Microsoft’s July 14, 2026 security updates fix CVE-2026-40378, a remotely reachable denial-of-service vulnerability in the Windows Local Security Authority Subsystem Service, better known as LSASS. An unauthenticated attacker can reportedly trigger excessive memory allocation over a network, potentially disrupting authentication services and forcing affected Windows systems or domain controllers out of service.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-40378 carries a CVSS 3.1 base score of 7.5 High. The vulnerability requires no privileges or user interaction, and Microsoft’s scoring assumes low attack complexity and high availability impact.
For administrators, the practical response is straightforward: install the July 2026 cumulative security updates, verify that systems have reached the fixed builds, and give exposed authentication infrastructure priority in deployment testing.
LSASS is not an ordinary background process. It enforces Windows security policies, authenticates users, handles password changes, creates access tokens, and supports technologies including Active Directory, Kerberos, and NTLM.
That makes an LSASS denial of service materially different from the crash of a peripheral application. On a workstation, loss of LSASS can terminate the Windows session or cause the operating system to shut down or restart. On a domain controller, disruption can interfere with logons, ticket issuance, directory-backed authentication, and applications that depend on Active Directory.
Microsoft describes the underlying weakness as a memory allocation operation using an excessive size value. The issue is categorized as CWE-789, Memory Allocation with Excessive Size Value, a class of bug in which attacker-controlled or insufficiently constrained input causes software to request an unreasonable amount of memory.
The published CVSS vector is
The score assigns no confidentiality or integrity impact. Microsoft is therefore not describing CVE-2026-40378 as a route to credential theft, code execution, or privilege escalation. Its documented effect is loss of availability, although taking authentication infrastructure offline can still produce a serious business outage.
Affected client branches include:
Administrators should use the Microsoft Security Update Guide and their servicing tools as the authority for the exact package associated with each operating-system release. Build comparisons are particularly useful where inventory products report the OS revision reliably but do not immediately map the installed cumulative update to every CVE it resolves.
The broad product range matters because older Windows Server systems are frequently retained for identity services, line-of-business applications, and isolated operational networks. A server being unavailable from the public internet does not remove the risk when an attacker has already gained access to another host on the corporate network.
That combination warrants attention without turning the vulnerability into a claimed zero-day emergency. At publication, the available records do not establish active exploitation, and Microsoft’s description does not indicate that technical exploit details or a public proof of concept were available.
The report confidence language shown in the advisory explains how confidently a vulnerability and its technical characteristics are known. It is not a probability that an individual organization will be attacked. A confirmed vendor record means defenders and potential attackers have credible information that the flaw exists, but it does not by itself demonstrate exploitation in the wild.
Network attackability also does not automatically mean that every Windows PC can be crashed directly from the internet. Actual exposure depends on network filtering, reachable Windows services, host roles, segmentation, and the protocol path used to deliver the malformed input. Microsoft’s public description is not yet detailed enough to identify a safe firewall workaround or a single port that administrators can block without affecting legitimate authentication.
That uncertainty favors patching over speculative mitigation. Domain controllers, remote-access infrastructure, identity servers, and systems reachable from less-trusted network segments should move toward the front of the deployment queue.
Administrators should confirm that each important site has access to more than one healthy domain controller and DNS server. Replication health, time synchronization, SYSVOL state, recent system-state backups, and monitoring for unexpected LSASS termination or server restarts are all relevant checks before and after deployment.
Security teams should also examine whether workstation, guest, VPN, wireless, and server networks can initiate unnecessary authentication traffic toward domain controllers. Segmentation cannot replace the update, but it can limit which compromised devices are positioned to exercise a remotely reachable LSASS flaw.
Patch testing should focus on authentication-dependent workloads rather than simply verifying that Windows restarts successfully. Kerberos logons, NTLM-dependent legacy applications, LDAP and LDAPS connections, certificate-based authentication, Group Policy processing, and trusts between domains or forests are sensible validation targets.
For ordinary Windows 11 PCs managed through Windows Update, Windows Update for Business, or Microsoft Intune, CVE-2026-40378 arrives through the normal cumulative servicing channel. Enterprises using Windows Server Update Services, Configuration Manager, or third-party patch platforms should verify compliance by OS build after rollout rather than relying solely on an update’s approved or downloaded status.
As of July 14, 2026, public records show no observed exploitation, but they also describe an unauthenticated, low-complexity network attack with no required user action. Reaching the July 2026 fixed builds—and confirming that domain controllers and other authentication-critical hosts remain healthy afterward—is the concrete measure of protection.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-40378 carries a CVSS 3.1 base score of 7.5 High. The vulnerability requires no privileges or user interaction, and Microsoft’s scoring assumes low attack complexity and high availability impact.
For administrators, the practical response is straightforward: install the July 2026 cumulative security updates, verify that systems have reached the fixed builds, and give exposed authentication infrastructure priority in deployment testing.
An Availability Bug in Windows’ Security Authority
LSASS is not an ordinary background process. It enforces Windows security policies, authenticates users, handles password changes, creates access tokens, and supports technologies including Active Directory, Kerberos, and NTLM.That makes an LSASS denial of service materially different from the crash of a peripheral application. On a workstation, loss of LSASS can terminate the Windows session or cause the operating system to shut down or restart. On a domain controller, disruption can interfere with logons, ticket issuance, directory-backed authentication, and applications that depend on Active Directory.
Microsoft describes the underlying weakness as a memory allocation operation using an excessive size value. The issue is categorized as CWE-789, Memory Allocation with Excessive Size Value, a class of bug in which attacker-controlled or insufficiently constrained input causes software to request an unreasonable amount of memory.
The published CVSS vector is
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. In operational terms, Microsoft’s assessment says an attacker can reach the vulnerable component across a network, does not need an existing account, and does not need to persuade a user to open a file or visit a site.The score assigns no confidentiality or integrity impact. Microsoft is therefore not describing CVE-2026-40378 as a route to credential theft, code execution, or privilege escalation. Its documented effect is loss of availability, although taking authentication infrastructure offline can still produce a serious business outage.
Windows Clients and Servers Share the Exposure
The affected-product data spans supported and extended-support Windows releases rather than a narrow LSASS configuration. Records submitted by Microsoft identify Windows 10, Windows 11, and multiple Windows Server generations, including Server Core installations.Affected client branches include:
- Windows 10 version 1607 builds earlier than 14393.9339.
- Windows 10 version 1809 builds earlier than 17763.9020.
- Windows 10 version 21H2 builds earlier than 19044.7548.
- Windows 10 version 22H2 builds earlier than 19045.7548.
- Windows 11 version 23H2 builds earlier than 22631.7376.
- Windows 11 version 24H2 builds earlier than 26100.8875.
- Windows 11 version 25H2 builds earlier than 26200.8875.
- Windows 11 version 26H1 builds earlier than 28000.2269.
Administrators should use the Microsoft Security Update Guide and their servicing tools as the authority for the exact package associated with each operating-system release. Build comparisons are particularly useful where inventory products report the OS revision reliably but do not immediately map the installed cumulative update to every CVE it resolves.
The broad product range matters because older Windows Server systems are frequently retained for identity services, line-of-business applications, and isolated operational networks. A server being unavailable from the public internet does not remove the risk when an attacker has already gained access to another host on the corporate network.
Network Reachability Raises the Deployment Priority
Microsoft’s CVSS assessment gives CVE-2026-40378 the Network attack vector and an attack complexity rating of Low. CISA’s initial enrichment, published alongside the July 14 disclosure, classified exploitation as not observed while marking the attack as automatable and its technical impact as partial.That combination warrants attention without turning the vulnerability into a claimed zero-day emergency. At publication, the available records do not establish active exploitation, and Microsoft’s description does not indicate that technical exploit details or a public proof of concept were available.
The report confidence language shown in the advisory explains how confidently a vulnerability and its technical characteristics are known. It is not a probability that an individual organization will be attacked. A confirmed vendor record means defenders and potential attackers have credible information that the flaw exists, but it does not by itself demonstrate exploitation in the wild.
Network attackability also does not automatically mean that every Windows PC can be crashed directly from the internet. Actual exposure depends on network filtering, reachable Windows services, host roles, segmentation, and the protocol path used to deliver the malformed input. Microsoft’s public description is not yet detailed enough to identify a safe firewall workaround or a single port that administrators can block without affecting legitimate authentication.
That uncertainty favors patching over speculative mitigation. Domain controllers, remote-access infrastructure, identity servers, and systems reachable from less-trusted network segments should move toward the front of the deployment queue.
Domain Controllers Need Resilience as Well as Patches
CVE-2026-40378 is an availability vulnerability, so recovery planning matters alongside prevention. A denial-of-service attempt against a single domain controller should not be able to halt authentication across an entire site if Active Directory has been designed and maintained with redundancy.Administrators should confirm that each important site has access to more than one healthy domain controller and DNS server. Replication health, time synchronization, SYSVOL state, recent system-state backups, and monitoring for unexpected LSASS termination or server restarts are all relevant checks before and after deployment.
Security teams should also examine whether workstation, guest, VPN, wireless, and server networks can initiate unnecessary authentication traffic toward domain controllers. Segmentation cannot replace the update, but it can limit which compromised devices are positioned to exercise a remotely reachable LSASS flaw.
Patch testing should focus on authentication-dependent workloads rather than simply verifying that Windows restarts successfully. Kerberos logons, NTLM-dependent legacy applications, LDAP and LDAPS connections, certificate-based authentication, Group Policy processing, and trusts between domains or forests are sensible validation targets.
For ordinary Windows 11 PCs managed through Windows Update, Windows Update for Business, or Microsoft Intune, CVE-2026-40378 arrives through the normal cumulative servicing channel. Enterprises using Windows Server Update Services, Configuration Manager, or third-party patch platforms should verify compliance by OS build after rollout rather than relying solely on an update’s approved or downloaded status.
The Fixed Build Is the Meaningful Finish Line
CVE-2026-40378 does not carry the data-theft implications of an LSASS credential-dumping vulnerability, but its location makes the availability impact consequential. A remotely induced LSASS failure can turn a memory-management error into failed logons, interrupted directory services, application outages, and recovery work across dependent systems.As of July 14, 2026, public records show no observed exploitation, but they also describe an unauthenticated, low-complexity network attack with no required user action. Reaching the July 2026 fixed builds—and confirming that domain controllers and other authentication-critical hosts remain healthy afterward—is the concrete measure of protection.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com