When the Handshake Is the Hole: CVE-2026-41089 and the Netlogon Stack Overflow
A pre-authentication buffer overflow in Windows Netlogon puts every unpatched domain controller one crafted packet away from full domain compromise.
The Setup: What Netlogon Actually Does
Every Windows domain runs on trust — not the philosophical kind, but a continuous, low-level protocol negotiation that happens before any user types a password. That negotiation is the job of the Netlogon Remote Protocol, formally specified as MS-NRPC.
MS-NRPC is an RPC interface that does three things domain environments cannot function without. First, it establishes and maintains secure channels — the authenticated, encrypted tunnels that domain-joined machines use to communicate with their domain controller. Second, it handles pass-through authentication, forwarding credential validation requests from member machines to the DC and returning authorization data — group memberships, policy assignments — back to the requester. Third, it manages DC-to-DC replication and machine account trust, including the periodic rotation of machine account passwords that keeps domain membership coherent over time.
The Netlogon service runs as SYSTEM — the highest privilege level on a Windows machine. It does this because it has to. Establishing secure channels, validating machine trust, and synchronizing domain data are all operations that require unfettered access to the local security infrastructure. That privilege level is not a vulnerability in itself. But it means that any code executing in the context of the Netlogon service inherits SYSTEM unconditionally. There is no secondary privilege step. Whatever runs there, runs as the most trusted process on the machine.
The Flaw — and Why It Is Not Zerologon
CVE-2026-41089 is a stack-based buffer overflow, classified as CWE-121, in the Windows Netlogon service. It fires during authentication request handling — specifically in the phase where the service is processing an incoming MS-NRPC request before any credentials have been validated. The caller supplies input that the service writes into a fixed-size buffer on the stack without checking whether the supplied data exceeds the buffer's allocated size. When it does, the overflow corrupts adjacent stack memory.
On a stack, adjacent memory includes the saved return address — the pointer that tells the CPU where to resume execution after the current function returns. Overwrite that pointer with an attacker-controlled value, and execution redirects to wherever the attacker points it. That is the mechanism: not a logic flaw, not a protocol design error, but a memory safety failure at the point where attacker input meets an unbounded write.
The detail that makes this particularly acute is that the overflow fires before authentication completes. The service does not need to recognize the sender. It does not need a valid machine account, a domain credential, or any prior trust relationship. The crafted request arrives on the network, enters the pre-auth processing path, and the overflow triggers before the service has anything to check the caller against.
Coverage of this vulnerability has frequently invoked Zerologon — CVE-2020-1472, the 2020 Netlogon flaw that achieved a CVSS score of 10.0. The comparison is understandable at the headline level: both vulnerabilities target MS-NRPC, both require no prior authentication, and both can result in full domain compromise. The technical roots, however, are entirely different.
Zerologon was a cryptographic design flaw. MS-NRPC's secure channel establishment used AES in CFB8 mode with a static, all-zero initialization vector. Because of how CFB8 propagates ciphertext, there was a 1-in-256 probability that any given plaintext block would encrypt to all-zero bytes under a random key. An attacker could exploit this statistically, repeatedly sending authentication attempts until the ciphertext aligned — roughly 256 attempts on average — to authenticate as any machine in the domain, including the DC itself. The flaw was in the cryptographic protocol specification, not in memory handling.
CVE-2026-41089 is memory corruption in a different part of the same protocol. The authentication cryptography is not involved. The failure is in input validation — a caller-controlled value written without bounds checking into a stack buffer. These are different bug classes, different attack techniques, and different mitigations. The shared blast radius does not make them the same vulnerability, and conflating them obscures what defenders actually need to understand about each one.
The Exploit Reality
A stack-based buffer overflow existing in a service is not the same as reliable remote code execution against that service. Modern Windows Server installations ship with multiple layers of exploit mitigation that exist precisely to make that gap as wide as possible.
Address Space Layout Randomization (ASLR) randomizes the base addresses of the executable, stack, heap, and loaded modules at each boot. An attacker who wants to overwrite the return address with a useful pointer — to shellcode, to a ROP gadget, to a known function — cannot hardcode that address. They need either a memory leak that reveals current layout, or a technique that does not depend on knowing exact addresses.
Data Execution Prevention (DEP) marks the stack as non-executable. Placing shellcode directly on the stack and jumping to it will trigger a hardware exception rather than executing the code. Attackers working around DEP typically use return-oriented programming (ROP), chaining together small sequences of legitimate code already present in loaded modules to achieve the desired effect without introducing new executable code.
Control Flow Guard (CFG) restricts indirect calls and jumps to a set of valid targets determined at compile time. ROP chains that rely on jumping to arbitrary gadgets within loaded modules are constrained by CFG's valid-call-target bitmap. Bypassing CFG from a pre-authentication, remote position requires either a CFG bypass technique or gadgets that happen to be valid CFG targets.
These mitigations do not make exploitation impossible. They make it substantially harder and more environment-specific. A reliable exploit targeting CVE-2026-41089 would need to address all three, which is why Microsoft's "Exploitation Less Likely" assessment is not unreasonable, and why ZDI's "potentially wormable" characterization should be read as a worst-case architectural risk rather than a confirmed capability. The wormable concern is real — an unauthenticated network-reachable overflow on a universally deployed service has the right shape for a worm — but turning that shape into a working weapon against patched mitigation stacks takes significant additional work.
What happens when an exploitation attempt fails matters operationally. The Netlogon service runs inside lsass.exe — the Local Security Authority Subsystem, the process responsible for authentication, credential storage, and security policy on every Windows machine. A stack overflow that does not achieve controlled execution will likely crash LSASS instead. When LSASS crashes on a domain controller, the DC reboots. An unexpected domain controller reboot — particularly one that cannot be explained by scheduled maintenance or a known update — is a loud signal. It will not tell you that CVE-2026-41089 was the cause, but it warrants immediate investigation as a potential exploitation attempt. Treat it as an incident until proven otherwise.
Exposure and Blast Radius
The network prerequisite for exploiting CVE-2026-41089 is simple: an attacker needs to send a crafted RPC request to a domain controller. That means reaching the DC on TCP port 135 — the RPC Endpoint Mapper, which negotiates which dynamic port the Netlogon service is actually listening on — or the dynamic high port assigned to the Netlogon endpoint.
In a well-segmented network, domain controllers are not directly reachable from user workstations or guest VLANs. In practice, many environments are not well-segmented. A compromised endpoint on the corporate LAN, a VPN-connected device authenticating through a split-tunnel configuration, or lateral movement from any perimeter foothold can all put an attacker in a position where DC ports are reachable. No valid Active Directory account is required. The attacker does not need to have authenticated to the domain, obtained a Kerberos ticket, or compromised any prior credential. Network reachability to the DC is the entire prerequisite.
Pre-authentication RCE on a domain controller is a single-step path to full domain control. There is no privilege escalation chain to climb, no secondary credential to obtain, no additional service to compromise. Code running as SYSTEM on a DC has direct access to the Active Directory database and the Kerberos infrastructure that every account in the domain depends on. From that position, an attacker can authenticate as any user, issue policy to any machine, and establish persistence that survives password resets and account deletions. The blast radius is the entire domain, and it is reachable in one step from the initial exploitation.
What to Do
Patch. The May 2026 cumulative update addresses CVE-2026-41089 across all affected Windows Server versions — 2012 through 2025. Domain controllers go first. If your change management process imposes a testing window before production DC patching, compress it. This is not a vulnerability to queue behind a standard monthly cycle.
Restrict DC reachability from untrusted segments while the patch window is open. Domain controllers need to remain reachable from domain-joined machines — blocking that traffic will break machine account authentication and lock users out. The target is non-domain and guest segments: verify that DC ports are not reachable from guest VLANs, contractor networks, or any segment where devices are not domain-joined. For environments with RPC filter capability, consider deploying RPC filters to restrict which endpoints are accessible from which sources. Review firewall rules on TCP 135 and the dynamic RPC port range with that scope in mind.
Monitor for exploitation attempts. Event IDs 5827 through 5831 were introduced after Zerologon to flag vulnerable cryptographic secure channel connections — they will not reliably catch a pre-authentication buffer overflow that crashes the parser before cryptographic negotiation begins. The more relevant signals here are: Event ID 1000 (Application Error) in the Application event log targeting lsass.exe, and unexpected system reboots logged as Event ID 1074 or 6008. A failed exploitation attempt against lsass.exe will crash the process and reboot the DC before any Zerologon-pattern event fires. Any unexplained DC reboot warrants investigation — treat it as an incident until proven otherwise.
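The failed-attempt signature described above, worked through as an added example (not code from the original post): it pairs an lsass.exe Application Error (Event ID 1000) with a 1074 or 6008 reboot event on the same domain controller, and separately lists DC reboots that carry no planned-restart reason. The event records are constructed dicts in the shape of an exported event log; the field names, the DC hostname inventory and the ten-minute correlation window are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); fields mimic an exported Windows event log.
SAMPLE_EVENTS = [
    {"host": "DC01", "log": "Application", "id": 1000, "time": "2026-05-12T03:14:05",
     "msg": "Faulting application name: lsass.exe, version: 10.0.0.0"},
    {"host": "DC01", "log": "System", "id": 6008, "time": "2026-05-12T03:15:40",
     "msg": "The previous system shutdown at 3:14:20 AM on 5/12/2026 was unexpected."},
    {"host": "DC02", "log": "System", "id": 1074, "time": "2026-05-12T02:00:00",
     "msg": "The process wininit.exe has initiated the restart of computer DC02 "
            "on behalf of user NT AUTHORITY\\SYSTEM. Reason: Operating System: Upgrade (Planned)"},
    {"host": "FS01", "log": "Application", "id": 1000, "time": "2026-05-12T03:20:00",
     "msg": "Faulting application name: notepad.exe, version: 10.0.0.0"},
]

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumed DC inventory; populate from AD in practice
WINDOW = timedelta(minutes=10)          # assumed crash-to-reboot correlation window

def _when(event):
    return datetime.fromisoformat(event["time"])

def lsass_crashes(events):
    """Application Error (1000) events whose faulting process is lsass.exe."""
    return [e for e in events
            if e["log"] == "Application" and e["id"] == 1000
            and "lsass.exe" in e["msg"].lower()]

def correlate_dc_reboots(events, dcs=DOMAIN_CONTROLLERS, window=WINDOW):
    """Pair each lsass.exe crash on a DC with a 1074/6008 event on the same host
    inside `window` after the crash; each pair is a suspected exploitation attempt."""
    reboots = [e for e in events if e["log"] == "System" and e["id"] in (1074, 6008)]
    findings = []
    for crash in lsass_crashes(events):
        if crash["host"] not in dcs:
            continue
        for rb in reboots:
            gap = _when(rb) - _when(crash)
            if rb["host"] == crash["host"] and timedelta(0) <= gap <= window:
                findings.append({"host": crash["host"], "crash": crash["time"],
                                 "reboot_id": rb["id"], "reboot": rb["time"]})
    return findings

def unexplained_dc_reboots(events, dcs=DOMAIN_CONTROLLERS):
    """Every 6008 on a DC, plus any 1074 not marked as a planned restart:
    the 'treat it as an incident until proven otherwise' bucket."""
    return [e for e in events
            if e["host"] in dcs and e["log"] == "System"
            and (e["id"] == 6008
                 or (e["id"] == 1074 and "(planned)" not in e["msg"].lower()))]
```

The 1000 event's "Faulting application name" field is what distinguishes an LSASS crash from any other application error on the host, so a pipeline that drops the message body loses the only discriminator.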
No active exploitation of CVE-2026-41089 has been confirmed as of this writing.
- *Affected versions: Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025 (all editions including Server Core).*
- *Fix: May 2026 cumulative security update (KB details in the Microsoft Security Update Guide).*