01 · The Real Story
This is less a wide-open front door and more a brittle fire alarm wire inside the server room
CVE-2026-41089 is a stack-based buffer overflow in Windows Netlogon tied to how a domain controller handles CLDAP DC locator ping responses. Microsoft and NVD describe it as unauthenticated network RCE, while Microsoft’s May 12, 2026 research post and Aretiq’s May 13, 2026 write-up place the bug in netlogon.dll during CLDAP User= filter processing on UDP/389. Affected platforms span Windows Server 2012, 2012 R2, 2016 before 10.0.14393.9140, 2019 before 10.0.17763.8755, 2022 before 10.0.20348.5074, 2022 23H2 before 10.0.25398.2330, and 2025 before 10.0.26100.32772.
Vendor severity overstates the practical exposure. The big friction is that this lands on *domain controllers* and, per 0patch and Aretiq, exploitation depends on local-network reach to UDP/389 plus a sufficiently long DNS domain/host naming combination; Aretiq also argues present research more cleanly demonstrates LSASS crash/reboot than reliable attacker-controlled RCE because overwritten bytes are largely server-derived and modern stack protections matter. That still leaves meaningful enterprise risk because one reachable DC is a crown-jewel target, but it is not the same thing as an internet-scale wormable flaw.
"Critical on paper, but real-world reach is narrower: internal-network-to-DC plus a naming edge case keeps this out of top-tier panic."
02 · The Attack Path
3 steps from start to impact.
STEP 01
Get network reach to a domain controller
The attacker needs routed access to a Windows domain controller that will answer CLDAP DC locator requests on UDP/389. In practice this usually means an internal foothold, flat VPN access, or a badly exposed DC segment rather than true internet-wide reach. Reference: Microsoft Security Blog identifies an unauthenticated CLDAP path in
netlogon.dll; 0patch explicitly says the attacker is in the local network.Conditions required:
- Attacker can send UDP traffic to port 389 on a domain controller
- Target is an AD domain controller, not just any Windows server
- ACLs, segmentation, or firewalls do not block CLDAP from the attacker location
Where this breaks in practice:
- Most enterprises do not intentionally expose DC CLDAP broadly to the internet
- Requiring internal network reach implies a prior compromise stage in many environments
- Modern segmentation or tiering often limits who can talk directly to DCs
Detection/coverage: External scanners often miss the real condition because reachability to UDP/389 on a DC is environment-specific. Detection coverage is strongest through asset role tagging plus patch/build checks rather than unauthenticated remote probing.
STEP 02
Trigger the overflow with a crafted CLDAP request
A weaponized CLDAP packet, such as the reverse-engineered PoC discussed by Aretiq and referenced by 0patch, abuses the DC locator response path. The bug sits in response construction, where attacker-controlled request content and server-side naming data are serialized into a fixed stack buffer without sufficient bounds checking.
Conditions required:
- Attacker can generate a malformed CLDAP request
- Target naming configuration is long enough to push response construction over the buffer limit
Where this breaks in practice:
- Aretiq states short domain names can fall out of the vulnerable condition
- This is not a generic 'all DCs pop on first packet' situation; target-specific naming matters
- Public research so far centers on controlled crash reproduction, not mature commodity exploitation
Detection/coverage: Network IDS may flag malformed LDAP/CLDAP traffic if signatures appear, but generic scanners are unlikely to validate the naming prerequisite safely. PoC-driven validation is possible in lab conditions, not great for production.
STEP 03
Crash LSASS/Netlogon and potentially pursue code execution
Aretiq reports a single crafted packet can crash LSASS and force a domain controller reboot, which is already operationally serious for authentication infrastructure. Microsoft scores full RCE, but current public analysis notes stack cookies and server-derived overflow bytes as obstacles to reliable code execution, making demonstrated impact more credibly *DoS-first* today with RCE risk still plausible.
Conditions required:
- The crafted packet reaches a truly affected and triggerable build
- The server processes the vulnerable CLDAP response path
Where this breaks in practice:
- Reliable code execution has more engineering friction than the CVSS suggests
- Crash-only outcomes are easier than controlled hijack outcomes in the public write-ups
- HA DC design can reduce business impact if multiple healthy DCs remain online
Detection/coverage: Watch for LSASS or Netlogon crashes, unexpected DC reboots, Event ID 1000-style application faults, and sudden LDAP/Netlogon service interruptions. Vulnerability scanners should reliably identify exposure via KB/build state on DCs.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No confirmed active exploitation in the source set reviewed. Not KEV-listed as of the CISA catalog checked, and Microsoft’s May 2026 disclosures did not claim exploitation. |
|---|---|
| Proof-of-concept availability | A reverse-engineered PoC is referenced publicly: 0patch says the Microsoft patch was reverse engineered and turned into a proof-of-concept by Aretiq AI. That is meaningful even without a mass-market GitHub exploit kit. |
| EPSS | 0.129% (32nd percentile) per GitHub Advisory Database, aligning with the user-provided low EPSS and arguing against immediate mass exploitation pressure. |
| KEV status | Not listed in CISA KEV in the reviewed catalog. No federal exploitation deadline signal today. |
| CVSS vector reality check | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H assumes straightforward unauthenticated network RCE with high impact. Real-world friction is higher because the vulnerable population is effectively domain controllers with CLDAP reachability, and public research adds a long-name configuration prerequisite. |
| Affected versions | NVD lists Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025 as affected, with build cutoffs for supported releases and patch KBs published for older lines. |
| Fixed versions | Build-based fixes: 2016 10.0.14393.9140, 2019 10.0.17763.8755, 2022 10.0.20348.5074, 2022 23H2 10.0.25398.2330, 2025 10.0.26100.32772. Rapid7 also maps legacy fixes to KB5087470 for Server 2012 and KB5087471 for Server 2012 R2. |
| Exposure and scanability | Best current inference: reachability is usually internal, not internet-broad. The path is CLDAP to a domain controller on UDP/389; that sharply narrows exposed population compared with generic Windows RCEs. This is an inference from the Microsoft, Aretiq, and 0patch technical descriptions. |
| Disclosure date | 2026-05-12 via Microsoft/NVD. |
| Reporting researcher / origin | Microsoft’s May 12, 2026 security blog says the bug was found by Microsoft’s internal MDASH agentic security system. Aretiq later published reverse-engineering and impact analysis. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to HIGH (7.4/10)
The single biggest reason this is HIGH instead of CRITICAL is attacker position: practical exploitation requires reachability to a domain controller over CLDAP, which usually means internal network access or a badly segmented environment. That sharply reduces exposed population, but the remaining blast radius is still serious because disruption or compromise of a DC affects authentication at enterprise scale.
HIGH Affected version and patch/build mapping
MEDIUM Real-world exploitation friction from public technical analysis
MEDIUM Likely impact being DoS-first rather than reliable RCE today
Why this verdict
- Internal-network requirement cuts the score down: 0patch explicitly frames the attacker as being in the local network, which implies post-initial-access in many enterprises rather than internet-scale exploitability.
- Exposed population is narrow: this matters on domain controllers answering CLDAP, not the average Windows endpoint or random member server, so the reachable estate is much smaller than the raw CVSS suggests.
- Target-specific naming friction is real: Aretiq says exploitability depends on sufficiently long DNS domain/host naming, which means some otherwise affected DCs do not cleanly satisfy the trigger condition.
- Public impact evidence is stronger for crash/reboot than clean RCE: Aretiq highlights stack-cookie and overwrite-content constraints that make reliable code execution harder than a vendor 9.8 implies.
- But the crown-jewel blast radius keeps it elevated: if a reachable DC can be crashed or eventually popped pre-auth, that is still a bad day for authentication, lateral movement, and enterprise resilience.
Why not higher?
This is not a broad internet-facing Windows RCE in the way defenders hear '9.8 pre-auth' and think worm pressure. The chain narrows quickly: DC-only relevance, CLDAP reachability, and a naming-dependent trigger all compound downward, and the public research reviewed does not yet establish turnkey reliable RCE in the field.
Why not lower?
A no-auth packet path into a domain controller is never routine backlog material. Even if today’s most credible public outcome is forced LSASS crash and reboot, that still threatens authentication availability on crown-jewel systems and offers a high-value target for exploit maturation.
05 · Compensating Control
What to do — in priority order.
- Restrict CLDAP to domain controllers — Use host firewalls, ACLs, and segmentation to allow UDP/389 to DCs only from approved management networks, member servers, and client segments that genuinely need directory discovery. For a HIGH verdict, deploy this within 30 days to reduce reachable population before patch completion.
- Audit DC network exposure — Enumerate every DC and verify which networks can reach UDP/389, including VPN pools, server VLANs, VDI ranges, and partner links. This closes the biggest real-world amplifier here — unnecessary east-west reachability — and should be completed within 30 days.
- Monitor LSASS and Netlogon instability — Alert on LSASS crashes, Netlogon service faults, unexpected DC reboots, and bursts of anomalous UDP/389 traffic. This will not prevent exploitation, but it gives you immediate signal if someone is testing or weaponizing the path while you work through remediation within the 180-day patch window.
- Prioritize flat-network and Tier-0 segments — Patch DCs first in enclaves where workstations, jump hosts, or third-party connections can route to Tier 0. That is where the internal-network prerequisite is easiest for an attacker to satisfy; use compensating restrictions within 30 days and finish vendor remediation within 180 days.
What doesn't work
- MFA does nothing for this path because the bug is pre-auth over the network and does not depend on credential theft first.
- Email filtering and browser hardening are irrelevant because there is no user-interaction stage in the exploit chain.
- Endpoint AV alone is not enough because the initial trigger is a crafted network packet handled by the DC service before any file-based control matters.
06 · Verification
Crowdsourced verification payload.
Run this on each Windows Server target host, ideally the domain controllers themselves, from an elevated PowerShell session. Example: powershell.exe -ExecutionPolicy Bypass -File .\check-CVE-2026-41089.ps1; it needs local admin rights to read OS build and installed hotfix data.
# check-CVE-2026-41089.ps1
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
$ErrorActionPreference = 'Stop'
function Write-Result {
param(
[string]$State,
[string]$Message,
[int]$Code
)
Write-Output "$State - $Message"
exit $Code
}
function Get-OsBuildString {
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr = [int]$cv.UBR
return [PSCustomObject]@{
ProductName = $cv.ProductName
DisplayVersion = $cv.DisplayVersion
ReleaseId = $cv.ReleaseId
Build = $build
UBR = $ubr
FullBuild = "$build.$ubr"
}
}
function Test-IsDomainController {
$cs = Get-CimInstance Win32_ComputerSystem
return ($cs.DomainRole -eq 4 -or $cs.DomainRole -eq 5)
}
function Test-HotFixInstalled {
param([string]$Kb)
try {
$null = Get-HotFix -Id $Kb -ErrorAction Stop
return $true
} catch {
return $false
}
}
try {
$os = Get-OsBuildString
$isDC = Test-IsDomainController
if (-not $isDC) {
Write-Result -State 'UNKNOWN' -Message "Host is not a domain controller (build $($os.FullBuild)); this check is intended for DC exposure." -Code 2
}
$product = $os.ProductName
$build = $os.Build
$ubr = $os.UBR
switch ($build) {
14393 {
if ($ubr -ge 9140) {
Write-Result 'PATCHED' "Windows Server 2016 build $($os.FullBuild) meets fixed level 14393.9140." 0
} else {
Write-Result 'VULNERABLE' "Windows Server 2016 build $($os.FullBuild) is below fixed level 14393.9140." 1
}
}
17763 {
if ($ubr -ge 8755) {
Write-Result 'PATCHED' "Windows Server 2019 build $($os.FullBuild) meets fixed level 17763.8755." 0
} else {
Write-Result 'VULNERABLE' "Windows Server 2019 build $($os.FullBuild) is below fixed level 17763.8755." 1
}
}
20348 {
if ($ubr -ge 5074) {
Write-Result 'PATCHED' "Windows Server 2022 build $($os.FullBuild) meets fixed level 20348.5074." 0
} else {
Write-Result 'VULNERABLE' "Windows Server 2022 build $($os.FullBuild) is below fixed level 20348.5074." 1
}
}
25398 {
if ($ubr -ge 2330) {
Write-Result 'PATCHED' "Windows Server 2022 23H2 build $($os.FullBuild) meets fixed level 25398.2330." 0
} else {
Write-Result 'VULNERABLE' "Windows Server 2022 23H2 build $($os.FullBuild) is below fixed level 25398.2330." 1
}
}
26100 {
if ($ubr -ge 32772) {
Write-Result 'PATCHED' "Windows Server 2025 build $($os.FullBuild) meets fixed level 26100.32772." 0
} else {
Write-Result 'VULNERABLE' "Windows Server 2025 build $($os.FullBuild) is below fixed level 26100.32772." 1
}
}
9200 {
if ($product -match '2012 R2') {
if (Test-HotFixInstalled 'KB5087471') {
Write-Result 'PATCHED' 'Windows Server 2012 R2 has KB5087471 installed.' 0
} else {
Write-Result 'VULNERABLE' 'Windows Server 2012 R2 is missing KB5087471.' 1
}
} else {
if (Test-HotFixInstalled 'KB5087470') {
Write-Result 'PATCHED' 'Windows Server 2012 has KB5087470 installed.' 0
} else {
Write-Result 'VULNERABLE' 'Windows Server 2012 is missing KB5087470.' 1
}
}
}
default {
Write-Result 'UNKNOWN' "Unsupported or unrecognized server build $($os.FullBuild) ($product). Validate manually against vendor guidance." 2
}
}
} catch {
Write-Result 'UNKNOWN' $_.Exception.Message 2
}
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning: treat this as a HIGH issue for domain controllers, not every Windows server. Use the noisgate mitigation SLA to lock down unnecessary UDP/389 reachability and confirm DC segmentation within 30 days, then use the noisgate remediation SLA to roll the Microsoft fixes across affected DCs within 180 days; if you discover any DCs broadly reachable from user or partner networks, pull those to the front of the queue immediately because that is the main real-world amplifier here.
Sources
- NVD entry for CVE-2026-41089
- Microsoft Security Blog: MDASH findings including CVE-2026-41089
- Aretiq AI technical analysis of CVE-2026-41089
- 0patch blog on micropatches for CVE-2026-41089
- Rapid7 vulnerability database entry with KB mappings
- CISA Known Exploited Vulnerabilities Catalog
- GitHub Advisory Database entry for CVE-2026-41089
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.