Windows Netlogon CLDAP Stack Buffer Overflow RCE
Published: June 3, 2026 | Severity: Critical | CVSS 3.1: 9.8 | Status: Actively Exploited in the Wild
What Is It?
CVE-2026-41089 is a pre-authentication, zero-interaction stack-based buffer overflow in the Windows Netlogon service affecting all Windows Server versions acting as Active Directory domain controllers. The vulnerability was patched by Microsoft on May 12, 2026 as part of Patch Tuesday, but as of May 29 the Centre for Cybersecurity Belgium (CCB) confirmed active exploitation in the wild. A public proof-of-concept is available on GitHub, and AI-assisted patch diffing is accelerating the timeline from patch release to weaponized exploit.
A successful attack on a domain controller is not just a server compromise. It is a domain-wide compromise with a fast path to forest-level takeover.
How Does It Work?
The vulnerability lives in netlogon.dll inside a helper function called NetpLogonPutUnicodeString. When a domain controller receives a CLDAP (Connectionless LDAP) DC Locator ping on UDP port 389, it builds a response by serializing several strings into a fixed 528-byte stack buffer via BuildSamLogonResponse. The bug: the copy function receives a max-length argument in bytes but reads it as a wide character (WCHAR) count. Since every WCHAR is two bytes, each string consumes double the expected buffer space.
The attacker controls the "User" attribute of the CLDAP filter. Sending a username of 130 characters pushes 260 bytes through the copy loop alone. When that oversized username is combined with the server-side DNS domain name, hostname, GUID fields, and compressed DNS names, the total write volume exceeds the 528-byte boundary, corrupts the LSASS stack, and triggers a fatal STATUS_STACK_BUFFER_OVERRUN exception (0xC0000409). LSASS crashes. The domain controller reboots approximately 60 seconds later. A GS stack cookie limits reliable return-address hijacking in the current public PoC, so confirmed in-the-wild exploitation has manifested primarily as denial of service, but Microsoft's advisory formally rates the vulnerability as Remote Code Execution with a 9.8 CVSS score.
One UDP packet. No credentials. No interaction from any user. Any network path to UDP/389 on an unpatched DC is an attack surface.
What Is the Exploitability Constraint?
There is one important environmental condition. The domain controller must have a sufficiently long DNS domain name (roughly 50 or more characters combined across domain and hostname) for the combined output to overflow the 528-byte buffer. Domain controllers in environments with short domain names like corp.local or example.com are likely not reachable via the current PoC path. However, enterprise environments with long fully-qualified domain names, nested AD forests, or lengthy hostnames should treat themselves as fully in scope.
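As an added example (not Microsoft's code or the public PoC's), the following Python models a fixed-size response serializer whose per-field guard is handed the remaining capacity in bytes: the flawed guard compares that byte budget against a character count, as the page describes for NetpLogonPutUnicodeString, while the unit-correct guard multiplies by the WCHAR size first. Both are run over a constructed field set with a short and a long domain name to show why the domain-name length decides whether the 528-byte budget is exceeded; every field value is constructed.

```python
# Added example, not Microsoft's code or the public PoC: a model of a fixed-size
# response serializer whose per-field guard receives the remaining capacity in
# BYTES, the unit the page says NetpLogonPutUnicodeString reads as a WCHAR count.
# Every field value below is constructed for the example.
WCHAR_BYTES = 2            # each UTF-16 code unit is two bytes
RESPONSE_BUF_BYTES = 528   # size of the stack buffer named on the page


def guard_flawed(text: str, remaining_bytes: int) -> bool:
    """The buggy comparison: a byte budget compared against a character count."""
    return len(text) <= remaining_bytes


def guard_fixed(text: str, remaining_bytes: int) -> bool:
    """Unit-correct comparison: characters * 2 against the byte budget."""
    return len(text) * WCHAR_BYTES <= remaining_bytes


def serialize_response(fields, guard):
    """Copy each field as UTF-16 into a 528-byte budget, applying `guard` first.

    Returns (bytes_written, overflow_bytes); overflow_bytes is 0 when every
    field fit, otherwise how far the copies ran past the buffer end (in the
    real service that is stack corruption, not a number you get back).
    Raises ValueError when the guard rejects a field, the fail-closed outcome.
    """
    written, remaining = 0, RESPONSE_BUF_BYTES
    for text in fields:
        if not guard(text, remaining):
            raise ValueError(f"{len(text)}-char field rejected, {remaining} bytes left")
        size = len(text.encode("utf-16-le"))
        written += size
        remaining -= size       # goes negative only when the guard was wrong
    return written, max(0, written - RESPONSE_BUF_BYTES)


# Constructed fields: the attacker-controlled "User" first, then server-side values.
USER_130 = "A" * 130                                   # 260 bytes on the wire
LONG_DOMAIN = "emea.finance.internal.example-corporation-holdings-group.com"  # 60 chars
SHORT_DOMAIN = "corp.local"                            # 10 chars
HOSTNAME = "DC01-PRIMARY-01"                           # 15 chars
GUIDS = ["0f8fad5b-d9cb-469f-a165-70867728950e",       # 36 chars each
         "7c9e6679-7425-40de-944b-e07fc1f90ae7"]


def build(domain: str, guard):
    """Serialize the page's field set for one domain name under one guard."""
    return serialize_response([USER_130, domain, HOSTNAME, *GUIDS], guard)
```

With the short domain both guards accept the whole set; with the long one the flawed guard lets the final field through and the model reports 26 bytes past the boundary, while the corrected guard rejects that field instead.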
Affected Products
All Windows Server editions configured as Active Directory domain controllers are affected:
- Windows Server 2008 R2 through Windows Server 2025
- Windows 10 (all maintained versions) and Windows 11 also include the vulnerable netlogon.dll, but are only exploitable if configured as a DC, which is rare in practice
What Happens After Exploitation?
The immediate observable effect is a DC reboot. The security concern goes much further. Any threat actor who achieves stable code execution in LSASS context on a domain controller has landed in Tier 0 of an Active Directory forest. Follow-on activity to expect includes KRBTGT hash extraction for Golden Ticket creation, DCSync to pull all domain credential hashes, modification of Group Policy Objects for persistence, and lateral movement to other DCs via domain replication trust.
This is the same blast radius class as Zerologon (CVE-2020-1472) and PrintNightmare. Teams should treat any confirmed exploitation of this CVE as an Active Directory breach event, not as an isolated server incident.
Detection Opportunities
There are three tiers of visibility:
Network (Pre-Exploitation): Look for UDP traffic to port 389 on domain controllers with payloads larger than approximately 200 bytes. Normal CLDAP DC locator pings are compact. A "User" attribute in the CLDAP filter longer than 20 to 30 characters is anomalous. Traffic originating from non-DC source addresses to DC-destined UDP/389 should be treated as suspicious regardless of payload size.
Host (Exploitation Impact): Windows Application Event Log Event ID 1000 with lsass.exe as the faulting application and netlogon.dll as the faulting module is the direct crash indicator. Exception code 0xC0000409 confirms a GS cookie violation consistent with the stack overflow. This event followed by an unexpected reboot (Event ID 6008 on the next boot) is a high-confidence exploitation signal.
Service Recovery (Post-Crash): Windows System Log Event IDs 7034 and 7031 record unexpected Netlogon service termination. In steady-state DC operations these events are rare. A Netlogon crash outside of a scheduled maintenance window warrants immediate investigation into preceding network activity on UDP/389.
Post-Exploitation Hunting: Look for unexpected child processes spawned from lsass.exe or the Netlogon service, anomalous Kerberos pre-authentication failures following a DC reboot, sudden bursts of TGT requests, and domain trust errors. These are indicators the attacker moved beyond DoS into credential access.
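As an added example that is not part of the advisory or any vendor tool, the following Python correlates the host and service-recovery indicators above (Event ID 1000 with lsass.exe faulting in netlogon.dll and exception 0xC0000409, Event ID 6008 on the next boot, Event IDs 7034/7031 for Netlogon) over constructed event records; the record shape and the five-minute reboot window are assumptions.

```python
# Added example, not from the advisory or any vendor tool: correlates the host and
# service indicators listed above over Windows event records. The records are
# constructed; a real run would feed exported Application/System log rows.
from datetime import datetime, timedelta

REBOOT_WINDOW = timedelta(minutes=5)   # page: the DC reboots about 60 s after the crash

def is_netlogon_crash(ev) -> bool:
    """Event 1000: lsass.exe faulting in netlogon.dll with the GS cookie code."""
    return (ev["id"] == 1000
            and ev.get("app", "").lower() == "lsass.exe"
            and ev.get("module", "").lower() == "netlogon.dll"
            and ev.get("exception", "").lower() == "0xc0000409")

def is_netlogon_termination(ev) -> bool:
    """Events 7034/7031: unexpected termination of the Netlogon service."""
    return ev["id"] in (7034, 7031) and ev.get("service", "").lower() == "netlogon"

def correlate(events):
    """Return (time, confidence, reason) findings, oldest first: a matching crash
    followed by an unexpected-shutdown record (6008) within REBOOT_WINDOW is the
    high-confidence chain the page describes, a crash alone is medium, and a bare
    Netlogon termination is a low-confidence lead for a look at UDP/389 traffic."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        if is_netlogon_crash(ev):
            crash_at = datetime.fromisoformat(ev["time"])
            rebooted = any(e["id"] == 6008 and
                           datetime.fromisoformat(e["time"]) - crash_at <= REBOOT_WINDOW
                           for e in events[i + 1:])
            reason = "lsass crash in netlogon.dll (0xC0000409)"
            if rebooted:
                reason += " followed by unexpected reboot (6008)"
            findings.append((ev["time"], "high" if rebooted else "medium", reason))
        elif is_netlogon_termination(ev):
            findings.append((ev["time"], "low", f"unexpected Netlogon termination (event {ev['id']})"))
    return findings

SAMPLE_EVENTS = [   # constructed records, not real log exports
    {"time": "2026-05-29T02:15:10", "id": 1000, "app": "lsass.exe",
     "module": "netlogon.dll", "exception": "0xc0000409"},
    {"time": "2026-05-29T02:15:11", "id": 7034, "service": "Netlogon"},
    {"time": "2026-05-29T02:16:20", "id": 6008},
    {"time": "2026-05-29T09:00:00", "id": 1000, "app": "svchost.exe",   # unrelated crash
     "module": "ntdll.dll", "exception": "0xc0000005"},
]
```

On the sample set the crash at 02:15:10 pairs with the 6008 record 70 seconds later and is reported as high confidence, the 7034 record is a separate low-confidence lead, and the unrelated svchost.exe crash is ignored.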
Remediation
Patch immediately. Apply the May 2026 Patch Tuesday updates across all domain controllers in the same maintenance window. Half-patched forests are not a defensible state for a pre-authentication DC vulnerability.
| Windows Server Version | KB Article |
|---|---|
| Server 2012 | KB5087470 |
| Server 2012 R2 | KB5087471 |
| Server 2016 | KB5087537 |
| Server 2019 | KB5087538 |
| Server 2022 | KB5087545 |
| Server 2025 | KB5087539 |
For legacy systems outside of ESU coverage, Acros Security (0patch) has released a micropatch that applies a one-instruction fix halving the maximum allowed username length, closing the overflow path without a full OS update.
Network hardening. Restrict inbound CLDAP traffic to UDP/389 on domain controllers to known internal subnets. Externally reachable DCs should be considered critically exposed. Where possible, block UDP/389 at the perimeter entirely.
If you suspect compromise. Rotate the KRBTGT account password twice (with a replication delay between rotations), reset all privileged account credentials, audit Group Policy Objects and admin account membership, and review authentication logs from the 30 days prior to detection. This is an Active Directory incident response workflow, not a single-server patching exercise.
MITRE ATT&CK Coverage
| Technique | ID |
|---|---|
| Exploit Public-Facing Application | T1190 |
| Network Denial of Service | T1498 |
| OS Credential Dumping: LSASS Memory | T1003.001 |
| Domain Trust Discovery | T1482 |
| Valid Accounts: Domain Accounts | T1078.002 |