Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45648

CVE-2026-45648: Active Directory Buffer Overflow Flaw

CVE-2026-45648 is a stack-based buffer overflow vulnerability in Active Directory Domain Services that enables authorized attackers to execute arbitrary code remotely. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-45648 Overview

CVE-2026-45648 is a stack-based buffer overflow vulnerability [CWE-121] in Microsoft Active Directory Domain Services (AD DS). An authorized attacker with low-level privileges can send crafted network traffic to a domain controller and trigger memory corruption on the stack. Successful exploitation leads to arbitrary code execution in the context of the AD DS process. Because AD DS underpins enterprise authentication and directory operations, compromise of a domain controller through this flaw exposes the entire identity tier of the affected forest.

Critical Impact

An authenticated network attacker can execute arbitrary code on a domain controller, resulting in full compromise of confidentiality, integrity, and availability of Active Directory.

Affected Products

  • Microsoft Active Directory Domain Services
  • Windows Server installations operating the AD DS role
  • Refer to the Microsoft CVE-2026-45648 Update Guide for the authoritative list of affected builds

Discovery Timeline

  • 2026-06-09 - CVE-2026-45648 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-45648

Vulnerability Analysis

The flaw is a stack-based buffer overflow inside Active Directory Domain Services. AD DS handles directory protocol traffic from authenticated principals across the network. When the service processes a crafted request, a fixed-size stack buffer receives more data than it was allocated to hold. The overflowing bytes overwrite adjacent stack memory, including saved return addresses and control structures. An attacker who shapes the input precisely can redirect execution into attacker-controlled code. The attack requires low privileges and no user interaction, and it executes over the network against a domain controller. Code execution occurs in the security context of the AD DS process, which runs with high privilege on the controller.

Root Cause

The root cause is missing or insufficient bounds checking on attacker-controlled input copied into a stack-allocated buffer inside the AD DS request handler. This matches the [CWE-121] stack-based buffer overflow pattern. The handler trusts the size or structure of a network-supplied field and performs a copy without validating that the destination buffer can hold the data.

Attack Vector

The attack vector is network-based against the AD DS service on a domain controller. The attacker must already hold valid credentials in the directory, even at a low privilege level. From an authenticated session, the attacker delivers a malformed directory request that triggers the overflow. No user interaction is required. Successful exploitation yields code execution on the targeted controller, providing a direct path to domain dominance through credential theft, ticket forgery, and replication abuse.

No public proof-of-concept or in-the-wild exploitation has been reported for CVE-2026-45648 at the time of writing. The EPSS data indicates a low near-term exploitation probability, but the impact on Active Directory warrants priority remediation. See the Microsoft CVE-2026-45648 Update Guide for vendor technical details.

Detection Methods for CVE-2026-45648

Indicators of Compromise

  • Unexpected crashes or restarts of the lsass.exe or AD DS-related services on domain controllers, often visible as Windows Error Reporting events.
  • New or anomalous child processes spawned by AD DS-hosting processes on a domain controller.
  • Outbound network connections from domain controllers to unfamiliar hosts following directory protocol activity.
  • Sudden creation of privileged accounts, group membership changes, or replication requests originating from low-privilege accounts.

Detection Strategies

  • Hunt for low-privileged authenticated sessions issuing malformed or oversized LDAP, RPC, or directory replication requests to domain controllers.
  • Correlate AD DS service crash events with subsequent code execution artifacts such as new services, scheduled tasks, or LSASS memory access.
  • Baseline normal authenticated directory traffic and alert on protocol anomalies, unusually large request fields, or non-standard client behavior.

Monitoring Recommendations

  • Forward Windows Security, System, and Directory Service event logs from all domain controllers to a centralized analytics platform for retention and correlation.
  • Enable command-line and process-creation auditing on domain controllers and alert on any process spawned by AD DS-hosting binaries.
  • Monitor for Event ID 1000 and 1001 application crashes referencing AD DS components and treat repeated crashes as potential exploitation attempts.

How to Mitigate CVE-2026-45648

Immediate Actions Required

  • Apply the Microsoft security update for CVE-2026-45648 to every domain controller in scope, prioritizing forest root and privileged-tier controllers.
  • Inventory all servers running the AD DS role and confirm patch status through configuration management or vulnerability scanning.
  • Review and reduce the population of accounts able to authenticate to domain controllers, applying tier-zero administration practices.
  • Rotate credentials and review domain controller integrity if any indicators of exploitation are observed.

Patch Information

Microsoft has published guidance and updates through the Microsoft CVE-2026-45648 Update Guide. Administrators should consult the update guide for the specific KB articles and build numbers that apply to their Windows Server versions and install the updates on all domain controllers.

Workarounds

  • No vendor-supplied workaround replaces the patch; apply the security update as the primary remediation.
  • Restrict network reachability of domain controllers to required management and member systems using host and network firewalls.
  • Enforce strong authentication, MFA for administrative access, and just-in-time elevation to limit the pool of accounts that could exploit the flaw.
  • Segment tier-zero assets so that compromise of a workstation or member server does not provide direct authenticated network paths to AD DS.
bash
# Verify installed updates on a domain controller and confirm AD DS service state
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 20
Get-Service -Name NTDS, Netlogon, KDC | Format-Table -AutoSize

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.