CVE-2026-45648: Windows Active Directory Domain Services Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 8.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Unlikely
Patch Tuesday: 2026-Jun
Released: 2026-06-09

Description

Stack-based buffer overflow in Active Directory Domain Services allows an authorized attacker to execute code over a network.

FAQ

How could an attacker exploit this vulnerability?
A domain-authenticated attacker with access to the NSPI RPC interface can provide crafted inputs that trigger an out-of-bounds write in the directory service process, leading to memory corruption/remote code execution.

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?
Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

How could an attacker exploit the vulnerability?
An attacker who successfully exploits this vulnerability could achieve remote code execution without user interaction.

Affected Products (4)

Windows

  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2025 (Server Core installation)
  • Windows Server 2025

Security Updates (2)

Acknowledgments

Anonymous

Revision History

  • 2026-06-09: Information published.