CVE-2026-42914 Overview
CVE-2026-42914 is a denial of service vulnerability in Windows Kerberos. Microsoft published the advisory on June 9, 2026. The flaw maps to [CWE-125], an out-of-bounds read condition in the Kerberos authentication subsystem. An authenticated attacker can send crafted Kerberos traffic over the network to disrupt the availability of the targeted service.
The vulnerability carries a CVSS 3.1 score of 5.3 and an EPSS probability of 0.061%. No public exploit is available, and CISA has not listed the issue in its Known Exploited Vulnerabilities catalog.
Critical Impact
A low-privileged remote attacker can trigger an out-of-bounds read in Windows Kerberos, causing a denial of service against the authentication service.
Affected Products
- Microsoft Windows (Kerberos component) — see the Microsoft advisory for specific build coverage
- Windows Server installations exposing Kerberos authentication
- Domain controllers running affected Windows builds
Discovery Timeline
- 2026-06-09 - CVE-2026-42914 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-42914
Vulnerability Analysis
The vulnerability resides in the Windows Kerberos implementation, the Microsoft component that handles Kerberos authentication for domain logons, service tickets, and delegation. The issue is classified as an out-of-bounds read [CWE-125]. When the Kerberos service parses a malformed authentication message, it reads memory outside the bounds of an intended buffer. This read triggers an unhandled condition that terminates or destabilizes the Kerberos service.
The attack vector is network-based and requires low privileges, meaning the attacker must already hold valid credentials or session context. No user interaction is required. The scope is unchanged, and impact is limited to availability. Confidentiality and integrity are not affected. High attack complexity reflects timing or state conditions the attacker must satisfy to reliably trigger the out-of-bounds read.
Root Cause
The root cause is improper bounds checking in the Kerberos message parser. The component dereferences a length or offset field from attacker-controlled input without validating that the resulting read remains within the allocated buffer. The out-of-bounds read disrupts service execution.
Attack Vector
An authenticated attacker with network access to a Kerberos endpoint, typically TCP/UDP port 88 on a domain controller, sends a specially crafted Kerberos request. The malformed request forces the parser into the out-of-bounds read path. Repeated requests can sustain denial of service against authentication, preventing domain logons and service ticket issuance.
No verified public proof-of-concept exists. Refer to the Microsoft Security Update CVE-2026-42914 advisory for vendor-supplied technical detail.
Detection Methods for CVE-2026-42914
Indicators of Compromise
- Unexpected termination or restart of the Kerberos Key Distribution Center (kdcsvc) service on domain controllers
- Spikes in failed Kerberos authentication events such as Event ID 4771 with unusual failure codes
- Bursts of malformed Kerberos AS-REQ or TGS-REQ traffic to port 88 from a single source
Detection Strategies
- Monitor domain controller availability and Kerberos service health with synthetic authentication probes
- Inspect Kerberos protocol traffic for malformed ASN.1 structures or oversized length fields using network detection tooling
- Correlate Windows System log service crash events with concurrent inbound Kerberos traffic patterns
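The Root Cause section above describes a parser that trusts a length field without checking it against the buffer, and the second detection strategy asks for oversized length fields to be flagged on the wire. The following is an added example, not Microsoft's code and not from the advisory: a minimal DER tag-length-value walker that performs exactly that check on Kerberos-style PDUs. The message skeletons at the bottom are constructed, and the walker assumes single-byte tags, which covers the APPLICATION and context tags Kerberos uses.

```python
# Added example (not Microsoft code, not from the advisory): a DER TLV walker
# that validates every length field against the bytes remaining in the
# enclosing element. Kerberos messages are DER-encoded ASN.1, so a parser that
# omits this check is the CWE-125 pattern described above; the same check
# doubles as a network detection rule for oversized length fields.
from dataclasses import dataclass

# Kerberos APPLICATION tags (RFC 4120) in their single-byte DER encoding.
KRB_MSG_TYPES = {0x6A: "AS-REQ", 0x6B: "AS-REP", 0x6C: "TGS-REQ",
                 0x6D: "TGS-REP", 0x6E: "AP-REQ", 0x6F: "AP-REP", 0x7E: "KRB-ERROR"}


@dataclass
class Finding:
    offset: int   # offset of the element whose length field is bad
    reason: str


def read_length(buf, pos, end):
    """Decode a DER length at buf[pos] without reading past `end`.
    Returns (length, position of the first value byte)."""
    if pos >= end:
        raise ValueError(f"length byte missing at offset {pos}")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one byte, 0..127
        return first, pos
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4:
        raise ValueError(f"unsupported long-form length with {n} octets at offset {pos - 1}")
    if pos + n > end:
        raise ValueError(f"length octets truncated at offset {pos}")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def walk_der(buf, pos=0, end=None, findings=None):
    """Walk the TLVs in buf[pos:end] (single-byte tags assumed) and record every
    length that would carry a read past the enclosing element."""
    if end is None:
        end = len(buf)
    if findings is None:
        findings = []
    while pos < end:
        tag_pos = pos
        tag = buf[pos]
        pos += 1
        try:
            length, pos = read_length(buf, pos, end)
        except ValueError as exc:
            findings.append(Finding(tag_pos, str(exc)))
            return findings
        # The bounds check an unsafe parser omits: the value must fit in what is left.
        if length > end - pos:
            findings.append(Finding(tag_pos, f"length {length} exceeds {end - pos} remaining bytes"))
            return findings
        if tag & 0x20:                    # constructed element: recurse into the value
            walk_der(buf, pos, pos + length, findings)
        pos += length
    return findings


def check_kerberos_pdu(buf):
    """Classify a Kerberos PDU by its outer tag and validate its DER framing.
    Returns (message type or None, list of findings)."""
    msg_type = KRB_MSG_TYPES.get(buf[0]) if buf else None
    return msg_type, walk_der(buf)


# Constructed sample PDUs (skeletons, not captures): [APPLICATION 10] SEQUENCE
# { [1] INTEGER 5 (pvno), [2] INTEGER 10 (msg-type) }, the opening of an AS-REQ.
_BODY = b"\xa1\x03\x02\x01\x05" + b"\xa2\x03\x02\x01\x0a"
GOOD_AS_REQ = b"\x6a\x0c" + b"\x30\x0a" + _BODY
# Same message with the pvno element's length field inflated from 3 to 127.
INFLATED_INNER = b"\x6a\x0c" + b"\x30\x0a" + b"\xa1\x7f\x02\x01\x05" + b"\xa2\x03\x02\x01\x0a"
# Outer length claims 4 GiB of content behind a 6-byte datagram.
HUGE_OUTER = b"\x6a\x84\xff\xff\xff\xff"

if __name__ == "__main__":
    for name, pdu in [("good", GOOD_AS_REQ), ("inflated", INFLATED_INNER), ("huge", HUGE_OUTER)]:
        kind, findings = check_kerberos_pdu(pdu)
        print(name, kind, findings or "framing OK")
```

The walker stops at the first bad length in an element rather than clamping and continuing, which is the behaviour a defensive parser wants: once a length field is inconsistent with the enclosing element, nothing after it can be trusted, and the offset of the offending element is what a network sensor should log.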
Monitoring Recommendations
- Alert on repeated restarts of the Kdc or Netlogon services within short time windows
- Track authentication latency and failure rates per domain controller and flag deviations from baseline
- Ingest domain controller security and system logs into a centralized analytics platform for cross-host correlation
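The indicators and monitoring recommendations above amount to three checks: repeated Kdc restarts in a short window, per-domain-controller spikes in Event ID 4771 against a baseline, and correlation of a service crash with the port-88 traffic that preceded it. The following is an added example, not from the advisory or from any Microsoft tooling, that implements those checks over constructed event and flow records; the record layout, host names, addresses and the use of Event ID 7034 for the unexpected termination are assumptions made for the example.

```python
# Added example (not from the advisory or Microsoft tooling): three detection
# checks over constructed Windows event and flow records implementing the
# indicators and monitoring recommendations above.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

EPOCH = datetime(2026, 1, 1)   # reference point for time buckets


def _ts(s):
    return datetime.fromisoformat(s)


def _auth_failures(host, start, count, client, code, step=timedelta(seconds=1)):
    """Constructed helper: emit `count` Event ID 4771 records one `step` apart."""
    t0 = _ts(start)
    return [{"ts": (t0 + i * step).isoformat(), "host": host, "event_id": 4771,
             "failure_code": code, "client": client} for i in range(count)]


# Constructed telemetry (not real logs): two domain controllers; DC01 sees a
# burst of pre-authentication failures (0x18) followed by two Kdc crashes.
EVENTS = (
    _auth_failures("DC01", "2026-06-10T09:00:10", 2, "10.0.5.17", "0x18")
    + _auth_failures("DC01", "2026-06-10T09:01:20", 1, "10.0.5.18", "0x12")
    + _auth_failures("DC01", "2026-06-10T09:02:05", 2, "10.0.5.17", "0x18")
    + _auth_failures("DC02", "2026-06-10T09:00:40", 1, "10.0.6.9", "0x18")
    + _auth_failures("DC02", "2026-06-10T09:03:15", 1, "10.0.6.9", "0x18")
    + _auth_failures("DC01", "2026-06-10T09:04:00", 40, "10.0.5.77", "0x18")
    + [{"ts": "2026-06-10T09:05:30", "host": "DC01", "event_id": 7034, "service": "Kdc"},
       {"ts": "2026-06-10T09:12:10", "host": "DC01", "event_id": 7034, "service": "Kdc"}]
)
FLOWS = [  # constructed flow records toward port 88
    {"ts": "2026-06-10T09:00:12", "src": "10.0.5.17", "dst": "DC01", "dport": 88},
    {"ts": "2026-06-10T09:04:50", "src": "10.0.5.77", "dst": "DC01", "dport": 88},
    {"ts": "2026-06-10T09:05:00", "src": "10.0.5.77", "dst": "DC01", "dport": 88},
    {"ts": "2026-06-10T09:05:10", "src": "10.0.5.77", "dst": "DC01", "dport": 88},
    {"ts": "2026-06-10T09:05:12", "src": "10.0.6.9", "dst": "DC02", "dport": 88},
    {"ts": "2026-06-10T09:11:45", "src": "10.0.5.77", "dst": "DC01", "dport": 88},
]


def service_restart_bursts(events, service="Kdc", window=timedelta(minutes=10), threshold=2):
    """Hosts on which `service` terminated unexpectedly (Event ID 7034) at least
    `threshold` times inside some `window`; returns {host: max count in a window}."""
    crashes = defaultdict(list)
    for e in events:
        if e["event_id"] == 7034 and e.get("service") == service:
            crashes[e["host"]].append(_ts(e["ts"]))
    flagged = {}
    for host, times in crashes.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= threshold:
            flagged[host] = best
    return flagged


def auth_failure_spikes(events, bucket=timedelta(minutes=1), factor=5, min_count=10):
    """Count 4771 events per host per bucket and flag buckets whose count is at
    least `factor` times the median of that host's other buckets (and >= min_count)."""
    buckets = defaultdict(lambda: defaultdict(list))   # host -> bucket index -> events
    for e in events:
        if e["event_id"] == 4771:
            buckets[e["host"]][int((_ts(e["ts"]) - EPOCH) / bucket)].append(e)
    spikes = []
    for host, per_bucket in buckets.items():
        counts = {idx: len(evs) for idx, evs in per_bucket.items()}
        for idx, n in counts.items():
            others = [c for j, c in counts.items() if j != idx]
            baseline = max(1.0, median(others)) if others else 1.0
            if n >= min_count and n >= factor * baseline:
                evs = per_bucket[idx]
                spikes.append({
                    "host": host, "bucket_start": (EPOCH + idx * bucket).isoformat(), "count": n,
                    "top_failure_code": Counter(e["failure_code"] for e in evs).most_common(1)[0][0],
                    "top_client": Counter(e["client"] for e in evs).most_common(1)[0][0]})
    return spikes


def crash_traffic_correlation(events, flows, service="Kdc", lookback=timedelta(seconds=60)):
    """For each unexpected `service` termination, the sources that sent port-88
    traffic to that host during the `lookback` interval before the crash."""
    results = []
    for e in events:
        if e["event_id"] != 7034 or e.get("service") != service:
            continue
        crash_at = _ts(e["ts"])
        sources = Counter(f["src"] for f in flows
                          if f["dst"] == e["host"] and f["dport"] == 88
                          and crash_at - lookback <= _ts(f["ts"]) <= crash_at)
        results.append({"host": e["host"], "ts": e["ts"], "sources": dict(sources)})
    return results


if __name__ == "__main__":
    print("restart bursts:", service_restart_bursts(EVENTS))
    for s in auth_failure_spikes(EVENTS):
        print("4771 spike:", s)
    for c in crash_traffic_correlation(EVENTS, FLOWS):
        print("crash correlation:", c)
```

The spike check compares each bucket against the median of the same host's other buckets rather than a fixed number, so a busy domain controller and a quiet one get their own baselines; the `min_count` floor stops a host with a near-zero baseline from alerting on a handful of ordinary failures. In a real pipeline the three functions would read from the SIEM's normalized event and flow tables instead of the constructed lists here.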
How to Mitigate CVE-2026-42914
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-42914 to all domain controllers and Windows hosts that service Kerberos requests
- Prioritize patching internet-exposed or partner-facing systems that accept Kerberos traffic
- Verify domain controller redundancy so a single service disruption does not halt authentication across the environment
Patch Information
Microsoft has published a security update for CVE-2026-42914 through the Microsoft Security Response Center. Administrators should consult the Microsoft Security Update CVE-2026-42914 guide for the specific KB articles and build numbers that address the issue in each supported Windows version.
Workarounds
- Restrict network access to Kerberos endpoints (TCP/UDP 88) to trusted subnets and authenticated administrative networks
- Enforce strong credential hygiene to reduce the pool of low-privileged accounts that could send crafted Kerberos messages
- Configure rate limiting or anomaly detection on perimeter and east-west traffic to authentication services
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


