CVE-2026-21243: Windows Server 2019 LDAP DOS Vulnerability

CVE-2026-21243 Overview

CVE-2026-21243 is a Null Pointer Dereference vulnerability affecting Windows LDAP (Lightweight Directory Access Protocol) that allows an unauthorized attacker to cause a denial of service over a network. This vulnerability poses a significant risk to enterprise environments relying on Active Directory and LDAP services for authentication and directory lookups.

Critical Impact

Unauthorized remote attackers can disrupt critical LDAP services on Windows Server systems without requiring authentication, potentially causing widespread authentication failures and directory service outages across the enterprise.

Affected Products

• Microsoft Windows Server 2019
• Microsoft Windows Server 2022
• Microsoft Windows Server 2022 23H2
• Microsoft Windows Server 2025

Discovery Timeline

• 2026-02-10 - CVE-2026-21243 published to NVD
• 2026-02-11 - Last updated in NVD database

Technical Details for CVE-2026-21243

Vulnerability Analysis

This vulnerability stems from improper handling of certain LDAP requests in the Windows LDAP service, resulting in a null pointer dereference condition (CWE-476). When the LDAP service receives specially crafted network requests, it attempts to access memory through a null pointer, causing the service to crash. The vulnerability requires no authentication and can be exploited remotely over the network with low attack complexity.

The impact is limited to service availability—there is no compromise of data confidentiality or integrity. However, given the critical role LDAP plays in Windows domain environments for authentication and authorization, a successful exploitation could cascade into broader service disruptions affecting domain-joined systems.

Root Cause

The root cause is a null pointer dereference (CWE-476) in the Windows LDAP service. This occurs when the LDAP service fails to properly validate input or internal state before dereferencing a pointer that may be null. When a malformed or specially crafted LDAP request triggers this code path, the service attempts to access memory at address zero, resulting in an access violation that terminates the LDAP service process.

Attack Vector

The attack vector is network-based, allowing remote exploitation without authentication. An attacker with network access to the LDAP service (typically TCP port 389 for LDAP or port 636 for LDAPS) can send malformed LDAP requests designed to trigger the null pointer dereference condition.

The exploitation scenario involves:

1. Identifying Windows Server systems running LDAP services exposed on the network
2. Crafting malicious LDAP requests that trigger the vulnerable code path
3. Sending these requests to cause the LDAP service to crash
4. Potentially repeating the attack to maintain denial of service conditions

No proof-of-concept exploits are publicly available at this time, and the vulnerability is not currently being exploited in the wild.

Detection Methods for CVE-2026-21243

Indicators of Compromise

• Unexpected LDAP service crashes or restarts on Domain Controllers
• Windows Event Log entries indicating lsass.exe or LDAP-related service failures
• Unusual volume of malformed LDAP requests in network traffic logs
• Multiple authentication failures across domain-joined systems coinciding with LDAP service disruptions

Detection Strategies

• Monitor Windows Event Logs for Event ID 1000 (Application Error) and Event ID 7031 (Service Control Manager) related to LDAP or lsass.exe crashes
• Implement network intrusion detection rules to identify anomalous LDAP traffic patterns targeting TCP ports 389 and 636
• Deploy endpoint detection to monitor for process crashes in lsass.exe and related LDAP service components
• Configure alerting on rapid service restarts for Active Directory Domain Services

Monitoring Recommendations

• Enable verbose logging for LDAP diagnostics via HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
• Implement network traffic analysis for LDAP protocol anomalies
• Monitor Domain Controller health metrics including service availability and crash counters
• Configure SIEM correlation rules to detect patterns indicative of DoS attacks against LDAP services

How to Mitigate CVE-2026-21243

Immediate Actions Required

• Apply the February 2026 security update from Microsoft to all affected Windows Server systems
• Prioritize patching Domain Controllers and systems providing LDAP services
• Restrict network access to LDAP ports (389, 636) to only authorized systems using firewall rules
• Monitor LDAP service health closely until patches are deployed

Patch Information

Microsoft has released a security update addressing this vulnerability. Administrators should apply the appropriate cumulative update for their Windows Server version. Detailed patch information and download links are available in the Microsoft Security Response Center advisory.

Workarounds

• Implement network segmentation to limit exposure of LDAP services to trusted networks only
• Configure Windows Firewall to restrict inbound connections to LDAP ports from untrusted sources
• Deploy load balancing or failover configurations for LDAP services to maintain availability during potential attacks
• Consider implementing LDAP signing and channel binding as additional security hardening measures

# Windows Firewall rule to restrict LDAP access to trusted subnet
netsh advfirewall firewall add rule name="Restrict LDAP Access" dir=in action=allow protocol=tcp localport=389 remoteip=10.0.0.0/8
netsh advfirewall firewall add rule name="Block External LDAP" dir=in action=block protocol=tcp localport=389