CVE Vulnerability Database

CVE-2026-42903: Windows 10 1607 Kerberos DOS Vulnerability

CVE-2026-42903 is a denial of service flaw in the Kerberos component of Windows 10 1607 caused by a null pointer dereference. Authorized attackers can exploit it to disrupt authentication services. This article covers technical details, impact, and mitigation.

CVE-2026-42903 Overview

CVE-2026-42903 is a null pointer dereference vulnerability [CWE-476] in the Windows Kerberos authentication component. An authenticated attacker can send crafted network requests that cause the Kerberos service to dereference a null pointer, resulting in a denial of service condition. The flaw affects a broad range of Microsoft Windows client and server releases, including Windows 10, Windows 11, and Windows Server editions from 2012 through 2025. Microsoft published the advisory on June 9, 2026 and tracks the issue at medium severity.

Critical Impact

An authorized network attacker can crash the Kerberos service, disrupting authentication across an Active Directory environment and preventing users from logging in to domain resources.

Affected Products

  • Microsoft Windows 10 (1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1)
  • Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025

Discovery Timeline

  • 2026-06-09 - CVE-2026-42903 published to NVD
  • 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2026-42903

Vulnerability Analysis

The vulnerability resides in the Windows Kerberos implementation, the component responsible for ticket-based authentication in Active Directory environments. Kerberos processes a range of network messages including AS-REQ, TGS-REQ, and AP-REQ exchanges. During message handling, a code path fails to validate that a required pointer is non-null before dereferencing it. When an authenticated attacker submits a request that triggers this path, the resulting access violation terminates the Kerberos service or crashes the host process.

Because Kerberos is foundational to domain authentication, an outage of this service prevents new logons, ticket issuance, and service-to-service authentication across an enterprise. The vulnerability impacts availability only, with no loss of confidentiality or integrity. Attackers require valid network credentials but no elevated privileges.

Root Cause

The root cause is missing null-check validation [CWE-476] on a pointer used during Kerberos message processing. The affected code path assumes the structure or field is populated by an earlier parsing step. A crafted request leaves the field unset, and the subsequent dereference triggers a fault that terminates execution.

Attack Vector

Exploitation occurs over the network against TCP/UDP port 88, the standard Kerberos service port on domain controllers. The attacker must hold valid credentials to initiate authenticated Kerberos exchanges. No user interaction is required. The Exploit Prediction Scoring System (EPSS) currently lists this CVE at a low probability of exploitation, and no public proof-of-concept code has been observed.

The vulnerability is described in prose because no verified exploit code is publicly available. See the Microsoft CVE-2026-42903 Advisory for vendor-supplied technical context.

Detection Methods for CVE-2026-42903

Indicators of Compromise

  • Unexpected termination or repeated restarts of the lsass.exe process, which hosts the Kerberos authentication services on domain controllers.
  • Windows Event Log entries indicating Kerberos Key Distribution Center (KDC) service failures, including Event IDs in the System and Security logs related to LSASS crashes.
  • Spikes in failed authentication events across domain-joined endpoints correlating with KDC outages.

Detection Strategies

  • Monitor domain controllers for process crashes, service restarts, and Kerberos KDC availability gaps.
  • Correlate authentication failure surges across multiple endpoints with KDC service state changes to distinguish exploitation from routine outages.
  • Inspect inbound traffic to port 88 for malformed or anomalous Kerberos message structures originating from authenticated but non-administrative accounts.

Monitoring Recommendations

  • Enable Kerberos operational logging on domain controllers and forward events to a centralized SIEM for correlation.
  • Alert on repeated LSASS crashes within short time windows, which can indicate active exploitation attempts.
  • Track ticket issuance volumes and latency to detect degradation of the KDC service.
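As an added example (not part of the original advisory), the two alerting rules above expressed as code: flag a domain controller whose lsass.exe crashes repeat inside a short window, and mark each crash with whether a surge of authentication failures on distinct endpoints followed it, so that routine outages can be told apart from something worth investigating. The event record shape, host names, window sizes and thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); the (UTC timestamp, host, kind) shape is an assumption.
# kind is "lsass_crash" for a DC process crash or "auth_failure" for a failed logon on an endpoint.
EVENTS = [
    ("2026-06-10T09:00:05", "DC01", "lsass_crash"),
    ("2026-06-10T09:00:40", "WS-07", "auth_failure"),
    ("2026-06-10T09:01:10", "WS-12", "auth_failure"),
    ("2026-06-10T09:01:55", "WS-31", "auth_failure"),
    ("2026-06-10T09:04:20", "DC01", "lsass_crash"),
    ("2026-06-10T13:30:00", "DC02", "lsass_crash"),  # isolated crash with no surge: routine outage
    ("2026-06-10T13:31:00", "WS-40", "auth_failure"),
]
CRASH_WINDOW, CRASH_THRESHOLD = timedelta(minutes=10), 2  # repeated-crash rule (assumed values)
AUTH_WINDOW, AUTH_THRESHOLD = timedelta(minutes=5), 3     # distinct endpoints failing after a crash

def parse(events):
    # Parse timestamps and sort chronologically so the sliding window below is a single pass.
    return sorted((datetime.fromisoformat(ts), host, kind) for ts, host, kind in events)

def repeated_crashes(events, window=CRASH_WINDOW, threshold=CRASH_THRESHOLD):
    """Map each DC to the largest number of lsass crashes seen inside any one sliding window."""
    by_host = defaultdict(list)
    for ts, host, _ in (e for e in events if e[2] == "lsass_crash"):
        by_host[host].append(ts)
    flagged = {}
    for host, times in by_host.items():  # already chronological because parse() sorted events
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = max(flagged.get(host, 0), end - start + 1)
    return flagged

def auth_surge_after(events, crash_ts, window=AUTH_WINDOW, threshold=AUTH_THRESHOLD):
    """True when at least `threshold` distinct endpoints report failures within `window` after a crash."""
    hit = {h for ts, h, k in events if k == "auth_failure" and crash_ts <= ts <= crash_ts + window}
    return len(hit) >= threshold

def correlate(raw_events=EVENTS):
    """One alert per DC crash: did crashes repeat on that DC, and did an endpoint failure surge follow?"""
    events = parse(raw_events)
    repeats = repeated_crashes(events)
    return [{"dc": h, "at": ts.isoformat(), "repeated": h in repeats, "auth_surge": auth_surge_after(events, ts)}
            for ts, h, k in events if k == "lsass_crash"]
```

In a SIEM the same two rules would run as scheduled searches over forwarded domain controller and endpoint events, with the thresholds tuned to the environment's baseline crash and logon-failure rates.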

How to Mitigate CVE-2026-42903

Immediate Actions Required

  • Apply the security update referenced in the Microsoft CVE-2026-42903 Advisory to all affected Windows client and server systems.
  • Prioritize patching of domain controllers, which host the Kerberos KDC and are the primary attack surface.
  • Audit accounts with network access to domain controllers and revoke unused or stale credentials.

Patch Information

Microsoft has released security updates addressing CVE-2026-42903. Refer to the Microsoft Security Response Center advisory for the specific KB articles and update packages for each supported Windows version. Administrators should validate patches in a staging environment and deploy through Windows Update, WSUS, or Microsoft Endpoint Configuration Manager.

Workarounds

  • Restrict network access to Kerberos port 88 on domain controllers using host-based firewalls or network segmentation, limiting reachability to required client subnets.
  • Enforce strong authentication and conditional access policies to reduce the pool of accounts that can reach the KDC.
  • Maintain redundant domain controllers across sites so that a single KDC outage does not interrupt authentication across the environment.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
