On July 14, 2026, Microsoft released its monthly security updates, and among the fixes is a patch for a vulnerability that should make every IT administrator sit up and take notice. CVE-2026-40378 is a denial-of-service flaw in the Windows Local Security Authority Subsystem Service (LSASS) that can be triggered remotely, without authentication, potentially crashing domain controllers and disrupting authentication across an entire organisation.
What Is CVE-2026-40378 and How Does It Work?
LSASS is not just another Windows process; it's the gatekeeper for authentication. It enforces security policies, handles password changes, creates access tokens, and supports Active Directory, Kerberos, and NTLM. An unauthenticated attacker can exploit CVE-2026-40378 by sending a specially crafted request over the network, causing LSASS to allocate an excessive amount of memory—what Microsoft describes as CWE-789, Memory Allocation with Excessive Size Value. The service then crashes or becomes unresponsive, triggering system shutdowns or restarts.
Microsoft rates this vulnerability with a CVSS 3.1 score of 7.5 (High). The vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, confirms the grim simplicity: it's network-exploitable, requires no privileges or user interaction, and has low attack complexity. The impact is solely on availability—there's no breach of confidentiality or integrity. But for domain controllers, that's more than enough to cause a major outage.
Who Is Affected? The Long List of Windows Versions
This isn't an edge-case bug. CVE-2026-40378 affects a broad sweep of Windows releases, both client and server. Microsoft's advisory lists the following affected builds:
- Windows 10 version 1607 builds earlier than 14393.9339
- Windows 10 version 1809 builds earlier than 17763.9020
- Windows 10 version 21H2 builds earlier than 19044.7548
- Windows 10 version 22H2 builds earlier than 19045.7548
- Windows 11 version 23H2 builds earlier than 22631.7376
- Windows 11 version 24H2 builds earlier than 26100.8875
- Windows 11 version 25H2 builds earlier than 26200.8875
- Windows 11 version 26H1 builds earlier than 28000.2269
On the server side, the vulnerability hits Windows Server 2012, 2016, 2019, 2022, and 2025, including Server Core installations. That's a lot of ground to cover, especially in environments where legacy servers still run critical identity and line-of-business workloads.
Why This Patch Matters More Than a Typical DoS
A denial-of-service bug that crashes LSASS is not like a browser tab freezing. On a domain controller, it can halt user logons, interrupt Kerberos ticket issuance, break LDAP queries, and disrupt any service that relies on Active Directory. Even if an attack only succeeds against a single DC, the ripple effects can cascade through trust relationships, Group Policy processing, and replicated directories. The fix, therefore, is not just about stability—it's about ensuring the authentication backbone of your network stays upright.
How We Got Here: The Patch Tuesday Cycle and LSASS's History
CVE-2026-40378 arrived in the routine July 2026 Patch Tuesday batch. LSASS has long been a prized target, but historically attackers have focused on credential dumping (think Mimikatz) or privilege escalation. This bug is different: it's a pure availability play, requiring no foothold on the target. The memory allocation flaw is reminiscent of other dangerous bug classes, such as the \"heartbleed\" over-read in OpenSSL, though here it's about writing too much memory rather than reading it. As of disclosure, Microsoft and CISA confirmed no active exploitation or public proof-of-concept, but the automatable nature of the attack—as noted in CISA's enrichment—raises the urgency. It's a vulnerability that attackers can weaponise quickly once details leak.
What You Should Do Right Now
For most Windows users, the remedy is simple: install the July 2026 cumulative update through Windows Update and verify your build number matches the fixed version for your OS. For IT administrators, however, the patch must be deployed with additional care.
Prioritise domain controllers and authentication servers. These systems are the prime targets. Deploy the update in a test environment first, and rigorously validate authentication-dependent workloads: Kerberos logons, NTLM-dependent applications, LDAP(S) connections, certificate-based authentication, and cross-forest/domain trusts. Don't just test that Windows restarts; verify that authentication actually works.
Check Active Directory health. Confirm that every important site has at least two functional domain controllers and DNS servers. Monitor replication, time synchronisation, and SYSVOL state before and after patching. Keep reliable system-state backups handy—a DoS attack might not steal data, but it could corrupt replication if it hits during a critical operation.
Verify compliance by build number. If you use WSUS, Configuration Manager, Intune, or a third-party patch tool, run reports that compare OS builds against Microsoft's fixed builds (e.g., 10.0.22631.7376 for Windows 11 23H2). A missing update might not signal failure if it's approved but not installed; your endpoint's build tells the real story.
Home and small business users can simply let Windows Update do its job. There's no extra configuration needed—just restart when prompted.
The Bigger Picture: Network Segmentation and Defense-in-Depth
Patching is the priority, but network design can limit the blast radius. Segment networks so that guest, VPN, wireless, and less-trusted devices cannot initiate arbitrary authentication traffic toward domain controllers. Blocking all but necessary ports on DCs—such as 88 (Kerberos), 389/636 (LDAP/LDAPS), and 135/445 (RPC/SMB), appropriately scoped—forces attackers to find a bridgehead. The vulnerability is network-exploitable, but Microsoft hasn't detailed which specific service or protocol vector is needed. So, you can't yet deploy a surgical firewall rule. That makes the patch a must, but segmentation remains a valuable secondary barrier.
Outlook: Keep an Eye on Exploit Activity
No public exploits exist today, but the clock is ticking. Security researchers often reverse-engineer patches, and a proof-of-concept could appear within days or weeks. CVE-2026-40378's attributes—remote, unauthenticated, low complexity—make it appealing for automated attacks. Watch for alerts from Microsoft's Security Response Center and CISA's Known Exploited Vulnerabilities catalog. If exploitation begins, you'll want to already be patched. The time to act is now.