying the patch.

Real-World Exploitation Potential

Privilege escalation vulnerabilities in Windows kernel drivers remain a high-value commodity for attackers. Though use-after-free bugs are harder to weaponize reliably than simpler null pointer dereferences, mature exploit developers have demonstrated over the years that they can craft stable exploits with high success rates. The local nature of this CVE means it is most useful in chained attacks, where the attacker has already obtained initial code execution but needs SYSTEM privileges to achieve their goals.

Common attack chains may involve:
- Phishing deliveries that execute a low-privilege payload, followed by an EoP exploit for persistence.
- Browser or document-based sandbox escapes, pairing a renderer compromise with a kernel bug to break out of the sandbox.
- Lateral movement tools that first compromise a low-privilege domain user, then pivot to SYSTEM on the local box to steal credentials or move deeper into the network.

Although the advisory does not mention known exploitation at the time of release, the technical details of the fix can be reverse-engineered by comparing patched and unpatched binaries. This makes it likely that exploit code will surface within weeks. “Patch diffing” is a common technique for vulnerability researchers and threat actors alike. Organizations must test and deploy the update rapidly.

Patching Guidance and Deployment Considerations

Security teams should prioritize the deployment of the May 2026 cumulative updates based on their risk posture. While the base severity is “Important,” the accessibility of the attack surface and the high impact warrant an expedited rollout for systems where untrusted users can execute code. This includes multi-user servers, workstations, and virtual desktop infrastructure.

Key steps:
- Inventory systems to identify all Windows endpoints and servers still under support.
- Download and test the cumulative update in a staging environment that mirrors production.
- Validate that line-of-business applications, VPN clients, and network tools continue to function after patching—the wanarp.sys driver is often used by third-party VPN solutions.
- Push the update through normal change management processes, but consider emergency change windows for high-risk assets.
- Monitor for post-patch stability issues; kernel driver changes sometimes expose timing-based compatibility bugs.

For air-gapped or highly regulated environments, consider using the Microsoft Security Update Guide to download standalone packages.

Broader Context: Kernel Driver Vulnerabilities in 2025–2026

CVE-2026-40408 reflects a continuing trend of memory safety bugs in legacy Windows drivers. The WAN ARP driver, like many others, was originally developed in the 1990s and has seen only incremental maintenance. Microsoft’s shift toward Rust for new kernel code aims to eliminate entire classes of vulnerabilities, but rewriting decades-old C/C++ components is a long-term undertaking. In the interim, attackers will continue to find and exploit use-after-free, buffer overflow, and uninitialized memory bugs in the kernel.

This vulnerability also underscores the importance of defense-in-depth. Security tools that block unexpected IOCTL calls, enforce Control Flow Guard (CFG), and monitor for anomalous process behavior can provide partial mitigation before patching. Microsoft Defender for Endpoint and various third-party solutions have behavior-based detection for common exploit primitives, but no single detection is foolproof.

The May 2026 Patch Tuesday likely includes other kernel-level fixes. Security analysts should review the full release for related vulnerabilities in the networking stack. As always, coordination with vulnerability management programs and threat intelligence feeds will help prioritize the most impactful patches.

Conclusion and Next Steps

CVE-2026-40408 is a textbook use-after-free elevation-of-privilege bug that hands SYSTEM access to any attacker on the box. The “Important” rating should not lull defenders into complacency. With a broad install base and no practical workaround, timely patching is the only sure defense. Organizations that delay patch deployment risk leaving a door open for attackers who can chain this bug with other exploits to achieve full compromise.

The disclosure comes at a time when Windows 10 end-of-support dates are approaching for many organizations, making it critical to inventory outdated systems and plan upgrades. For now, applying the May 2026 cumulative update is the immediate action. As exploit code becomes publicly available, the urgency will only increase.