Microsoft disclosed CVE-2026-40408 on May 12, 2026, as an Important-rated Windows WAN ARP Driver elevation-of-privilege vulnerability that affects supported Windows client and server releases and allows a locally authenticated attacker to gain SYSTEM privileges after exploiting a use-after-free flaw. The short version is that this is not a remote worm, not a public zero-day, and not a vulnerability Microsoft says is already being exploited. The longer version is more uncomfortable: it lives in kernel-mode driver territory, carries a 7.8 CVSS base score, and turns ordinary local access into the kind of control defenders spend their careers trying to contain.
That combination is why CVE-2026-40408 deserves more attention than its “Important” label might suggest. Microsoft’s own scoring says exploitation is less likely, but it also says report confidence is confirmed, attack complexity is low, user interaction is not required, and a successful attacker could obtain SYSTEM privileges. In the Windows security calendar, those details matter more than the headline severity word.
An elevation-of-privilege vulnerability is rarely the first door an attacker opens. It is the staircase they use after getting inside. Phishing, stolen credentials, exposed management tooling, malicious documents, abused remote access software, and browser escapes all become more dangerous when a local foothold can be converted into SYSTEM.
That is the practical significance of Microsoft’s FAQ entry: a successful exploit could grant SYSTEM privileges. In Windows terms, SYSTEM is not merely “administrator but louder.” It is the local security context used by the operating system and core services, and it can be enough to disable defenses, extract secrets, tamper with logs, persist across reboots, and move laterally depending on the surrounding environment.
The affected component named by Microsoft is the Windows WAN ARP Driver. The advisory’s executive summary describes the underlying bug class as a use-after-free in Windows kernel-mode drivers. That is a compact sentence, but it carries a long tail: memory lifetime bugs in kernel code are precisely the sort of flaws that can bridge the gap between a constrained user process and privileged execution.
Microsoft rates the maximum severity as Important rather than Critical because the attack vector is local and the attacker needs low privileges first. That is defensible under Microsoft’s severity model. It is also why defenders should read beyond the severity label.
The most comforting field is the one that says exploitation is local. It means this is not a vulnerability that can be fired across the internet at a listening service in the usual sense. An attacker needs some foothold on the target machine before CVE-2026-40408 becomes useful.
But that local requirement should not be overread. Modern intrusions are full of local footholds. A compromised standard user account, a malicious payload running under a user context, or a post-exploitation implant with limited rights is exactly the position from which local privilege escalation bugs are valuable.
The “no user interaction” metric is also important. Microsoft is not describing a flaw that requires tricking another user into clicking through a prompt or opening a specially crafted file once the attacker is already positioned. The advisory’s scoring says exploitation can proceed at the attacker’s will, assuming the prerequisite low-privilege access exists.
The “low attack complexity” metric adds another uncomfortable note. It does not mean an exploit is already circulating, and it does not mean exploitation is trivial for every attacker. It does mean Microsoft did not score the vulnerability as dependent on fragile race conditions, uncommon configurations, or unusual environmental prerequisites beyond the attacker’s control.
Report confidence is not a measure of exploit availability. It is a measure of confidence in the existence of the vulnerability and the credibility of the technical details. In this case, Microsoft’s “confirmed” rating means the issue is no longer merely suspected; the vendor has accepted that the vulnerable condition exists.
That distinction changes how administrators should think about urgency. A vulnerability with sketchy details and no vendor confirmation may call for monitoring and caution. A confirmed local privilege escalation flaw in a Windows kernel-mode driver calls for patch deployment planning, compatibility testing, and exposure reduction.
The interesting tension is that Microsoft also lists exploit code maturity as unproven. That is the difference between “we know the bug exists” and “we know attackers are already using it.” For defenders, those two statements produce different clocks. The first starts the patch clock; the second starts the incident-response clock.
CVE-2026-40408 is therefore not a panic item by Microsoft’s own published assessment. It is something more mundane and more common in enterprise security: a credible, patched, high-impact local bug that should be closed before it becomes a convenient link in an attack chain.
Windows has accumulated decades of compatibility, drivers, legacy interfaces, and specialized networking code. That is not an indictment; it is the price of being a general-purpose operating system used everywhere from consumer laptops to industrial systems to cloud-hosted servers. But it means memory safety defects in kernel-facing components remain a recurring source of elevation-of-privilege vulnerabilities.
The WAN ARP label will sound obscure to many users, and that obscurity is part of the story. The most consequential Windows vulnerabilities are not always in the glamorous surface areas. They often live in subsystems most people never configure directly but that ship as part of the platform, wait for a specific code path, and become relevant when an attacker already has a foothold.
That is also why “I do not use that feature” is a dangerous default assumption. If a vulnerable driver or component is present, loadable, reachable through an unexpected path, or exposed through normal OS behavior, its risk is not always determined by whether an end user recognizes the name. Administrators need asset and patch data, not vibes.
Microsoft’s advisory does not publish exploit steps, and it should not. The practical takeaway is that the root cause sits in a class of bug attackers understand well, in a privilege boundary defenders care about deeply, and in an operating-system layer where successful exploitation can have broad local consequences.
That breadth is not unusual for a kernel-mode driver flaw, but it is operationally significant. This is not a vulnerability limited to one niche SKU or one abandoned branch. It touches the sort of mixed Windows estates many organizations actually run: current client builds, older long-lived endpoints, core servers, and machines maintained under extended servicing arrangements.
For Windows 10, the advisory includes build numbers in the 19044 and 19045 branches. For Windows 11, it includes the 22631, 26100, 26200, and 28000 branches. For server platforms, it includes builds tied to Windows Server 2012, 2012 R2, 2016, 2019, 2022, Server 2022 23H2, and Server 2025.
That is where the vulnerability becomes less of a single CVE and more of a patch-management exercise. A home user with automatic updates enabled may simply reboot and move on. A sysadmin responsible for line-of-business apps, Remote Desktop hosts, VDI pools, domain-joined laptops, and Server Core workloads has to map the advisory to real machines.
The most important phrase in the update table is not the KB number; it is “Customer Action Required.” Microsoft is telling customers that remediation is not theoretical and not entirely automatic in every environment. Someone has to make sure the relevant cumulative update, security update, monthly rollup, or hotpatch path actually lands.
But hotpatching should not be mistaken for a magical shield. It still depends on eligibility, servicing state, deployment tooling, policy, and verification. An organization that has not built a disciplined process around update compliance can still miss a hotpatch just as surely as it can miss a cumulative update.
The presence of both security updates and security hotpatch updates in the table also reflects the transitional state of Windows servicing. Microsoft is clearly trying to make patch application less disruptive, particularly for servers. At the same time, administrators must understand which machines are on which servicing channel and which update mechanism applies.
For CVE-2026-40408, the practical workflow remains familiar. Identify affected operating-system versions, deploy the relevant update path, validate successful installation, monitor for regressions, and confirm build numbers. The format of the package may change; the discipline does not.
This is especially true for local privilege escalation vulnerabilities because delayed patching can create long windows of opportunity. Attackers do not need to exploit every machine immediately. They need one unpatched host at the right stage of an intrusion.
Exploitability ratings can age poorly. A vulnerability with no known exploit on disclosure day can become a commodity technique weeks later if researchers reverse-engineer the patch, publish analysis, or fold the bug into a broader exploit chain. The history of Windows local privilege escalation is full of bugs that moved from advisory text to proof-of-concept code to attacker tooling.
That does not mean every EoP vulnerability becomes weaponized. Many do not. But defenders cannot build policy around the hope that this one will remain obscure, especially when the advisory says the bug is confirmed, low complexity, no interaction, and capable of SYSTEM elevation.
The better reading is this: CVE-2026-40408 is unlikely to be the first item attackers reach for today, but it is exactly the sort of issue they may reach for later if patch coverage lags. For environments with strong update hygiene, the risk can be collapsed quickly. For environments that defer Windows servicing for weeks or months, the risk accumulates quietly.
This is where Microsoft’s temporal score is useful. The official fix reduces urgency compared with an unpatched, exploited zero-day. It does not reduce impact on machines that remain unpatched.
On a well-managed endpoint, standard users should have limited authority, credential exposure should be constrained, endpoint detection should have tamper protections, and lateral movement should face segmentation and identity controls. A SYSTEM-level exploit can weaken or bypass parts of that model. It may allow malware to install drivers, disable services, access protected files, dump credentials, or hide from user-mode monitoring.
On a poorly managed endpoint, the situation is worse. Local admin sprawl, stale agents, missing tamper protection, cached privileged credentials, and weak logging turn an EoP bug into a force multiplier. The exploit does not have to be elegant if the environment around it is brittle.
Servers add a different dimension. A Windows Server system often has richer local secrets, more valuable service identities, and more trust relationships than a client endpoint. Server Core systems reduce some exposure, but they are not immune to kernel-mode vulnerabilities in components that are present and serviced by the platform.
For administrators, this means CVE-2026-40408 belongs in the same triage conversation as credential hygiene and endpoint hardening. Patching is the fix for the vulnerability. Reducing the blast radius is the fix for the inevitable delay between disclosure and complete remediation.
The local nature of the vulnerability means a home PC is not suddenly exposed to drive-by remote exploitation simply because it is online. The attacker needs a way to run code or operate with low privileges on the machine first. That lowers the immediate panic level.
But home users also face malware, pirated software, fake installers, malicious browser payloads, and credential theft. Once something untrusted is running locally, a privilege escalation bug can help it dig deeper. That is why routine patching remains one of the few security habits that scales from enterprise SOCs to kitchen-table laptops.
Windows 10 users should also pay attention to support status. Microsoft’s advisory includes supported Windows 10 branches, but the broader Windows 10 lifecycle is narrowing. Running an unsupported Windows version turns every future advisory into a harder problem, because the update path becomes conditional, paid, or unavailable.
The right consumer interpretation is therefore calm urgency. This is not a reason to wipe a machine. It is a reason not to postpone the update prompt for another week.
CVE-2026-40408 fits that quieter pattern. It is not publicly disclosed, according to Microsoft. It is not known to be exploited, according to Microsoft. It has no proven public exploit in the advisory. Yet it offers a path to SYSTEM from low privileges, and that is enough to matter.
This is why mature patch management does not wait for drama. If a vulnerability affects a broad Windows estate, has high impact metrics, and has an official fix, the rational response is to deploy on a schedule measured in days, not months. The absence of active exploitation should shape sequencing, not excuse deferral.
There is also a subtle lesson in the acknowledgment. Microsoft credits a researcher listed as “hazard,” indicating coordinated vulnerability disclosure rather than public surprise. That is the system working as intended: report, validate, patch, publish. But coordinated disclosure only protects customers if customers complete the cycle.
The downstream risk is not that Microsoft buried the issue. The advisory contains the key facts. The risk is that organizations bury it themselves under the weight of too many “Important” patches competing for attention.
For teams triaging the May 2026 update cycle, this vulnerability deserves priority behind actively exploited zero-days and internet-facing remote code execution flaws, but ahead of low-impact issues that require unusual conditions or heavy user interaction. It is the kind of EoP bug that can make an otherwise contained compromise much worse.
Source: MSRC Security Update Guide - Microsoft Security Response Center
That combination is why CVE-2026-40408 deserves more attention than its “Important” label might suggest. Microsoft’s own scoring says exploitation is less likely, but it also says report confidence is confirmed, attack complexity is low, user interaction is not required, and a successful attacker could obtain SYSTEM privileges. In the Windows security calendar, those details matter more than the headline severity word.
Microsoft’s Quiet Driver Bug Has Loud Privilege Implications
There is a familiar rhythm to Patch Tuesday. Remote code execution flaws get the oxygen, zero-days get the sirens, and elevation-of-privilege bugs are too often filed under housekeeping. CVE-2026-40408 is a reminder that this hierarchy can be misleading.An elevation-of-privilege vulnerability is rarely the first door an attacker opens. It is the staircase they use after getting inside. Phishing, stolen credentials, exposed management tooling, malicious documents, abused remote access software, and browser escapes all become more dangerous when a local foothold can be converted into SYSTEM.
That is the practical significance of Microsoft’s FAQ entry: a successful exploit could grant SYSTEM privileges. In Windows terms, SYSTEM is not merely “administrator but louder.” It is the local security context used by the operating system and core services, and it can be enough to disable defenses, extract secrets, tamper with logs, persist across reboots, and move laterally depending on the surrounding environment.
The affected component named by Microsoft is the Windows WAN ARP Driver. The advisory’s executive summary describes the underlying bug class as a use-after-free in Windows kernel-mode drivers. That is a compact sentence, but it carries a long tail: memory lifetime bugs in kernel code are precisely the sort of flaws that can bridge the gap between a constrained user process and privileged execution.
Microsoft rates the maximum severity as Important rather than Critical because the attack vector is local and the attacker needs low privileges first. That is defensible under Microsoft’s severity model. It is also why defenders should read beyond the severity label.
The CVSS Vector Says “Local,” Not “Harmless”
The CVSS vector for CVE-2026-40408 is blunt: local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact across confidentiality, integrity, and availability. The resulting base score is 7.8, with a temporal score of 6.8 after accounting for Microsoft’s assessment that exploit code is unproven and an official fix exists.The most comforting field is the one that says exploitation is local. It means this is not a vulnerability that can be fired across the internet at a listening service in the usual sense. An attacker needs some foothold on the target machine before CVE-2026-40408 becomes useful.
But that local requirement should not be overread. Modern intrusions are full of local footholds. A compromised standard user account, a malicious payload running under a user context, or a post-exploitation implant with limited rights is exactly the position from which local privilege escalation bugs are valuable.
The “no user interaction” metric is also important. Microsoft is not describing a flaw that requires tricking another user into clicking through a prompt or opening a specially crafted file once the attacker is already positioned. The advisory’s scoring says exploitation can proceed at the attacker’s will, assuming the prerequisite low-privilege access exists.
The “low attack complexity” metric adds another uncomfortable note. It does not mean an exploit is already circulating, and it does not mean exploitation is trivial for every attacker. It does mean Microsoft did not score the vulnerability as dependent on fragile race conditions, uncommon configurations, or unusual environmental prerequisites beyond the attacker’s control.
Report Confidence Is the Signal Hiding in Plain Sight
The user-provided metric definition points to one of the advisory’s most important but least discussed fields: report confidence. Microsoft marks CVE-2026-40408 as confirmed. That matters because it separates a vendor-acknowledged vulnerability from a rumor, a theoretical class of weakness, or a partially understood crash.Report confidence is not a measure of exploit availability. It is a measure of confidence in the existence of the vulnerability and the credibility of the technical details. In this case, Microsoft’s “confirmed” rating means the issue is no longer merely suspected; the vendor has accepted that the vulnerable condition exists.
That distinction changes how administrators should think about urgency. A vulnerability with sketchy details and no vendor confirmation may call for monitoring and caution. A confirmed local privilege escalation flaw in a Windows kernel-mode driver calls for patch deployment planning, compatibility testing, and exposure reduction.
The interesting tension is that Microsoft also lists exploit code maturity as unproven. That is the difference between “we know the bug exists” and “we know attackers are already using it.” For defenders, those two statements produce different clocks. The first starts the patch clock; the second starts the incident-response clock.
CVE-2026-40408 is therefore not a panic item by Microsoft’s own published assessment. It is something more mundane and more common in enterprise security: a credible, patched, high-impact local bug that should be closed before it becomes a convenient link in an attack chain.
Use-After-Free Bugs Keep Returning Because Windows Still Runs on Old Assumptions
The weakness behind CVE-2026-40408 is CWE-416, use after free. In plain English, software frees a chunk of memory and later continues to use it as if it were still valid. In user-mode applications, that can cause crashes or code execution inside an app’s sandbox; in kernel-mode code, the consequences can be more severe because the vulnerable component is operating with far greater authority.Windows has accumulated decades of compatibility, drivers, legacy interfaces, and specialized networking code. That is not an indictment; it is the price of being a general-purpose operating system used everywhere from consumer laptops to industrial systems to cloud-hosted servers. But it means memory safety defects in kernel-facing components remain a recurring source of elevation-of-privilege vulnerabilities.
The WAN ARP label will sound obscure to many users, and that obscurity is part of the story. The most consequential Windows vulnerabilities are not always in the glamorous surface areas. They often live in subsystems most people never configure directly but that ship as part of the platform, wait for a specific code path, and become relevant when an attacker already has a foothold.
That is also why “I do not use that feature” is a dangerous default assumption. If a vulnerable driver or component is present, loadable, reachable through an unexpected path, or exposed through normal OS behavior, its risk is not always determined by whether an end user recognizes the name. Administrators need asset and patch data, not vibes.
Microsoft’s advisory does not publish exploit steps, and it should not. The practical takeaway is that the root cause sits in a class of bug attackers understand well, in a privilege boundary defenders care about deeply, and in an operating-system layer where successful exploitation can have broad local consequences.
The Affected List Spans the Windows Estate, Not Just the Edge Cases
The security update table for CVE-2026-40408 is broad. Microsoft lists updates for Windows 10, Windows 11, and multiple supported Windows Server generations, including Server Core variants. The fixed builds include Windows 10 21H2 and 22H2 lines, Windows 11 23H2, 24H2, 25H2, and 26H1 lines, and server releases from Windows Server 2012 through Windows Server 2025.That breadth is not unusual for a kernel-mode driver flaw, but it is operationally significant. This is not a vulnerability limited to one niche SKU or one abandoned branch. It touches the sort of mixed Windows estates many organizations actually run: current client builds, older long-lived endpoints, core servers, and machines maintained under extended servicing arrangements.
For Windows 10, the advisory includes build numbers in the 19044 and 19045 branches. For Windows 11, it includes the 22631, 26100, 26200, and 28000 branches. For server platforms, it includes builds tied to Windows Server 2012, 2012 R2, 2016, 2019, 2022, Server 2022 23H2, and Server 2025.
That is where the vulnerability becomes less of a single CVE and more of a patch-management exercise. A home user with automatic updates enabled may simply reboot and move on. A sysadmin responsible for line-of-business apps, Remote Desktop hosts, VDI pools, domain-joined laptops, and Server Core workloads has to map the advisory to real machines.
The most important phrase in the update table is not the KB number; it is “Customer Action Required.” Microsoft is telling customers that remediation is not theoretical and not entirely automatic in every environment. Someone has to make sure the relevant cumulative update, security update, monthly rollup, or hotpatch path actually lands.
Hotpatching Helps, but It Does Not Remove Accountability
The advisory includes hotpatch update entries for some modern Windows Server and Windows 11 lines. That is a useful development in Microsoft’s servicing model, especially for systems where reboot coordination is the enemy of timely patching. Hotpatching can reduce operational friction, and reduced friction often means faster security uptake.But hotpatching should not be mistaken for a magical shield. It still depends on eligibility, servicing state, deployment tooling, policy, and verification. An organization that has not built a disciplined process around update compliance can still miss a hotpatch just as surely as it can miss a cumulative update.
The presence of both security updates and security hotpatch updates in the table also reflects the transitional state of Windows servicing. Microsoft is clearly trying to make patch application less disruptive, particularly for servers. At the same time, administrators must understand which machines are on which servicing channel and which update mechanism applies.
For CVE-2026-40408, the practical workflow remains familiar. Identify affected operating-system versions, deploy the relevant update path, validate successful installation, monitor for regressions, and confirm build numbers. The format of the package may change; the discipline does not.
This is especially true for local privilege escalation vulnerabilities because delayed patching can create long windows of opportunity. Attackers do not need to exploit every machine immediately. They need one unpatched host at the right stage of an intrusion.
“Exploitation Less Likely” Is a Forecast, Not a Waiver
Microsoft’s exploitability assessment says exploitation is less likely. That is good news, but it is not the same as “do not care.” It is a probability judgment made at original publication, not a permanent property of the bug.Exploitability ratings can age poorly. A vulnerability with no known exploit on disclosure day can become a commodity technique weeks later if researchers reverse-engineer the patch, publish analysis, or fold the bug into a broader exploit chain. The history of Windows local privilege escalation is full of bugs that moved from advisory text to proof-of-concept code to attacker tooling.
That does not mean every EoP vulnerability becomes weaponized. Many do not. But defenders cannot build policy around the hope that this one will remain obscure, especially when the advisory says the bug is confirmed, low complexity, no interaction, and capable of SYSTEM elevation.
The better reading is this: CVE-2026-40408 is unlikely to be the first item attackers reach for today, but it is exactly the sort of issue they may reach for later if patch coverage lags. For environments with strong update hygiene, the risk can be collapsed quickly. For environments that defer Windows servicing for weeks or months, the risk accumulates quietly.
This is where Microsoft’s temporal score is useful. The official fix reduces urgency compared with an unpatched, exploited zero-day. It does not reduce impact on machines that remain unpatched.
The Enterprise Risk Is in the Attack Chain
Local privilege escalation bugs become most dangerous when paired with initial-access techniques. That is why security teams should not evaluate CVE-2026-40408 in isolation. The relevant question is not “Can someone on the internet exploit this unauthenticated?” but “What happens after someone lands a low-privilege foothold on one of our Windows machines?”On a well-managed endpoint, standard users should have limited authority, credential exposure should be constrained, endpoint detection should have tamper protections, and lateral movement should face segmentation and identity controls. A SYSTEM-level exploit can weaken or bypass parts of that model. It may allow malware to install drivers, disable services, access protected files, dump credentials, or hide from user-mode monitoring.
On a poorly managed endpoint, the situation is worse. Local admin sprawl, stale agents, missing tamper protection, cached privileged credentials, and weak logging turn an EoP bug into a force multiplier. The exploit does not have to be elegant if the environment around it is brittle.
Servers add a different dimension. A Windows Server system often has richer local secrets, more valuable service identities, and more trust relationships than a client endpoint. Server Core systems reduce some exposure, but they are not immune to kernel-mode vulnerabilities in components that are present and serviced by the platform.
For administrators, this means CVE-2026-40408 belongs in the same triage conversation as credential hygiene and endpoint hardening. Patching is the fix for the vulnerability. Reducing the blast radius is the fix for the inevitable delay between disclosure and complete remediation.
Home Users Should Patch, but Panic Is Unnecessary
For ordinary Windows users, the advice is simpler: install the May 2026 security updates and reboot when required. If Windows Update is enabled and functioning, this vulnerability should be handled through the normal cumulative-update flow for supported systems. Users should resist the temptation to hunt for standalone driver fixes from unofficial sources.The local nature of the vulnerability means a home PC is not suddenly exposed to drive-by remote exploitation simply because it is online. The attacker needs a way to run code or operate with low privileges on the machine first. That lowers the immediate panic level.
But home users also face malware, pirated software, fake installers, malicious browser payloads, and credential theft. Once something untrusted is running locally, a privilege escalation bug can help it dig deeper. That is why routine patching remains one of the few security habits that scales from enterprise SOCs to kitchen-table laptops.
Windows 10 users should also pay attention to support status. Microsoft’s advisory includes supported Windows 10 branches, but the broader Windows 10 lifecycle is narrowing. Running an unsupported Windows version turns every future advisory into a harder problem, because the update path becomes conditional, paid, or unavailable.
The right consumer interpretation is therefore calm urgency. This is not a reason to wipe a machine. It is a reason not to postpone the update prompt for another week.
Patch Tuesday’s Boring Bugs Are Where Real Intrusions Often Mature
The security industry has a storytelling problem. We are drawn to spectacular remote exploits, branded vulnerabilities, animated logos, and emergency out-of-band updates. Meanwhile, many real intrusions progress through quieter mechanics: stolen credentials, living-off-the-land tools, weak segmentation, and local privilege escalation bugs that never get a logo.CVE-2026-40408 fits that quieter pattern. It is not publicly disclosed, according to Microsoft. It is not known to be exploited, according to Microsoft. It has no proven public exploit in the advisory. Yet it offers a path to SYSTEM from low privileges, and that is enough to matter.
This is why mature patch management does not wait for drama. If a vulnerability affects a broad Windows estate, has high impact metrics, and has an official fix, the rational response is to deploy on a schedule measured in days, not months. The absence of active exploitation should shape sequencing, not excuse deferral.
There is also a subtle lesson in the acknowledgment. Microsoft credits a researcher listed as “hazard,” indicating coordinated vulnerability disclosure rather than public surprise. That is the system working as intended: report, validate, patch, publish. But coordinated disclosure only protects customers if customers complete the cycle.
The downstream risk is not that Microsoft buried the issue. The advisory contains the key facts. The risk is that organizations bury it themselves under the weight of too many “Important” patches competing for attention.
The WAN ARP Advisory Draws a Clear Triage Line
The concrete action plan for CVE-2026-40408 is not complicated, which is precisely why it should not be neglected. Microsoft has published fixes, the vulnerability is confirmed, and affected products span a wide range of Windows client and server builds. The harder work is not deciding whether to patch; it is proving that patching happened everywhere it needed to happen.For teams triaging the May 2026 update cycle, this vulnerability deserves priority behind actively exploited zero-days and internet-facing remote code execution flaws, but ahead of low-impact issues that require unusual conditions or heavy user interaction. It is the kind of EoP bug that can make an otherwise contained compromise much worse.
- Microsoft released CVE-2026-40408 on May 12, 2026, and rated it Important with a CVSS 3.1 base score of 7.8.
- The flaw is a use-after-free issue in Windows kernel-mode drivers associated with the Windows WAN ARP Driver.
- Exploitation requires local low-privilege access, but Microsoft’s scoring says attack complexity is low and no user interaction is required.
- Microsoft says the vulnerability was not publicly disclosed and was not known to be exploited at original publication.
- A successful attacker could gain SYSTEM privileges, which makes the bug valuable in post-compromise attack chains.
- Administrators should verify installation of the relevant May 2026 security update, monthly rollup, cumulative update, or hotpatch and confirm fixed build numbers where possible.
Source: MSRC Security Update Guide - Microsoft Security Response Center
