A critical stack-based buffer overflow vulnerability in the Windows Netlogon service, tracked as CVE-2026-41089, allows unauthenticated attackers to execute arbitrary code over the network on all supported versions of Windows Server. The vulnerability carries a CVSS score of 9.8 and affects every domain-joined Windows Server from 2012 through 2025. The Belgian government’s Centre for Cybersecurity (CCB) has issued an urgent warning about active exploitation, and organisations should treat this as an emergency-patch item — particularly for domain controllers and internet-facing servers.
What Is the Vulnerability?
CVE-2026-41089 is a stack-based buffer overflow vulnerability in the Windows Netlogon service. Netlogon is the core protocol responsible for domain authentication between domain controllers and member servers in Active Directory environments — it runs on every Windows domain-joined machine and is fundamental to Windows enterprise identity infrastructure. The vulnerability allows an unauthenticated remote attacker to send a specially crafted RPC request to the Netlogon service, triggering a buffer overflow that can lead to arbitrary code execution in the context of the service.
The vulnerability is classified under CWE-121 (Stack-Based Buffer Overflow):
- CVSS v3.1 Score: 9.8 (Critical)
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Impact: High on confidentiality, integrity, and availability (C:H/I:H/A:H)
Which Versions Are Affected?
The vulnerability affects every supported version of Microsoft Windows Server:
- Windows Server 2012 and 2012 R2
- Windows Server 2016 — all builds prior to 10.0.14393.9140
- Windows Server 2019 — all builds prior to 10.0.17763.8755
- Windows Server 2022 — all builds prior to 10.0.20348.5074
- Windows Server 2022 23H2 — all builds prior to 10.0.25398.2330
- Windows Server 2025 — all builds prior to 10.0.26100.32772
Because Netlogon runs on every domain-joined Windows Server, the scope of affected systems is essentially the entire Windows Server estate of any organisation using Active Directory. Domain controllers are the highest-value targets, but every domain-joined server is potentially exploitable.
Is It Being Exploited in the Wild?
Yes — exploitation is confirmed. The Belgian government’s Centre for Cybersecurity (CCB) has issued an urgent public warning specifically citing active exploitation of CVE-2026-41089. While full technical details of the in-the-wild attacks have not been publicly disclosed by the CCB at the time of writing, the decision by a national cybersecurity authority to issue a dedicated warning is a strong signal of confirmed, active threat activity. The vulnerability’s characteristics — network-exploitable, no authentication required, no user interaction, and CVSS 9.8 — make it an ideal target for automated scanning and mass exploitation. A successful compromise of a domain controller via the Netlogon service gives the attacker control over the entire Active Directory domain, including the ability to create domain administrator accounts, extract credential hashes, and move laterally to any domain-joined system. Organisations should treat this as actively exploited and patch immediately.
What Is the Fix?
Microsoft has released security updates addressing CVE-2026-41089. The fix is included in the latest Windows cumulative update. The official Microsoft Security Response Center advisory is available at:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
Apply the latest cumulative update to reach the following minimum build numbers:
- Windows Server 2016: Build 10.0.14393.9140 or later
- Windows Server 2019: Build 10.0.17763.8755 or later
- Windows Server 2022: Build 10.0.20348.5074 or later
- Windows Server 2022 23H2: Build 10.0.25398.2330 or later
- Windows Server 2025: Build 10.0.26100.32772 or later
Recommendations
Patch domain controllers today. This is the highest-priority action. Domain controllers process Netlogon authentication for the entire domain — a compromised domain controller is a compromised domain. Apply the latest cumulative update on all domain controllers immediately, then proceed to member servers. The Belgian government warning and CVSS 9.8 score should override normal change control windows for this specific vulnerability.
Audit your Windows Server inventory. Identify every domain-joined Windows Server in your environment — including branch office servers, backup domain controllers with infrequent patching cycles, and servers in segmented or air-gapped networks that may not receive automatic updates. Check the installed build number against the fixed versions listed above.
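An added example of that inventory check (this is not code from the advisory or from Microsoft): it reads each server's CurrentBuildNumber and UBR from the registry over WinRM and compares them with the fixed builds listed above. It assumes the RSAT ActiveDirectory module and remoting access to the servers; Server 2012 and 2012 R2, for which no fixed build is listed, are flagged for manual review.

```powershell
# Added example, not from the advisory: compare each server's build.UBR with the fixed builds.
# Assumes the ActiveDirectory module and WinRM access to every server.
$FixedBuilds = @{
    '14393' = 9140    # Windows Server 2016
    '17763' = 8755    # Windows Server 2019
    '20348' = 5074    # Windows Server 2022
    '25398' = 2330    # Windows Server 2022 23H2
    '26100' = 32772   # Windows Server 2025
}

function Test-NetlogonPatchState {
    param([Parameter(Mandatory)][string]$ComputerName)
    # CurrentBuildNumber is the OS build; UBR is the cumulative-update revision.
    $ver = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
            Select-Object CurrentBuildNumber, UBR
    }
    $build = [string]$ver.CurrentBuildNumber
    $full  = "$build.$($ver.UBR)"
    if (-not $FixedBuilds.ContainsKey($build)) {
        # Server 2012 / 2012 R2 (or a non-server build) has no fixed build listed: review by hand.
        return [pscustomobject]@{ Computer = $ComputerName; Build = $full; Status = 'ReviewManually' }
    }
    $status = if ([int]$ver.UBR -ge $FixedBuilds[$build]) { 'Patched' } else { 'VULNERABLE' }
    [pscustomobject]@{ Computer = $ComputerName; Build = $full; Status = $status }
}

Import-Module ActiveDirectory
# Domain controllers are checked first, then every other domain-joined server.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
    Sort-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
    Select-Object -ExpandProperty Name

$servers | ForEach-Object { Test-NetlogonPatchState -ComputerName $_ } | Format-Table -AutoSize
```

Hosts that are unreachable over WinRM (segmented or air-gapped servers) will error out of Invoke-Command and need to be checked by hand; they are exactly the machines the paragraph above warns about.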
Monitor Netlogon activity for signs of compromise. After patching, review Windows Security event logs and Netlogon service logs for anomalous RPC requests, authentication failures with unusual patterns, and unexpected service restarts. Enable enhanced Netlogon logging if not already configured — this provides visibility into RPC calls targeting the service and can help identify attempted or successful exploitation.
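An added example for the monitoring step (not code from the advisory): it pulls Netlogon service state changes and unexpected terminations from a domain controller's System log, which is where the "unexpected service restarts" mentioned above show up, and notes the nltest command that turns on Netlogon debug logging. The host name DC01 is a placeholder.

```powershell
# Added example, not from the advisory: find Netlogon service restarts and crashes in the
# System log of a domain controller. Assumes remote event-log access to the target host.
function Get-NetlogonServiceEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7034, 7036   # 7034: service terminated unexpectedly; 7036: state change
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\bNetlogon\b' } |
        Select-Object TimeCreated, Id, MachineName, Message
}

# A crash (7034) or a stop/start pair (7036) of Netlogon that nobody scheduled is worth a look.
Get-NetlogonServiceEvents -ComputerName 'DC01' | Format-Table -AutoSize

# Enhanced Netlogon logging: run once on each domain controller to enable debug logging,
# which records the RPC calls the service handles in %windir%\debug\netlogon.log.
#   nltest /dbflag:0x2080ffff
```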
Restrict network access to the Netlogon RPC service. While patching is the only complete remediation, ensure that RPC traffic to domain controllers is restricted to authorised networks and clients. Netlogon RPC communication should not be accessible from the internet or untrusted network segments. Review firewall rules and network segmentation to confirm that RPC ports (TCP 135, 445, and the dynamic RPC range) are only exposed where operationally necessary.
Treat this as part of your Active Directory security hardening programme. CVE-2026-41089 follows CVE-2020-1472 (Zerologon) as another critical Netlogon vulnerability. These recurring vulnerabilities in the domain authentication protocol highlight the importance of keeping domain controllers on the fastest possible patch cycle and implementing defence-in-depth measures such as RPC filtering, network segmentation, and privileged access workstations for domain administration.
References
- Microsoft MSRC — CVE-2026-41089
- NVD: CVE-2026-41089
- Vulnerability Intelligence Report — June 2, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — June 2, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
