Microsoft disclosed and patched three Windows TCP/IP denial-of-service vulnerabilities tracked as CVE-2026-40405, CVE-2026-40413, and CVE-2026-40414. The flaws stem from NULL pointer dereference conditions and can be triggered remotely without user interaction, causing high availability impact. Microsoft rated the issues Important, assigned CVSS scores of 7.5 for CVE-2026-40405 and 7.4 for CVE-2026-40413 and CVE-2026-40414, and said none of the vulnerabilities had been publicly disclosed or exploited in the wild at the time of publication.
Microsoft said CVE-2026-40413 and CVE-2026-40414 are exploitable from an adjacent network, limiting attacks to the same network segment such as a shared switch or virtual network, while CVE-2026-40405 is described as remotely exploitable over the network. The company warned that the adjacent-network flaws may involve a scope change, including scenarios in which a low-privilege Hyper-V guest could cross the guest boundary and deny service on the Hyper-V host. Microsoft has released official fixes for all three issues, adding to a broader pattern of Windows networking and TCP/IP denial-of-service advisories published in recent update cycles.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
Microsoft disclosed CVE-2026-40414 as an Important Windows TCP/IP denial-of-service vulnerability caused by a NULL pointer dereference, with CVSS 7.4. Microsoft stated it was not publicly disclosed or exploited in the wild, described a possible Hyper-V guest boundary-crossing DoS scenario, and provided an official fix.
Microsoft disclosed CVE-2026-40413 as an Important Windows TCP/IP denial-of-service vulnerability caused by a NULL pointer dereference, with CVSS 7.4. The company said the flaw was not publicly disclosed or exploited, noted adjacent-network attack conditions including a possible Hyper-V guest-to-host DoS scenario, and released a fix.
Microsoft disclosed CVE-2026-40405 as an Important Windows TCP/IP denial-of-service vulnerability caused by a NULL pointer dereference, with CVSS 7.5. Microsoft said it was not publicly disclosed or exploited at publication, assessed exploitation as less likely, and made an official fix available.
Microsoft published a Security Update Guide entry for CVE-2025-21352, an Internet Connection Sharing (ICS) denial-of-service vulnerability. The publication indicates the issue was formally acknowledged and addressed by Microsoft on that date.
Microsoft released Security Update Guide entries for CVE-2024-38232 and CVE-2024-38233, both described as Windows Networking denial-of-service vulnerabilities. Their publication marks formal disclosure and availability of Microsoft guidance or fixes.
Microsoft published a Security Update Guide entry for CVE-2023-36602, a Windows TCP/IP denial-of-service vulnerability. The advisory indicates the vulnerability was formally disclosed and addressed by Microsoft on that date.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
msrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.