An incorrect calculation of buffer size in the Windows TCP/IP stack enables an attacker with authorized access to send crafted packets over an adjacent network, causing the target system to experience a service interruption. The flaw is a classic buffer size miscalculation (CWE‑131) that leads to resource exhaustion or a crash of the networking components, disrupting connectivity for legitimate users.

Microsoft Windows 10 21H2 and 22H2, Windows 11 23H2, 24H2, 25H2, 26H1, Windows Server 2022, and Windows Server 2025 (including Server Core installations).

The CVSS score of 5.7 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited to date exploitation activity. The likely attack vector is a local authorized user delivering malicious traffic on a nearby network segment; the vulnerability does not appear to allow remote exploitation from the internet without local privileges. Based on the description, the exploit path requires the attacker to have valid credentials or local access to the compromised device, after which crafted packets can trigger the DoS condition.