CVE-2026-41089: Windows Netlogon RCE - One-Packet CLDAP Attack, LSASS Crash, and Active Directory Risk
CVE-2026-41089: Windows Netlogon RCE, One-Packet CLDAP Attack, LSASS Crash, and Active Directory Risk
A single unauthenticated UDP packet can crash every domain controller in your organization. No credentials. No foothold. No user interaction. One malformed CLDAP ping to port 389, LSASS dies, and Active Directory authentication goes with it. The patch has been available since May 12, 2026. Active exploitation was confirmed within three weeks of disclosure.
Vulnerability at a Glance
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-41089 |
| Affected Component | Windows Netlogon Service (netlogon.dll), DC Locator CLDAP handler |
| Vulnerability Class | Stack-based buffer overflow (CWE-121) |
| Attack Vector | Network (UDP port 389, CLDAP) |
| Authentication Required | None |
| User Interaction | None |
| CVSS 3.1 Score | 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSS 4.0 Assessment | 8.8 HIGH, AT:P (DNS naming prerequisite acknowledged) |
| Disclosed | May 12, 2026 (Microsoft Patch Tuesday) |
| PoC Released | May 13, 2026, Aretiq AI, patch-diff derived |
| Wild Exploitation Confirmed | June 1, 2026, Centre for Cybersecurity Belgium (CCB) |
| Discovered By | Microsoft WARP team (internal discovery) |
What Actually Happens
Netlogon is the authentication backbone of every Active Directory environment. Before a client logs in, finds a domain controller, or validates a Kerberos ticket, it sends a DC locator ping, a lightweight CLDAP (Connectionless LDAP) query over UDP port 389. This happens thousands of times a day across any enterprise network.
CVE-2026-41089 lives in the CLDAP DC locator response handler inside netlogon.dll. The
handler allocates a 528-byte stack buffer to process the Username attribute from an
incoming ping, without validating length before writing. An attacker sends a crafted packet with a 130-character
username field. The buffer overflows, the GS stack cookie trips, and Windows terminates the process with
STATUS_STACK_BUFFER_OVERRUN (0xc0000409).
The process being terminated is LSASS, the Local Security Authority Subsystem. LSASS holds every active credential in the domain. When it crashes, the domain controller reboots. Authentication across the entire domain goes offline for approximately 60 seconds.
Attacker ──► UDP/389 ──► crafted CLDAP ping (Username: 130 chars)
└─► netlogon.dll 528-byte stack buffer overflow
└─► GS cookie violation → STATUS_STACK_BUFFER_OVERRUN (0xc0000409)
└─► LSASS crash → DC reboot → ~60s domain-wide auth blackout
The RCE Question
Microsoft formally rates this as a Remote Code Execution vulnerability with a CVSS of 9.8. The realistic picture is more nuanced, two distinct exploitation outcomes exist at very different reliability levels.
| Exploitation Path | Reliability | What Stops It |
|---|---|---|
| DoS, LSASS crash + DC reboot | High, public PoC, confirmed in the wild | Nothing meaningful. One packet is sufficient. |
| Full RCE, code execution as SYSTEM | Low, theoretically possible | GS stack cookie; overflow content is server-controlled DNS data, not attacker-controlled shellcode bytes |
The DNS Name Length Prerequisite
The overflow becomes reliably triggerable only when the target domain's fully qualified DNS name exceeds approximately 50 characters. Short domain names may not produce a large enough response payload to consistently overflow the buffer.
This is not a meaningful barrier in enterprise environments. Large organizations routinely operate domains like
corp.enterprise-division.companyname.internal or nested regional structures. MSPs managing multiple
customer forests are very likely operating domains above this threshold. The prerequisite narrows the exploitable
population, it does not protect most affected organizations.
Affected Versions
| Product | Vulnerable (unpatched) | Patched Build |
|---|---|---|
| Windows Server 2012 / 2012 R2 | All without ESU patch | ESU patch required |
| Windows Server 2016 | < 10.0.14393.9140 | 10.0.14393.9140 |
| Windows Server 2019 | < 10.0.17763.8755 | 10.0.17763.8755 |
| Windows Server 2022 | < 10.0.20348.5074 | 10.0.20348.5074 |
| Windows Server 2022 23H2 | < 10.0.25398.2330 | 10.0.25398.2330 |
| Windows Server 2025 | < 10.0.26100.32772 | 10.0.26100.32772 |
netlogon.dll is present on Windows 10/11 client builds, but the vulnerable CLDAP
DC locator response handler is only active on systems configured as Active Directory Domain Controllers. Client
machines are not directly exploitable via this vector.
Why Domain Controllers Are the Worst Possible Target
A domain controller is not just another server. It is the identity control plane, the trust anchor for every device, user, and application in the organization. The blast radius of a DC compromise scales with everything connected to it.
At the DoS Level (reliable today)
- Repeatable kill switch for domain authentication, zero credentials required
- Disrupts login, application access, and any Kerberos-dependent service on demand
- Provides cover for simultaneous attacks that exploit the disruption window
At Full RCE Level (theoretical)
| Asset Compromised | Consequence |
|---|---|
| LSASS memory (code execution context) | Every password hash and Kerberos ticket active on that DC |
| krbtgt secret | Forge Golden Tickets, valid for years, survive password resets |
| Group Policy control | Push malware or config changes to every domain-joined machine in one operation |
| Domain trust relationships | Lateral movement into partner networks and subsidiary environments |
| Tier 0 credential material | Complete Active Directory forest takeover |
High-Value Targets
| Target Category | Why They're at Higher Risk |
|---|---|
| Government agencies | Large domain structures with long DNS names; high-value disruption impact |
| Healthcare / hospitals | Authentication disruption directly impacts patient care systems; high-pressure to restore quickly |
| Financial institutions | Credential theft and GPO abuse enable fraud, data exfiltration, and ransomware staging |
| Critical infrastructure | OT/ICS environments tied to AD authentication become inaccessible during DC outage |
| Managed Service Providers | One MSP domain controller can be a gateway to dozens of separate customer environments simultaneously |
| Defense contractors | Tier-0 compromise can expose classified material and federated government networks |
Example Attack Sequence
# Stage 1, Recon Scan for UDP/389 (CLDAP) on Internet-exposed or DMZ-reachable IP ranges Send benign DC locator ping → identify active DCs, capture DNS domain name # Stage 2, Prerequisite Check Does the DNS name exceed ~50 characters? If yes → proceed. If no → move to next target. # Stage 3, Exploit (DoS, reliable) Send single crafted CLDAP ping with 130-char Username attribute LSASS crashes → DC reboots → ~60s domain-wide auth blackout Repeat as needed for sustained disruption # Stage 4, Escalation (if full RCE achieved) Spawn reverse shell from LSASS context (SYSTEM privileges) DCSync → extract krbtgt hash Forge Golden Ticket → persistent, undetected forest-wide access Deploy ransomware/backdoor via GPO to all domain-joined machines
Misconfigurations That Increase Exposure
- No network segmentation, any internal host can reach DC on UDP 389
- DC exposed to the Internet or DMZ with inbound UDP 389 permitted
- Rolling patch deployment, one unpatched DC in the forest is sufficient for exploitation
- End-of-life Windows Server (2008 R2 without micropatch, 2012 without ESU)
- No LSASS crash alerting, unexpected DC reboots treated as infrastructure issues, not security events
- DNS domain names ≥ 50 characters with no compensating controls
Relationship to Zerologon (CVE-2020-1472)
| CVE-2020-1472 (Zerologon) | CVE-2026-41089 | |
|---|---|---|
| Target | Windows Netlogon, Domain Controllers | Windows Netlogon, Domain Controllers |
| Auth required | None | None |
| Root cause | Cryptographic flaw (AES-CFB8 IV) | Memory corruption (stack buffer overflow) |
| Primary impact | Privilege escalation to domain admin | DoS (DC crash); RCE theoretical |
| Exploit reliability | Very high (~100%) | High for DoS; low for RCE |
| Patch available | August 2020 | May 2026 |
Same target, different root cause, different exploitation mechanics. Both unauthenticated, both attacking the domain's core trust anchor.
Part 2 covers the public PoC, active exploit analysis, and how the vulnerability is being weaponized in the wild.
