CVE-2026-41089: Windows Netlogon Remote Code Execution Vulnerability

Overview

Severity

Critical (CVSS 9.8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-May

Released

2026-05-12

Description

Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.

FAQ

How could an attacker exploit this vulnerability? An attacker could send a specially crafted network request to a Windows server that is acting as a domain controller. If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access.

Affected Products (13)

Windows

• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server 2022
• Windows Server 2022 (Server Core installation)
• Windows Server 2025 (Server Core installation)
• Windows Server 2022, 23H2 Edition (Server Core installation)
• Windows Server 2025
• Windows Server 2016
• Windows Server 2016 (Server Core installation)

ESU

• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)

Security Updates (9)

• 5087538
• 5087545
• 5087424
• 5087539
• 5087423
• 5087541
• 5087537
• 5087470
• 5087471

Acknowledgments

Windows Attack Research &amp; Protection (WARP) with <a href="https://microsoft.com/">Microsoft</a>

Revision History

• 2026-05-12: Information published.