PT-2026-40234 · Microsoft · Netlogon+1

Published: 2026-05-12 · Updated: 2026-06-06 · CVE-2026-41089

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Windows Server versions prior to May 12, 2026

Description

A stack-based buffer overflow exists in the Windows Netlogon service, specifically within the MS-NRPC handler. This flaw allows an unauthenticated remote attacker to execute arbitrary code with SYSTEM-level privileges on domain controllers by sending a specially crafted network request, such as a malformed UDP or RPC packet on TCP port 445. Beyond remote code execution, the issue can also be used to trigger a denial-of-service (DoS) condition, forcing the domain controller to reboot. The Centre for Cybersecurity Belgium (CCB) has confirmed that this issue is being actively exploited in the wild.

Recommendations

Deploy the May 2026 security updates on all domain controllers. Firewall-restrict RPC and Netlogon traffic to minimize exposure. Monitor lsass.exe and the Netlogon service for anomalies. Enable Netlogon RPC sealing audit mode (Event IDs 5827, 5828, and 5829) to detect potential exploitation attempts.

Exploit · Fix · RCE · DoS · Stack Overflow

Weakness Enumeration

Related Identifiers

BDU:2026-06756
CVE-2026-41089

Affected Products

Netlogon
Windows