CVE-2026-41089 Overview
CVE-2026-41089 is a stack-based buffer overflow [CWE-121] in the Windows Netlogon service. An unauthenticated remote attacker can exploit the flaw to execute arbitrary code over the network against affected Windows Server systems. The vulnerability requires no user interaction and no prior privileges, making domain controllers and member servers exposed to the Netlogon RPC interface a direct target.
Microsoft published the advisory on 2026-05-12, and the issue affects supported Windows Server releases from 2012 through 2025. The flaw maps to CWE-121: Stack-based Buffer Overflow.
Critical Impact
Unauthenticated remote code execution against Windows Netlogon enables full compromise of domain controllers and lateral movement across the Active Directory environment.
Affected Products
- Microsoft Windows Server 2012 and 2012 R2
- Microsoft Windows Server 2016, 2019, 2022, and 2022 23H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2026-05-12 - Microsoft publishes advisory for CVE-2026-41089
- 2026-05-12 - CVE-2026-41089 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-41089
Vulnerability Analysis
Netlogon is a Windows service that authenticates users and machines in Active Directory domains and maintains the secure channel between domain members and domain controllers. The service exposes an RPC interface (\PIPE\NETLOGON and TCP endpoints) that processes authentication and replication messages from networked clients.
CVE-2026-41089 stems from a stack-based buffer overflow in Netlogon message handling. The service writes attacker-controlled data into a fixed-size stack buffer without enforcing length boundaries. An attacker who sends a crafted Netlogon request can overwrite the return address or saved registers on the stack and redirect execution into attacker-supplied shellcode or a return-oriented programming chain.
Because Netlogon runs inside lsass.exe with SYSTEM privileges on domain controllers, successful exploitation yields full control of the host, the domain credential store, and the Kerberos key material.
Root Cause
The root cause is missing bounds validation on a length or count field parsed from an inbound Netlogon RPC message. The vulnerable handler copies the field contents onto the stack using a fixed local buffer, allowing the adjacent saved frame pointer and return address to be overwritten with attacker-controlled bytes.
Attack Vector
The vulnerability is reachable over the network with no authentication and no user interaction. An attacker with network access to TCP/445 or the Netlogon RPC endpoint on a domain controller can deliver the malformed message directly. Internet-exposed Netlogon endpoints and flat internal networks without east-west segmentation are at the highest risk.
No public proof-of-concept code or in-the-wild exploitation has been reported at the time of publication. See the Microsoft Security Update Guide for CVE-2026-41089 for binary-level details.
Detection Methods for CVE-2026-41089
Indicators of Compromise
- Unexpected crashes or restarts of lsass.exe or the Netlogon service on domain controllers, often visible as Windows Error Reporting events or Event ID 1000.
- Child processes spawned by lsass.exe such as cmd.exe, powershell.exe, or rundll32.exe, which are not part of normal Netlogon operation.
- Outbound network connections originating from lsass.exe to non-domain hosts following inbound RPC traffic.
Detection Strategies
- Monitor Netlogon RPC traffic for oversized or malformed structures targeting NetrServerAuthenticate, NetrLogonSamLogon, and related opcodes.
- Correlate Windows Security and System event logs for repeated Netlogon authentication failures followed by service crashes.
- Hunt for anomalous process lineage where lsass.exe is the parent of interactive shells, scripting hosts, or LOLBins.
Monitoring Recommendations
- Enable RPC filtering and audit logging on domain controllers to capture remote calls against the Netlogon interface UUID 12345678-1234-abcd-ef00-01234567cffb.
- Forward Sysmon process creation and network connection events from all domain controllers to a central analytics platform.
- Alert on any new listener or scheduled task created within minutes of inbound SMB or RPC connections from untrusted subnets.
How to Mitigate CVE-2026-41089
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update Guide for CVE-2026-41089 to all domain controllers and Windows Server hosts running Netlogon.
- Prioritize patching of internet-facing and DMZ domain controllers, then internal domain controllers, then member servers.
- Restrict inbound TCP/445 and Netlogon RPC traffic to known administrative subnets using host and network firewalls.
Patch Information
Microsoft has released updates for all affected Windows Server versions, including Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025. The updates are distributed through Windows Update, WSUS, and the Microsoft Update Catalog. Refer to the vendor advisory for the specific KB article applicable to each operating system build.
Workarounds
- Block inbound SMB and Netlogon RPC traffic from untrusted networks at perimeter and internal firewalls until patches are deployed.
- Enforce IPsec or RPC filters to restrict Netlogon endpoint access to authenticated domain members only.
- Increase monitoring on domain controllers and isolate any host that exhibits lsass.exe instability pending forensic review.
# Example: restrict inbound Netlogon RPC to a management subnet using netsh
netsh advfirewall firewall add rule name="Restrict Netlogon RPC" \
dir=in action=block protocol=TCP localport=445 \
remoteip=any profile=domain
netsh advfirewall firewall add rule name="Allow Netlogon Admin Subnet" \
dir=in action=allow protocol=TCP localport=445 \
remoteip=10.10.0.0/24 profile=domain
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
