CVE-2026-26155 Overview
CVE-2026-26155 is an information disclosure vulnerability in the Microsoft Local Security Authority Subsystem Service (LSASS). The flaw is classified under CWE-126 (Buffer Over-read) and allows an authenticated attacker on the network to retrieve sensitive memory contents from the LSASS process. LSASS handles authentication, security policy enforcement, and credential storage on Windows hosts, making any disclosure of its memory a high-value target for credential theft and lateral movement.
Microsoft published the advisory on April 14, 2026, covering supported Windows 10, Windows 11, and Windows Server releases.
Critical Impact
An authenticated remote attacker can read sensitive data from LSASS memory, exposing credential material and authentication artifacts that enable follow-on intrusion activity.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and ARM64
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and ARM64
- Microsoft Windows Server 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-04-14 - CVE-2026-26155 published to NVD
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-26155
Vulnerability Analysis
The vulnerability resides in LSASS (lsass.exe), the user-mode process that brokers authentication and stores credential material for interactive and network logons. LSASS exposes Local Procedure Call (LPC) and authentication interfaces reachable through Windows authentication protocols. A flaw in input parsing causes the service to read beyond the intended buffer boundary and return that adjacent memory to the caller.
Because LSASS holds cached credentials, Kerberos tickets, NTLM hashes, and session keys, even partial memory disclosure can yield material that an attacker reuses against other systems. The issue impacts confidentiality only, but the data class it exposes makes it a useful precursor to credential-based attacks.
Root Cause
The root cause is a buffer over-read (CWE-126) in LSASS request handling. The affected code path computes or trusts a length field without validating it against the actual size of the source buffer. When the service copies or returns data using that incorrect length, it includes adjacent process memory in the response.
Attack Vector
Exploitation requires network access and valid low-privilege credentials. The attacker sends a crafted authentication or RPC request to a vulnerable Windows endpoint or domain member. No user interaction is required, and the attack does not modify state on the target. The attacker receives portions of LSASS memory in the response and parses them offline for credential artifacts.
No verified proof-of-concept code is publicly available. The vulnerability mechanism is described in prose only, because no public code examples exist at the time of writing. See the Microsoft CVE-2026-26155 Advisory for vendor-supplied technical context.
Detection Methods for CVE-2026-26155
Indicators of Compromise
- Unexpected authentication or RPC traffic to lsass.exe originating from low-privilege accounts on internal hosts.
- Repeated malformed authentication requests against domain controllers or member servers from the same source.
- Anomalous handle opens to lsass.exe followed by outbound traffic carrying credential-like artifacts.
Detection Strategies
- Monitor Windows Security event IDs 4624, 4625, and 4673 for unusual authentication patterns tied to a single source account.
- Inspect RPC and SMB traffic for malformed authentication payloads targeting domain controllers and identity infrastructure.
- Correlate any read access to LSASS memory with subsequent use of the same credentials from a different host within a short time window.
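The two event-based strategies above (repeated 4625 failures from one source account and IP, and successful 4624 logons for the same account from a second host shortly afterwards) as an added Python example that is not part of this advisory. The event records are constructed samples with a reduced field set, and the threshold of five failures inside a two-minute window is an assumption to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(eid, t, user, ip):
    """Build one constructed Security-log record (EventID, time, account, source IP)."""
    return {"EventID": eid, "Time": datetime.fromisoformat(t), "User": user, "Ip": ip}

# Constructed sample telemetry (not real data): 4625 = logon failure, 4624 = logon success.
SAMPLE_EVENTS = [
    ev(4625, "2026-04-15T09:00:01", "svc-backup", "10.0.5.20"),
    ev(4625, "2026-04-15T09:00:03", "svc-backup", "10.0.5.20"),
    ev(4625, "2026-04-15T09:00:05", "svc-backup", "10.0.5.20"),
    ev(4625, "2026-04-15T09:00:09", "svc-backup", "10.0.5.20"),
    ev(4625, "2026-04-15T09:00:12", "svc-backup", "10.0.5.20"),
    ev(4625, "2026-04-15T09:01:40", "alice", "10.0.3.11"),  # single typo, benign
    ev(4624, "2026-04-15T09:02:00", "alice", "10.0.3.11"),
    ev(4624, "2026-04-15T09:05:00", "jdoe", "10.0.5.20"),
    ev(4624, "2026-04-15T09:05:45", "jdoe", "10.0.7.8"),    # same account, second host, 45 s later
]

def failure_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """(account, source IP) pairs with >= threshold 4625 events inside one sliding window."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_source[(e["User"], e["Ip"])].append(e["Time"])
    flagged = set()
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

def multi_host_logons(events, window=timedelta(minutes=2)):
    """Accounts whose successful 4624 logons come from two different source IPs inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624:
            by_user[e["User"]].append((e["Time"], e["Ip"]))
    flagged = set()
    for user, logons in by_user.items():
        logons.sort()
        for i, (t_i, ip_i) in enumerate(logons):
            for t_j, ip_j in logons[i + 1:]:
                if t_j - t_i > window:
                    break
                if ip_j != ip_i:
                    flagged.add(user)
    return flagged
```

Running `failure_bursts(SAMPLE_EVENTS)` flags the svc-backup source and `multi_host_logons(SAMPLE_EVENTS)` flags jdoe; alice's single failure followed by a success from the same host produces no alert.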
Monitoring Recommendations
- Enable LSASS Protected Process Light (PPL) and audit any process attempting to access lsass.exe memory.
- Forward authentication telemetry from domain controllers and member servers to a centralized analytics platform for anomaly detection.
- Track patch deployment state across all Windows 10, Windows 11, and Windows Server systems listed in the advisory.
How to Mitigate CVE-2026-26155
Immediate Actions Required
- Apply the April 2026 Microsoft security updates referenced in the Microsoft CVE-2026-26155 Advisory to all affected Windows 10, Windows 11, and Windows Server systems.
- Prioritize domain controllers, identity servers, and any host that authenticates privileged accounts.
- Rotate credentials and Kerberos krbtgt keys if exploitation is suspected on identity infrastructure.
Patch Information
Microsoft addressed CVE-2026-26155 in the April 14, 2026 cumulative updates. Patch packages are distributed through Windows Update, WSUS, and the Microsoft Update Catalog. Refer to the Microsoft CVE-2026-26155 Advisory for the specific KB articles per Windows build.
Workarounds
- Enforce LSASS as a Protected Process Light (PPL) using the RunAsPPL registry value to limit memory access by non-protected processes.
- Restrict inbound RPC and SMB exposure on workstations and member servers to trusted management subnets only.
- Require strong authentication and limit low-privilege account reach to identity infrastructure to reduce the pool of accounts capable of triggering the flaw.
# Enable LSA protection (PPL) on Windows hosts
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
# Reboot required for the setting to take effect
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.