Summary

A critical vulnerability, CVE-2026-41089, has been identified in the Windows Netlogon service, posing a severe risk to Active Directory environments. This stack-based buffer overflow vulnerability allows unauthenticated remote attackers to execute arbitrary code with SYSTEM-level privileges on domain controllers. With a CVSS score of 9.8, it is actively being exploited in the wild, making it imperative for organizations to prioritize patching and implement robust monitoring and detection strategies.

Affected Systems and/or Applications

The vulnerability affects all supported versions of Windows Server configured as domain controllers, including: - Windows Server 2012 and 2012 R2 - Windows Server 2016 (all builds prior to 10.0.14393.9140) - Windows Server 2019 (all builds prior to 10.0.17763.8755) - Windows Server 2022 (all builds prior to 10.0.20348.5074) - Windows Server 2022 23H2 (all builds prior to 10.0.25398.2330) - Windows Server 2025 (all builds prior to 10.0.26100.32772)

Technical Details

CVE-2026-41089 is a stack-based buffer overflow vulnerability in the NetrServerAuthenticate3 function of the Netlogon Remote Protocol. The flaw arises from improper input validation of the ComputerName parameter, allowing attackers to send a specially crafted RPC request that overflows the stack buffer. This can lead to arbitrary code execution with SYSTEM privileges, enabling attackers to disable security controls, dump credential databases, and potentially compromise the entire Active Directory domain.

Mitigation

1. Immediate Patching: Apply the May 2026 Patch Tuesday security update from Microsoft to all affected Windows Server versions. This is the only complete mitigation for CVE-2026-41089.
2. Manual PowerShell Verification: Audit domain controllers to ensure they are patched.‍

$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
foreach ($DC in $DomainControllers) {
    $session = New-CimSession -ComputerName $DC
    $hotfix = Get-CimInstance -CimSession $session -ClassName Win32_QuickFixEngineering | Where-Object { $_.HotFixID -like "MAY2026" -or $_.Description -like "KB5012345" }
    if ($hotfix) {
        Write-Host "[+] $DC : Patched" -ForegroundColor Green
    } else {
        Write-Host "[!] $DC : Vulnerable - Immediate action required!" -ForegroundColor Red
    }
}

1. Network Segmentation: Restrict network access to domain controllers, ensuring that only authorized systems can communicate with Netlogon over relevant ports (TCP 135, 445, and dynamic RPC ports 49152-65535).
2. Defense-in-Depth: Strengthen identity protection and network segmentation, enforce the principle of least privilege, and enable Windows Defender Credential Guard to isolate sensitive processes.

References

• https://app.opencve.io/cve/CVE-2026-41089
• https://nvd.nist.gov/vuln/detail/CVE-2026-41089

‍