MEDIUM 5.5

CVE-2026-44805: Windows Network Controller Host Agent Use-After-Free DoS Vulnerability

A use-after-free vulnerability exists in Windows Network Controller Host Agent that allows a logged-in user to crash or hang the affected service, disrupting network configuration and management capabilities. The attacker must already have local user privileges on the system to exploit this flaw. While this is not currently known to be exploited in the wild, it represents a local denial-of-service risk that can render critical network infrastructure management unavailable.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-416, CWE-822
Affected products
3 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Windows Network Controller (NC) Host Agent allows an authorized attacker to deny service locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-44805 is a use-after-free memory corruption vulnerability (CWE-416, CWE-822) in the Windows Network Controller Host Agent service. The flaw occurs when the NC Host Agent fails to properly manage memory references, allowing an authenticated local attacker to trigger a reference to freed memory. This results in service crash or instability, effectively denying availability of network controller functionality. The vulnerability requires local code execution capability and user-level privileges to trigger.

Business impact

This vulnerability primarily affects availability of Network Controller management infrastructure. For organizations relying on NC Host Agent for Software Defined Networking (SDN) operations—particularly in Hyper-V and cloud environments—exploitation can disrupt network provisioning, configuration updates, and virtual network management. The impact scales with dependency on NC; smaller deployments may see limited business disruption, while large-scale SDN infrastructures could experience significant operational downtime. No data theft or privilege escalation is possible through this flaw.

Affected systems

Windows Server 2019, Windows Server 2022, and Windows Server 2025 are affected. The vulnerability is specific to systems running the Network Controller Host Agent service. Server installations without NC Host Agent deployed are not vulnerable. Verify your Server SKU configuration and whether NC components are active in your environment; this flaw does not affect client Windows operating systems or Server editions not explicitly listed.

Exploitability

Exploitability is limited by high privilege barriers. An attacker must have interactive local access and valid user credentials (non-administrative) to trigger the vulnerability. Remote exploitation is not possible. There is no known public exploit or active exploitation in the wild. The CVSS 3.1 score of 5.5 (Medium) reflects these constraints: low attack surface, local vector only, and high privilege requirement. The impact is denial of service only—no confidentiality or integrity breach occurs.

Remediation

Apply the relevant Windows Server security updates released by Microsoft for June 2026 or later. Verify the patch dates against Microsoft's official security bulletin to confirm you are installing the correct build. Additionally, restrict local user access to systems running NC Host Agent to authorized personnel only. Implement network segmentation to reduce the blast radius if local compromise occurs. Monitor for service crashes or restarts of the Network Controller Host Agent service as a potential compromise indicator.

Patch guidance

Consult Microsoft's official security bulletin and KB articles corresponding to the June 2026 release cycle for Windows Server 2019, 2022, and 2025. Patch deployment should be coordinated with change management processes, particularly in production SDN environments where service restart may be required. Test patches in a staging environment first to verify compatibility with existing Network Controller configurations. Verify the patched version explicitly addresses CWE-416 in the NC Host Agent component before deploying to production.

Detection guidance

Monitor Windows Event Viewer for abnormal terminations or hangs of the Network Controller Host Agent service (svchost.exe hosting nchost service). Set up alerting on repeated Service failures within short time windows. Audit local user logons to NC-hosting servers and correlate with NC Host Agent service crashes. Review process execution logs for local user activity preceding service failures. Network teams should also monitor for unexpected network configuration changes or failed policy application, which may indicate service unavailability due to exploitation.

Why prioritize this

While this vulnerability carries a Medium CVSS score, prioritization depends on your infrastructure profile. Organizations with extensive Software Defined Networking deployments, Hyper-V clusters, or cloud-scale environments where NC Host Agent is critical should prioritize this patch within 30 days. Organizations with minimal SDN footprint or no Network Controller deployment can defer patching but should still plan rollout within 60 days as part of regular maintenance cycles. The lack of current wild exploitation reduces urgency, but the availability impact to network management warrants timely remediation.

Risk score, explained

The CVSS 3.1 score of 5.5 (Medium) reflects: local attack vector with low complexity; requirement for user-level privileges; no confidentiality or integrity impact; and high availability impact. The score appropriately weights the denial-of-service nature of the flaw while acknowledging the privilege barrier that limits practical exploitation. However, contextual risk may be higher in SDN-dependent environments where NC unavailability has cascading operational consequences. Assess within your own risk tolerance and network architecture.

Frequently asked questions

Does this vulnerability affect Windows 10, Windows 11, or client operating systems?

No. This vulnerability is specific to Windows Server 2019, 2022, and 2025 editions running the Network Controller Host Agent service. Client versions of Windows do not include NC Host Agent and are not affected.

Can this vulnerability be exploited remotely or does it require physical access?

The flaw requires local, authenticated access only. The attacker must have valid user credentials and interactive logon capability on the affected Server. Physical presence is not strictly necessary if remote desktop or similar local access mechanisms are available, but network-only remote exploitation is not possible.

Will patching this vulnerability require downtime or service restart?

Patching typically requires a system restart as part of the Windows Server cumulative update process. Plan patching during maintenance windows and coordinate with teams managing Network Controller fabric to minimize disruption to SDN operations. Test in pre-production first to confirm restart impact on your environment.

What happens if I do not patch this vulnerability immediately?

Risk depends on your deployment model. If NC Host Agent is not in use, risk is minimal. If it is in active use, you face potential availability disruption from local users who can trigger the use-after-free condition. The lack of current wild exploitation means this is not an emergency, but patch within 30–60 days as part of normal security maintenance.

This analysis is provided for informational purposes. Verify all patch versions, vendor advisories, and affected product details against official Microsoft security bulletins before deploying patches. Security decisions should align with your organization's risk management framework and network architecture. No exploit code or weaponized proof-of-concept is provided. Consult your vendor documentation and internal security teams before making deployment decisions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).