Windows Netlogon Stack-Based Buffer Overflow Enables Remote Code Execution
CVE-2026-41089 is a critical stack-based buffer overflow in Windows Netlogon that allows unauthenticated remote code execution. CVSS 9.8. Patch immediately.
TL;DR
- CVE-2026-41089 is a stack-based buffer overflow (CWE-121) in the Windows Netlogon service enabling unauthenticated remote code execution
- CVSS score of 9.8 (critical) with network attack vector, no privileges or user interaction required
- Affects Windows Server 2012, 2016, 2019, 2022, 2022 23H2, and 2025
- No confirmed active exploitation at the time of writing; not listed in CISA KEV
- Apply Microsoft security updates immediately per the vendor advisory
What is CVE-2026-41089?
CVE-2026-41089 is a critical stack-based buffer overflow vulnerability in the Windows Netlogon service that allows an unauthorized attacker to execute arbitrary code remotely over a network. The flaw exists because the Netlogon component fails to properly validate input length before copying data to a fixed-size stack buffer, enabling attackers to overwrite return addresses and gain control of program execution.
Who is affected?
The following Microsoft Windows Server products contain the vulnerable Netlogon component:
- Microsoft Windows Server 2012
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
- Microsoft Windows Server 2022 23H2
- Microsoft Windows Server 2025
Organizations running Active Directory domain controllers are at highest risk since Netlogon is essential for domain authentication operations. Any server with the Netlogon service exposed to untrusted networks faces potential compromise.
How severe is it?
This vulnerability carries a CVSS 3.1 base score of 9.8, placing it firmly in the critical category. The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H breaks down as follows:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | No special conditions needed |
| Privileges Required | None | Unauthenticated attack |
| User Interaction | None | No victim action required |
| Confidentiality Impact | High | Full data disclosure possible |
| Integrity Impact | High | Complete system modification |
| Availability Impact | High | Total service disruption |
The real-world impact is severe. Successful exploitation grants attackers SYSTEM-level privileges on domain controllers, potentially compromising entire Active Directory forests. Attackers could extract credentials, deploy ransomware, establish persistence, or pivot to other network systems. The combination of network accessibility and zero authentication requirements makes this vulnerability especially attractive to threat actors.
Is it being exploited?
As of the publication date, CVE-2026-41089 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. No confirmed reports of in-the-wild exploitation have been documented. However, given the critical severity score and the high value of domain controllers as targets, security teams should treat this as an urgent priority. Stack-based buffer overflows with public documentation historically attract exploit development within days to weeks of disclosure.
How to fix and mitigate it
-
Apply the official Microsoft security update immediately by following guidance in the Microsoft Security Response Center advisory. Prioritize domain controllers before other affected servers.
-
Restrict network access to the Netlogon service as a temporary measure if immediate patching is not feasible. Use Windows Firewall or network firewalls to limit RPC traffic to trusted hosts only:
# Restrict Netlogon RPC access to specific management subnets
New-NetFirewallRule -DisplayName "Restrict Netlogon Access" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 135,49152-65535 `
-RemoteAddress 10.0.0.0/8,192.168.0.0/16 `
-Action Allow
-
Implement network segmentation to isolate domain controllers from general user networks and internet-facing systems. Domain controllers should only accept connections from authorized endpoints.
-
Enable exploit protection features on Windows Server systems, including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), which can make exploitation more difficult.
-
Monitor authentication logs for anomalous Netlogon activity following patch deployment to detect potential compromise attempts that occurred before remediation.
How to detect exposure
Identify vulnerable systems and monitor for exploitation attempts using these methods:
Version verification via PowerShell:
# Check if Netlogon service is running and get OS version
Get-Service -Name Netlogon | Select-Object Status, Name
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsBuildNumber
Review Windows Security Event Logs for Netlogon-related events. Event IDs 5805, 5723, and 5719 may indicate authentication anomalies. Centralize logs in a SIEM for correlation.
Network monitoring for unusual traffic patterns to RPC endpoints (TCP 135 and dynamic high ports) can reveal scanning or exploitation attempts. Configure IDS/IPS signatures if your vendor releases detection rules for CVE-2026-41089.
Vulnerability scanning with updated plugins from tools like Nessus, Qualys, or Microsoft Defender Vulnerability Management will identify unpatched systems. Run authenticated scans for accurate detection.
EDR telemetry may capture stack-based overflow exploitation patterns. Configure alerts for anomalous process behavior originating from lsass.exe or other Netlogon-related processes.
Frequently asked questions
Does CVE-2026-41089 require authentication to exploit?
No. This vulnerability requires no authentication or user interaction. An attacker can exploit it remotely over the network without any privileges, making it particularly dangerous for internet-exposed domain controllers and servers running the Netlogon service.
Is CVE-2026-41089 the same as Zerologon?
No. While both affect the Windows Netlogon service, CVE-2026-41089 is a distinct stack-based buffer overflow vulnerability (CWE-121) with its own attack characteristics. Zerologon (CVE-2020-1472) exploited a cryptographic flaw. Different patches address each vulnerability.
Which Windows versions need patching for CVE-2026-41089?
All currently supported Windows Server versions are affected: Windows Server 2012, 2016, 2019, 2022, 2022 23H2, and 2025. Organizations should prioritize patching domain controllers first, then other servers running the Netlogon service.
Can I mitigate CVE-2026-41089 without patching immediately?
Temporary mitigations include restricting network access to the Netlogon service using firewall rules and network segmentation. However, these are stopgaps only. Apply the official Microsoft security update as soon as possible for complete protection.
References: Microsoft Security Response Center | NVD entry
