CVE-2026-41089: Windows Netlogon Patch, IOCs, Detection, and Mitigation Guide
The patch for CVE-2026-41089 has been available since May 12, 2026. Active exploitation was confirmed 20 days later. This part covers exactly what the patch fixes at the code level, how to verify patch status across your domain controllers, what IOCs to hunt for, and the detection and mitigation controls that matter most.
The Patch: What Microsoft Actually Fixed
The May 2026 Patch Tuesday update introduces a bounded replacement for the vulnerable string-writing function inside netlogon.dll. The fix is gated behind a feature flag, meaning it can be audited precisely in patched vs. unpatched binary comparisons.
Technical Nature of the Fix
| Component | Before Patch | After Patch |
|---|---|---|
| Feature flag | Not present | Feature_404993339 introduced in netlogon.dll |
| Vulnerable function | NetpLogonPutUnicodeString - no output buffer size parameter; performs unbounded character-by-character writes into a 528-byte stack buffer | Replaced by bounded version using RtlStringCbCopyExW with a byte-count budget rather than a character count |
| Error handling | None - write proceeds regardless of input length | Returns DWORD error code: 0 = success, 87 = ERROR_INVALID_PARAMETER; caller aborts on any non-zero return |
| Buffer initialization | Stack buffer uninitialized on entry | NlGetLocalPingResponse now zero-initializes the 528-byte stack buffer when feature flag is active |
| Legacy path | Only path available | NetpLogonPutUnicodeStringOld preserved behind the feature flag for diff comparison only; not reachable in normal execution |
In plain terms: the old function wrote characters into a fixed buffer until it was done, with no awareness of how large the buffer was. The new function is told the buffer size upfront and stops writing when it reaches the limit, returning an error instead of overflowing into adjacent stack memory.
Patched netlogon.dll SHA-256: A59733767285859FC3F982C46EA9C1173F4BF025D1569C03B4D137B55132B2DB

Use this hash to verify the patched binary is deployed on domain controllers. Any DC returning a different hash for netlogon.dll should be treated as unpatched until confirmed otherwise.
Patch Coverage by Windows Server Version
| Product | Patched Build | Patch Channel | KB / Reference |
|---|---|---|---|
| Windows Server 2012 / 2012 R2 | ESU patch required | ESU - WSUS / Microsoft Update Catalog | ESU enrollment required; KB listed in MSRC advisory |
| Windows Server 2016 | 10.0.14393.9140 | Windows Update / WSUS / Update Catalog | KB5089549 |
| Windows Server 2019 | 10.0.17763.8755 | Windows Update / WSUS / Update Catalog | KB5089549 |
| Windows Server 2022 | 10.0.20348.5074 | Windows Update / WSUS / Update Catalog | KB5089549 |
| Windows Server 2022 23H2 | 10.0.25398.2330 | Windows Update / WSUS / Update Catalog | KB5089549 |
| Windows Server 2025 | 10.0.26100.32772 | Windows Update / WSUS / Update Catalog | KB5089549 |
| Windows Server 2008 R2 (EoL) | No official patch | 0patch micropatch (Acros Security) | One-instruction fix: mov edx, 0x40 halves max username length, preventing overflow |
Verify Patch Status on a Domain Controller
```powershell
# Method 1 - Check KB installation (wmic is deprecated on current Windows; Get-HotFix is the PowerShell equivalent)
wmic qfe get HotFixID | findstr KB5089549
Get-HotFix -Id KB5089549

# Method 2 - Check OS build number (Settings > About, or PowerShell)
# Note: OSVersion.Version reports the revision as 0, so it cannot confirm the
# patched UBR (e.g. 17763.8755); read the UBR from the registry as well.
[System.Environment]::OSVersion.Version
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

# Method 3 - Verify netlogon.dll hash directly
Get-FileHash C:\Windows\System32\netlogon.dll -Algorithm SHA256
# Expected patched hash: A59733767285859FC3F982C46EA9C1173F4BF025D1569C03B4D137B55132B2DB

# Method 4 - Check file version
(Get-Item C:\Windows\System32\netlogon.dll).VersionInfo.FileVersion
```
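Once the per-DC facts (full build string with UBR, installed hotfixes, netlogon.dll hash) have been collected, the decision of which DCs are confirmed patched is easy to get wrong: the UBR must be compared numerically and only within the same Windows Server line, and a hash that differs from the one published above is a reason to investigate rather than proof the DC is unpatched, since a different build line legitimately produces a different binary. The following script is an added example, not code from the original guide. The patched builds, KB number and hash are taken from the tables above; the DcRecord shape, the status names and the sample inventory are this example's own assumptions and constructed data.

```python
"""Patch-status triage for CVE-2026-41089 across a domain controller inventory.

Added example, not code from the original guide. It consumes inventory records
an administrator has already collected from each DC (full OS build string
including the UBR, installed hotfix IDs, netlogon.dll SHA-256) and decides
whether the DC is confirmed patched. Build comparison is done per Windows
Server line: the third version component identifies the line (14393 = Server
2016, 17763 = Server 2019, ...) and only the fourth component (UBR) is compared
numerically within that line. Patched builds, KB and hash come from the guide's
tables; the inventory records are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PATCH_KB = "KB5089549"

# Minimum patched build per Windows Server line (from the guide's table),
# keyed by the third version component that identifies the line.
PATCHED_BUILDS = {
    14393: (10, 0, 14393, 9140),   # Windows Server 2016
    17763: (10, 0, 17763, 8755),   # Windows Server 2019
    20348: (10, 0, 20348, 5074),   # Windows Server 2022
    25398: (10, 0, 25398, 2330),   # Windows Server 2022 23H2
    26100: (10, 0, 26100, 32772),  # Windows Server 2025
}

# The only patched-binary hash the guide publishes. A mismatch is treated as
# "investigate" rather than "unpatched", because a binary from a different
# build line legitimately hashes differently.
KNOWN_PATCHED_HASH = "A59733767285859FC3F982C46EA9C1173F4BF025D1569C03B4D137B55132B2DB"


@dataclass
class DcRecord:
    name: str
    os_build: str            # e.g. "10.0.17763.8755"; must include the UBR
    hotfixes: List[str]      # HotFixID values as reported by the DC
    netlogon_sha256: str     # SHA-256 of C:\Windows\System32\netlogon.dll


def parse_build(build: str) -> Tuple[int, int, int, int]:
    parts = [int(p) for p in build.split(".")]
    if len(parts) != 4:
        raise ValueError(f"build string needs four components (with UBR), got {build!r}")
    return parts[0], parts[1], parts[2], parts[3]


def build_is_patched(build: str) -> Optional[bool]:
    """True/False for the Server lines in PATCHED_BUILDS; None for any other
    line (Server 2012 R2 ESU, Server 2008 R2), which needs manual handling."""
    major, minor, line, ubr = parse_build(build)
    expected = PATCHED_BUILDS.get(line)
    if expected is None or (major, minor) != expected[:2]:
        return None
    return ubr >= expected[3]


def assess(dc: DcRecord) -> Tuple[str, str]:
    """Return (status, reason); status is PATCHED, UNPATCHED or INVESTIGATE."""
    by_build = build_is_patched(dc.os_build)
    has_kb = PATCH_KB in {k.upper() for k in dc.hotfixes}
    hash_ok = dc.netlogon_sha256.upper() == KNOWN_PATCHED_HASH
    if by_build is None:
        return "INVESTIGATE", f"{dc.os_build} is not a mainstream Server line; confirm ESU or 0patch coverage"
    if not by_build:
        return "UNPATCHED", f"build {dc.os_build} is below the patched build for its line"
    if not has_kb:
        return "INVESTIGATE", f"build looks patched but {PATCH_KB} is not in the hotfix list"
    if not hash_ok:
        return "INVESTIGATE", "build and KB present but netlogon.dll hash differs from the published value"
    return "PATCHED", "build, KB and netlogon.dll hash all confirm the update"


def unpatched_report(inventory: List[DcRecord]) -> List[Tuple[str, str, str]]:
    """Every DC not confirmed patched, as (name, status, reason), worst first."""
    order = {"UNPATCHED": 0, "INVESTIGATE": 1}
    rows = [(dc.name, *assess(dc)) for dc in inventory]
    return sorted((r for r in rows if r[1] != "PATCHED"), key=lambda r: order[r[1]])


# Constructed sample inventory; hostnames, builds and hashes are not real data.
SAMPLE_INVENTORY = [
    DcRecord("DC01", "10.0.17763.8755", ["KB5089549"], KNOWN_PATCHED_HASH),
    DcRecord("DC02", "10.0.17763.8201", [], "0" * 64),             # below patched UBR
    DcRecord("DC03", "10.0.20348.5074", ["KB5089549"], "0" * 64),  # hash differs
    DcRecord("DC04", "6.3.9600.22000", ["KB5089549"], "0" * 64),   # Server 2012 R2 line
]

if __name__ == "__main__":
    for name, status, reason in unpatched_report(SAMPLE_INVENTORY):
        print(f"{name}: {status} - {reason}")
```

The report deliberately lists anything that is not fully confirmed, so a DC whose build is right but whose KB or hash could not be verified still shows up for a human to close out, which matches the guidance that one missed DC invalidates the remediation.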
Workarounds for Systems That Cannot Immediately Patch
These controls reduce exploitability while patches are being tested and deployed. They are not substitutes for patching - they are temporary risk reducers for environments with patch testing cycles or legacy systems.
| Control | What It Does | Effectiveness |
|---|---|---|
| Block inbound UDP 389 at perimeter | Prevents external attackers from reaching DC CLDAP service entirely | High - eliminates external attack surface; does not protect against internal attacker |
| Restrict UDP 389 to trusted subnets | Windows Firewall / Advanced Security rules limiting CLDAP access to domain-joined subnets and management hosts only | High - limits blast radius if an internal host is compromised |
| IPsec policy on Netlogon endpoints | Requires authenticated IPsec SA before Netlogon RPC endpoints are accessible | Medium - operational overhead; may break some legitimate DC locator scenarios |
| Network micro-segmentation | Enforce zone boundaries so no host outside a DC management subnet can reach DCs on UDP 389, TCP 445, or Netlogon RPC ports | High - reduces east-west exposure; requires SDN or firewall policy enforcement |
| 0patch micropatch (EoL systems only) | Applies one-instruction runtime fix to netlogon.dll in memory without rebooting; prevents overflow by halving maximum username length | Medium - effective for Server 2008 R2 with no vendor patch available |
| Enable Netlogon debug logging | Captures all CLDAP requests and response details to %windir%\debug\netlogon.log | Detection only - not a prevention control; run immediately on all unpatched DCs |
```
# Enable Netlogon debug logging on all domain controllers
nltest /dbflag:0x2080ffff

# Log output path
%windir%\debug\netlogon.log
%windir%\debug\netlogon.bak

# Disable after patching to avoid log volume overhead
nltest /dbflag:0x0
```
Indicators of Compromise (IOCs)
No infrastructure IOCs (attacker IPs, C2 domains, campaign-specific file hashes) have been publicly released by CCB or any threat intelligence source as of June 2, 2026. The available IOCs are behavioral and signature-based, focused on the crash condition and the network-level exploit trigger.
Network-Level IOCs
| Indicator | Description | Signal Strength |
|---|---|---|
| CLDAP SearchRequest (UDP 389) with User filter attribute > 100 bytes | Normal DC locator pings use short usernames or omit the User attribute entirely. Values over 100 bytes are anomalous and directly match the exploit trigger condition. | High |
| CLDAP SearchRequest with NtVer = 0x02 0x00 0x00 0x00 | Legitimate DC locator clients set NtVer=6, which routes through the safe BuildSamLogonResponseEx path. This specific value forces the vulnerable legacy code path. | High |
| Single-packet UDP 389 to DC with no response received | If the DC does not respond to a CLDAP ping that was previously answered, LSASS has likely crashed. Correlate with subsequent DC reboot event. | Medium - requires baseline of normal DC response behavior |
| Anomalous RPC/SMB traffic to DCs from non-domain-member source IPs | Follow-on activity after a successful DoS or RCE attempt. Non-domain-member hosts should not be initiating Netlogon or SMB sessions to DCs. | Medium |
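The two high-strength network indicators in the table are both properties of the LDAP filter inside a CLDAP SearchRequest, so they can be checked offline against whatever an NDR or packet parser has already exported. The script below is an added example, not code from the original guide or from any vendor tool. It assumes each UDP/389 SearchRequest has been exported as a record carrying the filter in RFC 4515 string form (with \xx hex escapes for binary bytes), which is an assumption about the export format; the record field names and the sample records are constructed. The User value is measured in bytes after unescaping, because the indicator is a byte count, not a character count.

```python
"""Flag CLDAP DC locator pings that match the two network-level indicators
from the guide: a User filter attribute longer than 100 bytes, and
NtVer = 0x02 0x00 0x00 0x00 (the value that selects the legacy response path).

Added example, not code from the original guide. It assumes an NDR or packet
parser has already exported each UDP/389 SearchRequest as a record carrying
the LDAP filter in RFC 4515 string form (\\xx hex escapes for binary bytes);
the sample records below are constructed. Lengths are measured in bytes after
unescaping, because the indicator is a byte count, not a character count.
"""
import re
from typing import Dict, List

# One assertion "(attr=value)" inside a filter; values cannot contain parentheses.
ITEM_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")
# RFC 4515 escape: backslash followed by two hex digits.
ESC_RE = re.compile(r"\\([0-9A-Fa-f]{2})")

USER_LEN_THRESHOLD = 100                 # bytes; from the guide's IOC table
LEGACY_NTVER = b"\x02\x00\x00\x00"       # value that forces the legacy code path


def decode_filter_value(value: str) -> bytes:
    """Turn an RFC 4515 assertion value back into the raw bytes on the wire."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(value):
        out += value[pos:m.start()].encode("utf-8")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += value[pos:].encode("utf-8")
    return bytes(out)


def parse_cldap_filter(filter_text: str) -> Dict[str, bytes]:
    """Map lower-cased attribute names to decoded values (LDAP attribute
    names are case-insensitive, so 'User' and 'user' are the same attribute)."""
    return {attr.lower(): decode_filter_value(val)
            for attr, val in ITEM_RE.findall(filter_text)}


def classify(record: Dict[str, object]) -> List[str]:
    """Return the indicator names a single CLDAP SearchRequest record matches."""
    # The indicator is scoped to CLDAP (UDP 389); other transports are out of scope here.
    if record.get("proto") != "udp" or record.get("dst_port") != 389:
        return []
    attrs = parse_cldap_filter(str(record["filter"]))
    hits = []
    user = attrs.get("user")
    if user is not None and len(user) > USER_LEN_THRESHOLD:
        hits.append("user_attribute_over_100_bytes")
    if attrs.get("ntver") == LEGACY_NTVER:
        hits.append("ntver_02000000_legacy_path")
    return hits


def triage(records):
    """Return (src, dst, hits) for every record that matches at least one indicator."""
    out = []
    for r in records:
        hits = classify(r)
        if hits:
            out.append((r["src"], r["dst"], hits))
    return out


# Constructed sample records (RFC 5737 documentation addresses, not real hosts).
SAMPLE_RECORDS = [
    {   # ordinary locator ping: short User (5 bytes once unescaped), NtVer=6
        "src": "192.0.2.10", "dst": "192.0.2.1", "proto": "udp", "dst_port": 389,
        "filter": r"(&(DnsDomain=corp.example.test)(Host=WS01)(User=J\c3\b6rg)(NtVer=\06\00\00\00))",
    },
    {   # ordinary ping with the User attribute omitted entirely
        "src": "192.0.2.11", "dst": "192.0.2.1", "proto": "udp", "dst_port": 389,
        "filter": r"(&(DnsDomain=corp.example.test)(Host=WS02)(NtVer=\06\00\00\00))",
    },
    {   # both indicators: 120-byte User value and NtVer = 02 00 00 00
        "src": "198.51.100.9", "dst": "192.0.2.1", "proto": "udp", "dst_port": 389,
        "filter": "(&(DnsDomain=corp.example.test)(User=" + "A" * 120 + r")(NtVer=\02\00\00\00))",
    },
    {   # same attribute over TCP 389: outside this indicator's CLDAP scope, so skipped
        "src": "192.0.2.12", "dst": "192.0.2.1", "proto": "tcp", "dst_port": 389,
        "filter": r"(&(DnsDomain=corp.example.test)(NtVer=\02\00\00\00))",
    },
]

if __name__ == "__main__":
    for src, dst, hits in triage(SAMPLE_RECORDS):
        print(f"{src} -> {dst}: {', '.join(hits)}")
```

Feeding the third sample record through triage yields a single finding with both indicator names, while the first two records, which represent normal locator traffic, produce nothing; the same logic ports directly to an NDR rule once the export format is known.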
Host-Level IOCs
| Indicator | Log Source | Signal Strength |
|---|---|---|
| Event ID 1000, faulting application lsass.exe, faulting module netlogon.DLL, exception code 0xc0000409 | Windows Application Event Log | Critical - exception code 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN) is almost exclusively associated with GS stack cookie violations from buffer overflow exploitation |
| Unexpected DC reboot with no prior scheduled maintenance, Windows Update activity, or admin-initiated restart | Windows System Event Log (Event ID 1074, 6006, 6008) | High when correlated with CLDAP anomaly on same DC |
| Child processes of lsass.exe - e.g., cmd.exe, powershell.exe, rundll32.exe | Sysmon Event ID 1 (Process Creation), EDR process telemetry | Critical - LSASS does not spawn child processes under normal operation; presence indicates post-exploitation code execution |
| Outbound network connections originating from lsass.exe | Sysmon Event ID 3 (Network Connection), EDR | Critical - LSASS does not initiate outbound connections; indicates code running in LSASS context post-exploitation |
| Domain-wide authentication failure spike lasting ~60 seconds and self-resolving | DC Security Event Log (Event IDs 4771, 4776), SIEM correlation | High - the 60-second auth blackout pattern is specific to DC reboot from LSASS crash; not attributable to most other failure modes |
Persistence Mechanism IOCs (Post-RCE)
If an attacker achieves full RCE rather than DoS, the following persistence mechanisms are relevant based on the vulnerability class and historical Netlogon-targeting attack patterns:
| Persistence Mechanism | Detection Signal |
|---|---|
| Golden Ticket creation via stolen krbtgt hash | Kerberos tickets with anomalous lifetimes (>10 hours) or tickets presented from hosts that have no corresponding TGT request in DC logs (Event ID 4769 without preceding 4768) |
| New privileged domain accounts (Domain Admin, Enterprise Admin) | Event ID 4720 (account creation) + Event ID 4728/4732 (group membership change to privileged groups) outside change-management windows |
| DCShadow - rogue DC registration to inject AD changes | New domain controller objects appearing in AD Sites and Services without a corresponding legitimate DC promotion process; replication partner anomalies in DFS-R or AD replication monitoring |
| Skeleton Key malware injected into LSASS | All domain accounts suddenly able to authenticate with a single master password; detected by ATA/MDI or memory integrity scanning of LSASS process |
| GPO modification for domain-wide backdoor deployment | Event ID 5136 (GPO attribute change), Event ID 4739 (domain policy change) from unexpected admin accounts or during off-hours |
| DCSync credential harvesting | Event ID 4662 on DC with Access Mask 0x100 for DS-Replication-Get-Changes-All rights, from accounts that are not domain controllers and not authorized replication partners |
Detection: SIEM Queries
Splunk
```
# Detect LSASS crash with netlogon.DLL faulting module
index=wineventlog source="WinEventLog:Application"
    EventID=1000
    Process_Name="lsass.exe"
    Module_Name="netlogon.DLL"
    Exception_Code="0xc0000409"
| eval risk="CRITICAL - Possible CVE-2026-41089 exploitation"
| table _time, host, Process_Name, Module_Name, Exception_Code, risk

# Detect child processes spawned by lsass.exe (post-RCE signal)
index=sysmon EventCode=1 ParentImage="*lsass.exe"
| eval risk="CRITICAL - Abnormal LSASS child process"
| table _time, host, Image, ParentImage, CommandLine, risk
```
Elastic / Lucene (KQL)
```
# LSASS crash detection
event.code:1000 AND process.name:lsass.exe AND winlog.event_data.ModuleName:*netlogon* AND winlog.event_data.ExceptionCode:0xc0000409

# LSASS outbound network connection (Sysmon EID 3)
event.code:3 AND process.name:lsass.exe AND NOT destination.ip:(127.0.0.1 OR "::1")
```
Microsoft Sentinel (KQL)
```
// LSASS crash with netlogon faulting module
// Application-log events are ingested into the Event table (EventID, RenderedDescription),
// not SecurityEvent, which carries no CommandLine for Event ID 1000
Event
| where EventLog == "Application" and EventID == 1000
| where RenderedDescription contains "lsass.exe"
    and RenderedDescription contains "netlogon.DLL"
    and RenderedDescription contains "0xc0000409"
| project TimeGenerated, Computer, RenderedDescription
| extend Risk = "CRITICAL - CVE-2026-41089 candidate"

// Privileged group membership changes outside business hours
SecurityEvent
| where EventID in (4728, 4732, 4756)
| where MemberName !contains "expected-admin"
| where hourofday(TimeGenerated) !between (8 .. 18)
| project TimeGenerated, Computer, SubjectUserName, MemberName, GroupName
```
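The SIEM queries above each look at one event type in isolation. What an analyst actually wants during triage is the join the host-level IOC table describes: the LSASS crash signature followed by a reboot on the same DC within minutes, plus the two Sysmon post-exploitation signals. The script below is an added example, not code from the original guide, that performs that correlation over exported events so it can be run against log exports from DCs that are not yet in the SIEM. The flat event record shape and the sample events are constructed; the dc_peers allow-list is this example's own addition, because on a domain controller lsass.exe also hosts directory replication and will legitimately connect to other DCs, so those destinations are excluded rather than reported.

```python
"""Host-level correlation for the CVE-2026-41089 indicators, run over exported
Windows events rather than inside a SIEM. Added example, not code from the
original guide. It joins the LSASS crash signature (Application 1000,
lsass.exe, netlogon.DLL, 0xc0000409) to a reboot event on the same DC within
a short window, and raises the two Sysmon signals (child of lsass.exe,
outbound connection from lsass.exe). The event records are constructed
samples in a flat dict shape that a log export script would produce; the
dc_peers allow-list is this example's own addition so that a DC's expected
replication traffic to other DCs is not reported as an indicator.
"""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List

CRASH_EXCEPTION = "0xc0000409"            # STATUS_STACK_BUFFER_OVERRUN
CRASH_MODULE = "netlogon.dll"
REBOOT_EVENT_IDS = {1074, 6006, 6008}     # System log: shutdown initiated / clean / unexpected
REBOOT_WINDOW = timedelta(minutes=15)


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(str(event["time"]))


def _is_lsass(path: str) -> bool:
    """True when the image path's file name is lsass.exe, ignoring case and directory."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1] == "lsass.exe"


def is_lsass_netlogon_crash(event: Dict) -> bool:
    return (event.get("log") == "Application" and event.get("event_id") == 1000
            and _is_lsass(str(event.get("app", "")))
            and str(event.get("module", "")).lower() == CRASH_MODULE
            and str(event.get("exception", "")).lower() == CRASH_EXCEPTION)


def correlate(events: List[Dict], dc_peers: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return alert dicts (host, time, rule, severity, detail) for the guide's host IOCs."""
    events = sorted(events, key=_ts)
    alerts = []
    for crash in filter(is_lsass_netlogon_crash, events):
        t0 = _ts(crash)
        # First System-log reboot event on the same host inside the window, if any.
        reboot = next((e for e in events
                       if e["host"] == crash["host"] and e.get("log") == "System"
                       and e.get("event_id") in REBOOT_EVENT_IDS
                       and t0 <= _ts(e) <= t0 + REBOOT_WINDOW), None)
        detail = "LSASS crashed in netlogon.DLL with 0xc0000409; " + (
            f"reboot event {reboot['event_id']} followed at {reboot['time']}"
            if reboot else "no reboot event seen in window")
        alerts.append({"host": crash["host"], "time": crash["time"], "severity": "CRITICAL",
                       "rule": "lsass_netlogon_stack_overrun", "detail": detail})
    for e in events:
        if e.get("log") != "Sysmon":
            continue
        if e["event_id"] == 1 and _is_lsass(str(e.get("parent_image", ""))):
            alerts.append({"host": e["host"], "time": e["time"], "severity": "CRITICAL",
                           "rule": "lsass_child_process",
                           "detail": f"lsass.exe spawned {e['image']}"})
        elif e["event_id"] == 3 and _is_lsass(str(e.get("image", ""))):
            dest = ipaddress.ip_address(str(e["dest_ip"]))
            if not dest.is_loopback and str(dest) not in dc_peers:
                alerts.append({"host": e["host"], "time": e["time"], "severity": "CRITICAL",
                               "rule": "lsass_outbound_connection",
                               "detail": f"lsass.exe connected to {dest}:{e['dest_port']}"})
    return alerts


# Constructed sample events; hostnames and addresses are not real.
SAMPLE_EVENTS = [
    {"time": "2026-06-01T02:14:03", "host": "DC01", "log": "Application", "event_id": 1000,
     "app": "lsass.exe", "module": "netlogon.DLL", "exception": "0xc0000409"},
    {"time": "2026-06-01T02:14:41", "host": "DC01", "log": "System", "event_id": 6008},
    {"time": "2026-06-01T02:20:10", "host": "DC02", "log": "Application", "event_id": 1000,
     "app": "svchost.exe", "module": "ntdll.dll", "exception": "0xc0000005"},
    {"time": "2026-06-01T03:05:55", "host": "DC01", "log": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\lsass.exe"},
    {"time": "2026-06-01T03:06:02", "host": "DC01", "log": "Sysmon", "event_id": 3,
     "image": "C:\\Windows\\System32\\lsass.exe", "dest_ip": "203.0.113.7", "dest_port": 443},
    {"time": "2026-06-01T03:06:05", "host": "DC02", "log": "Sysmon", "event_id": 3,
     "image": "C:\\Windows\\System32\\lsass.exe", "dest_ip": "192.0.2.1", "dest_port": 389},
    {"time": "2026-06-01T09:00:00", "host": "DC03", "log": "System", "event_id": 1074},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, dc_peers=frozenset({"192.0.2.1"})):
        print(f"{a['time']} {a['host']} {a['severity']} {a['rule']}: {a['detail']}")
```

Run as-is, the sample produces three alerts for DC01 (the crash with its 6008 reboot 38 seconds later, the cmd.exe child, and the outbound connection to 203.0.113.7) and nothing for the unrelated svchost.exe crash on DC02 or the scheduled 1074 on DC03; removing 192.0.2.1 from dc_peers adds DC02's replication-style connection as a fourth alert, which is the false positive the allow-list exists to suppress.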
Immediate Response Actions
1. Run wmic qfe get HotFixID | findstr KB5089549 on every DC and cross-reference with build numbers. Generate a list of unpatched nodes before doing anything else. One missed DC invalidates the entire remediation effort.
2. Apply the May 2026 Patch Tuesday updates to all domain controllers simultaneously. For ESU-covered Server 2012/2012 R2, apply via WSUS or Update Catalog. For EoL Server 2008 R2, apply the 0patch micropatch immediately and begin emergency migration planning. Rolling deployment is not appropriate for this vulnerability class.
3. While patching is underway, restrict inbound CLDAP (UDP 389) to domain-joined hosts and management subnets via Windows Firewall Advanced Security rules and perimeter/internal firewall policy. Block from Internet-facing addresses unconditionally.
4. Run nltest /dbflag:0x2080ffff on every DC that has not yet been patched. This captures CLDAP request details to %windir%\debug\netlogon.log and provides evidence of any exploitation attempts that occurred before patching.
5. Search Application Event Logs on every DC for Event ID 1000 with exception code 0xc0000409 and faulting module netlogon.DLL. Any such event on an unpatched DC prior to your patching date should be treated as a potential exploitation incident and trigger your IR procedures. Do not assume it was a benign crash.
6. Hash C:\Windows\System32\netlogon.dll on every DC and compare against the known patched SHA-256 (A59733767285859FC3F982C46EA9C1173F4BF025D1569C03B4D137B55132B2DB). Any mismatch should be investigated before the DC is treated as secured.
Long-Term Hardening Recommendations
| Control | Description | Priority |
|---|---|---|
| DC patch SLA for pre-auth criticals | Establish a formal policy: pre-authentication critical DC vulnerabilities must be patched within 24–72 hours of Patch Tuesday, not the standard 30-day enterprise window | Immediate |
| Network micro-segmentation for DCs | No host outside a defined DC management subnet should communicate with DCs on UDP 389, TCP 445, or Netlogon RPC ports. East-west DC access must be explicitly allow-listed. | High |
| Tier 0 / PAW architecture | Enforce Privileged Access Workstation model for DC administration. Credential material from Tier 1/2 systems must not appear on domain controllers. | High |
| Windows Credential Guard on DCs | Isolates credential material from LSASS context using virtualization-based security; limits damage if LSASS is compromised | Medium |
| LSASS Protected Process Light (PPL) | Prevents unauthorized access to LSASS memory from non-protected processes; reduces credential dumping surface | Medium |
| Permanent CLDAP anomaly detection rule | Integrate long User attribute and non-standard NtVer detection into your SIEM or NDR as a persistent rule - not just for this CVE but as general Netlogon abuse detection | Medium |
| Migrate EoL Windows Server | Plan and execute migration off Server 2012/2012 R2 and especially 2008 R2. ESU and micropatch coverage is finite; these systems are a permanent AD liability. | Medium |
| Unexpected DC reboot IR runbook | Any unscheduled DC reboot should trigger an automatic security investigation workflow, not just an infrastructure ticket. The 60-second auth blackout pattern from this exploit is specific and detectable. | Ongoing |
Part 4 covers MITRE ATT&CK mapping, advanced SIEM queries, and domain controller hardening for CVE-2026-41089.
