A use‑after‑free flaw exists in the Windows TCP/IP stack that can be triggered by an unauthenticated network attacker to read memory of the affected system. This bug maps to CWE‑416, indicating a memory control error where a deallocated pointer is still referenced, which may lead to disclosure of sensitive data that the operating system should protect. The direct consequence is that confidential information can leak through the network without requiring any credentials or privileged access.

The vulnerability affects multiple Microsoft Windows releases. It is present in Windows 10 versions 1607, 1809, 21H2, and 22 H2; Windows 11 versions 23 H2, 24 H2, 25 H2, 22 H3, and 26 H1; and all Windows Server editions from Server 2012 and Server 2012 R2 through Server 2025, including their core installations. Devices running any of these operating systems rely on the same TCP/IP stack components that have been rectified by Microsoft’s recent cumulative security update.

With a CVSS score of 7.5 the flaw carries medium‑to‑high risk once exploited, and the absence of an EPSS value suggests the current probability of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, indicating no known wild attacks yet. Attackers would need network access to send specially crafted packets to the vulnerable stack, and because the flaw is accessible without authentication, it could expose sensitive data to any host that can reach the affected device on the network.