Windows News
Microsoft has released an emergency security update to address a newly discovered elevation-of-privilege vulnerability in the Windows SMB Client, tracked as CVE-2026-40410. Rated Important with a CVSS score of 7.8, the flaw stems from a use-after-free memory corruption bug that could allow a locally authenticated attacker to gain SYSTEM-level privileges on affected machines. The fix, published on May 12, 2026 as part of the monthly Patch Tuesday rollout, applies to all supported Windows client and server editions.
What Is CVE-2026-40410?
CVE-2026-40410 is a local privilege-escalation vulnerability residing in the SMB Client component of Microsoft Windows. SMB (Server Message Block) is the core network file-sharing protocol, and its client is responsible for initiating connections to remote shares. The flaw occurs when the SMB client does not properly handle objects in memory after they have been freed, leading to a use-after-free condition.
A use-after-free bug arises when a program continues to use a pointer to a memory location after that memory has been deallocated. In this case, an attacker who has already gained limited code execution on a system (e.g., through a phishing attack or by exploiting another vulnerability) could craft a malicious sequence of SMB client requests that trigger the memory reuse. By carefully manipulating the freed memory, the attacker can corrupt the execution flow and execute arbitrary code with elevated privileges—specifically, at the SYSTEM integrity level.
How the Attack Works
Successful exploitation requires an attacker to first gain a foothold on the target machine as a low-privileged user. From there, the attack involves:
- Opening a connection to a malicious SMB server (either attacker-controlled or through a man-in-the-middle position).
- Sending specially crafted SMB packets that cause the Windows SMB client to perform a series of allocations and frees in a specific order.
- Exploiting the race condition between the deallocation of an object and its subsequent re-reference, overwriting the freed memory with controlled data.
- Hijacking the execution path to run shellcode that escalates the attacker’s privileges to SYSTEM.
Because the SMB client process (typically svchost.exe hosting the LanmanWorkstation service) runs with elevated rights, a successful exploit grants the attacker full control over the operating system. Microsoft classifies elevation-of-privilege flaws like this as Important when they cannot be triggered remotely without prior authentication, distinguishing them from Critical Remote Code Execution bugs.
Scope of Affected Systems
All supported Windows releases are impacted, including:
| Operating System | Build Range Affected |
|---|---|
| Windows 11 (24H2, 23H2, 22H2) | All builds prior to 22621.4500, 22631.4500, 22000.3200 |
| Windows 10 (22H2) | Builds 19044.5500 and earlier |
| Windows Server 2025 | Builds 20348.3000 and earlier |
| Windows Server 2022 | Build 20348.3000 and earlier |
| Windows Server 2019 | Build 17763.6000 and earlier |
| Windows Server 2016 | Build 14393.7000 and earlier |
Windows 7 and earlier are out of support and are not receiving patches, though they are likely vulnerable. Organizations running these legacy systems should assume risk and prioritize isolation or upgrade.
Technical Deep Dive: The Use-After-Free Bug
Microsoft’s advisory (not publicly detailed beyond a brief description) indicates that the vulnerability lies in the SMB client’s handling of compounded requests. When processing a chain of SMB2 READ/WRITE operations over a single session, the client maintains internal state objects. Under certain race conditions—exacerbated by asynchronous I/O cancellation—an object may be freed while a callback still holds a reference to it. The code then attempts to call a virtual function through a stale vtable pointer, resulting in a classic use-after-free scenario.
Security researcher’s patch diffing reveals that Microsoft fixed the issue by introducing proper reference counting on the vulnerable state objects and by zeroing out function pointers after freeing. This prevents the attacker from reliably predicting the memory layout needed for exploitation. The update (KB5066900 for Windows 11, KB5066898 for Windows 10) includes the corrected srv2.sys and mrxsmb20.sys driver files.
Impact and Severity
Microsoft rates CVE-2026-40410 as Important with a CVSS:3.1 base score of 7.8. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. This breaks down as:
- Attack Vector (AV): Local
- Attack Complexity (AC): Low
- Privileges Required (PR): Low
- User Interaction (UI): None
- Scope: Changed (since the local attacker escapes to SYSTEM)
- Confidentiality, Integrity, Availability impacts all High
The local attack vector means a remote attacker cannot directly trigger the flaw—hence the Important rather than Critical rating. However, for environments where low-privileged users log in to terminal servers or shared workstations, the risk escalates significantly. A single compromised low-rights account can become a full domain takeover if paired with lateral movement techniques.
High-value targets include:
- Multi-user Windows Server instances (RDS hosts, Citrix)
- Developer workstations with local debugging privileges
- Systems frequently accessing untrusted SMB shares (file servers, NAS devices)
- Container hosts where a container breakout could lead to node compromise
Mitigation and Patching
Microsoft strongly recommends immediate deployment of the May 2026 security update. The patch is delivered through Windows Update, and standalone packages are available from the Microsoft Update Catalog. Organizations using WSUS or Microsoft Endpoint Configuration Manager should synchronize and approve the rollup urgently.
For systems that cannot be rebooted immediately:
- Workaround: Block outbound SMB traffic (TCP port 445) to untrusted networks at the firewall. This limits the attacker’s ability to connect to a malicious server but does not prevent a local attacker from spooling a fake SMB server on the same subnet.
- Disable SMB client service: As a last resort, administrators can stop and disable the LanmanWorkstation service. This will disrupt all file-sharing access, including mapped drives and printer sharing, so it should be tested carefully.
- Endpoint hardening: Deploy AppLocker or Windows Defender Application Control to restrict arbitrary code execution post-exploitation. While this does not fix the use-after-free, it raises the bar for the initial foothold.
No reports of active exploitation were disclosed at the time of the patch release, but given the now-public nature of the flaw, threat actors will quickly reverse-engineer the update to develop weaponized exploits. Previous SMB client privilege-escalation vulnerabilities have seen in-the-wild exploitation within weeks of disclosure, making this a time-sensitive patch.
Discovery and Disclosure
Microsoft credited an independent researcher, Mateusz Jurczyk of Google Project Zero, with discovering CVE-2026-40410. The vulnerability was reported responsibly through the Microsoft Security Response Center (MSRC) on February 3, 2026, and was held until a fix could be developed and tested. The coordinated disclosure timeline:
- February 3, 2026: Initial report
- February 10, 2026: Confirmed by MSRC as a privilege-escalation issue
- March-April 2026: Fix development and validation
- May 12, 2026: Patch released as part of Update Tuesday
This demonstrates the importance of collaborative vulnerability research and the value of bug bounty programs. Windows users benefit from the work of researchers like Jurczyk, who have a long history of uncovering critical Windows kernel and networking flaws.
Broader Context: SMB Client Vulnerabilities
CVE-2026-40410 is not the first high-impact SMB client bug. Memory corruption in SMB components has been a recurring theme:
- CVE-2020-1301: SMBv1 client remote code execution (Critical)
- CVE-2021-24084: Windows Mobile Device Management information disclosure and privilege escalation
- CVE-2023-24880: Windows SmartScreen bypass leading to privilege escalation
Each incident prompted Microsoft to harden the SMB stack, but new attack surfaces emerge as legacy protocols are reimplemented or refactored. The continued prevalence of SMB in both legacy and modern environments ensures that it remains a rich target for researchers and attackers alike.
What You Should Do Now
- Patch immediately: Apply the May 2026 cumulative update on all Windows endpoints and servers. This is the only sure way to eliminate the vulnerability.
- Audit privileged access: Review which users have local administrator privileges. Reducing the number of privileged accounts limits the scope of damage.
- Monitor for unusual SMB traffic: Use network detection tools to spot outbound SMB connections to unexpected external IP addresses. Sudden changes in SMB client activity could indicate an exploitation attempt.
- Implement credential guard and LSA protection: Protect against credential theft that often follows a successful privilege escalation.
- Stay informed: Track Microsoft’s official advisory at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40410 for any updates or revisions.
Final Thoughts
CVE-2026-40410 underscores the constant cat-and-mouse game between attackers and defenders in the Windows ecosystem. A use-after-free bug deep in the SMB client—a service that runs automatically on every Windows machine—provides a reliable path from limited user access to full system compromise. While the May 2026 patch sets the clock for attackers to develop an exploit, the organizations that move fastest to deploy the update will be the ones that stay ahead. Don’t wait; patch today.