CVE-2026-40378
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-40378, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Microsoft Corporation

Description

Memory allocation with excessive size value in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
microsoft windows_local_security_authority_subsystem_service *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-40378 is a vulnerability in the Windows Local Security Authority Subsystem Service (LSASS). It involves improper memory allocation where an excessive size value is used. This flaw allows an unauthorized attacker to send a crafted request over a network, causing the LSASS service to allocate an overly large amount of memory, leading to a denial of service (DoS) condition.

The vulnerability does not require any privileges or user interaction to exploit, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The attack can be executed remotely, making it a significant risk for systems running the affected service.

Impact Analysis

This vulnerability can impact you in the following ways:

  • Denial of Service (DoS): An attacker can exploit this flaw to crash the LSASS service, which is critical for authentication and security policies on Windows systems. This can lead to system instability or unavailability, disrupting operations.
  • Network-based attack: Since the vulnerability can be exploited over a network, systems exposed to untrusted networks (e.g., the internet) are at higher risk. An attacker does not need physical access or local credentials to trigger the exploit.
  • Potential for broader disruption: If the LSASS service crashes, it may cause other dependent services to fail, leading to cascading effects on system functionality, including login failures or loss of access to network resources.
Compliance Impact

This vulnerability may affect compliance with common standards and regulations in the following ways:

  • GDPR: Under the General Data Protection Regulation (GDPR), organizations must ensure the availability and resilience of processing systems and services. A denial of service vulnerability that disrupts system availability could lead to non-compliance, especially if it affects the processing of personal data. Organizations may need to demonstrate that they have mitigated such risks to avoid potential penalties.
  • HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). A DoS vulnerability that disrupts access to systems handling ePHI could violate HIPAA's Security Rule, which mandates safeguards against such threats.
  • Other standards: Compliance frameworks like ISO 27001, NIST SP 800-53, or PCI DSS emphasize the importance of system availability and protection against DoS attacks. Failure to address this vulnerability could result in non-compliance with these standards, potentially leading to audit failures or loss of certification.

Organizations should assess the risk posed by this vulnerability and apply patches or mitigations promptly to maintain compliance with applicable regulations.

Detection Guidance

The provided context does not include specific detection methods or commands for identifying this vulnerability on a network or system. Detection typically involves monitoring for unusual memory allocation patterns or abnormal LSASS service behavior, but no explicit tools or commands are mentioned.

To detect potential exploitation attempts, you may consider using network monitoring tools to observe unusual traffic targeting the LSASS service or system logs for signs of service disruption. However, the exact detection methodology is not detailed in the available resources.

Mitigation Strategies

The provided context does not specify immediate mitigation steps for this vulnerability. However, based on the nature of the issue (a denial-of-service vulnerability in LSASS), general best practices include:

  • Apply the official security update or patch provided by Microsoft as soon as it is available. Refer to the Microsoft Security Response Center (MSRC) for the latest updates.
  • Restrict network access to systems running the LSASS service to trusted sources only, if feasible.
  • Monitor systems for unusual memory allocation patterns or service crashes that may indicate exploitation attempts.
  • Review and apply any workarounds or mitigations recommended by Microsoft in their advisory for CVE-2026-40378.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40378. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart