PT-2026-40234 · Microsoft · Netlogon+1

Published 2026-05-12 · Updated 2026-06-02 · CVE-2026-41089

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Windows Server versions prior to May 12, 2026

Description

A stack-based buffer overflow exists in the Windows Netlogon service, specifically within the MS-NRPC handler. This flaw allows an unauthenticated remote attacker to execute arbitrary code with SYSTEM-level privileges on servers configured as domain controllers. The issue is triggered by sending a specially crafted Netlogon RPC packet over TCP port 445 or a crafted UDP packet to the CLDAP DC-locator port (UDP/389), which causes memory corruption in the lsass.exe process. This can lead to a system reboot or full remote code execution. The Center for Cybersecurity Belgium (CCB) has confirmed that this issue is being actively exploited in the wild.

Recommendations

Apply the Microsoft security updates released on May 12, 2026. Firewall-restrict RPC and Netlogon traffic to minimize exposure. Monitor the lsass.exe process and Netlogon service for anomalies. Monitor for malformed UDP traffic directed at port 389 on domain controllers.

Exploit · Fix · RCE · DoS · Stack Overflow

Weakness Enumeration

Related Identifiers

BDU:2026-06756
CVE-2026-41089

Affected Products

Netlogon
Windows