Jun 02, 2026 · 6 min read

Netlogon CVE-2026-41089: 0-Click Domain Controller RCE

Microsoft's WARP team disclosed the bug on May 12, 2026, rating it "Exploitation Less Likely." Twenty days later Belgium's national CCB warned that the same bug is now under active in-the-wild exploitation. Every supported Windows Server release, including 2025, is in scope.

When Microsoft pushed the May 2026 Patch Tuesday release on May 12, CVE-2026-41089 sat near the top of the bulletin: a stack-based buffer overflow in Windows Netlogon, CVSS 9.8, exploitable over the network with no authentication and no user interaction. Microsoft's exploitability assessment said "Less Likely." Belgium's Centre for Cybersecurity disagreed on June 1, 2026, posting a public warning that the bug is "now actively exploited in the wild and could lead to RCE." For organizations that took twenty days to schedule a domain controller reboot, the window between "low-risk patch" and "production fire" closed quickly.

Key Takeaways

  • CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon RPC service rated CVSS 9.8, discovered and reported by Microsoft's Windows Attack Research and Protection (WARP) team and patched on May 12, 2026.
  • Exploitation requires only network reachability to a Windows domain controller. No credentials, no authentication, no user interaction, and no on-host code execution are required.
  • The Centre for Cybersecurity Belgium publicly confirmed active in-the-wild exploitation on June 1, 2026, twenty days after the patch shipped.
  • Every supported Windows Server release is vulnerable, including Windows Server 2012, 2016, 2019, 2022, and the current Windows Server 2025.
  • Successful exploitation grants code execution inside the LSASS context of a domain controller, which is functionally equivalent to a full Active Directory forest compromise.

[Image: a darkened server room rack with a single Windows domain controller chassis lit by a red status indicator]

What Is CVE-2026-41089?

CVE-2026-41089 is a stack-based buffer overflow inside the Windows Netlogon Remote Protocol (MS-NRPC) service, the same service that handles secure channel setup between Windows machines and Active Directory domain controllers. The vulnerable code path mishandles the length of a field inside a crafted Netlogon RPC request. An attacker who can reach TCP port 445 or the RPC endpoint mapper on the target sends a malformed message; the service writes past the bounds of a stack-allocated buffer; the saved return address is overwritten; execution diverts into attacker-controlled bytes.

Microsoft's Windows Attack Research and Protection team found the bug internally and submitted it through MSRC. The advisory shipped on May 12, 2026 with the security update bundle, and Microsoft rated exploitability as "Less Likely" in the original assessment because the overflow target is constrained and reliable exploitation across different Windows builds requires careful gadget chaining. That rating did not survive contact with the offensive community.

Why Does This Bug Matter More Than Most Netlogon CVEs?

Netlogon has shown up in security advisories before. ZeroLogon (CVE-2020-1472) was an authentication bypass that let an unauthenticated attacker set the domain controller's machine account password to all zeros. PetitPotam, NetBypass, and related coercion attacks have used Netlogon as a relay primitive. CVE-2026-41089 is a strict superset of those threats. It is not an authentication bypass; it is unauthenticated code execution inside the process that signs Kerberos tickets and holds the krbtgt secret.

Once an attacker is executing code as the Netlogon service on a domain controller, every subsequent step is housekeeping. Dump LSASS to extract the krbtgt hash. Forge a Golden Ticket valid for ten years. Push a new GPO that runs a payload on every domain-joined machine at next reboot. Create a new Domain Admin account. There is no remaining trust boundary between the attacker and the directory; the attacker is inside the directory.

Why Did Active Exploitation Start So Fast?

Three factors compressed the patch-to-exploit window. First, the patch itself diffs cleanly. Comparing the pre- and post-May 12 builds of netlogon.dll exposes the new length check almost immediately, and N-day exploit developers routinely bin-diff Patch Tuesday output by Tuesday evening. Second, the vulnerable RPC service is exposed by every domain controller on every internal network on the planet; there is no obscure target population. Third, Microsoft's "Less Likely" rating lowered the priority on many corporate patch backlogs, leaving a large pool of unpatched DCs by the time exploitation tooling matured.

Belgium's CCB advisory did not name a specific threat actor or supply indicators of compromise. The notice posted on June 1 simply confirmed in-the-wild exploitation and urged immediate patching. National CSIRT advisories of this shape generally indicate either telemetry from member-state SOCs or a credible private-channel report, not open-source observation.

How Should Defenders Respond Right Now?

Patching every domain controller is the only durable fix. The May 12, 2026 Microsoft cumulative updates address CVE-2026-41089 across all supported Windows Server versions. Coordinated maintenance windows are preferable to staggered DC patching because a single unpatched DC in a multi-DC forest is enough for an attacker to compromise the whole forest and then propagate.

Until the patch is fully rolled out:

  • Block Netlogon RPC traffic at the network layer wherever it does not need to traverse. Domain controllers usually do not need to accept Netlogon RPC from user subnets or wireless networks; segment them.
  • Turn on Active Directory advanced auditing for event IDs 5805 (Netlogon trust failure), 4742 (computer account changed), and 4624 logon events from machine accounts on unusual source IPs.
  • Watch for unexpected lsass.exe crashes or Netlogon service restarts in the System event log on domain controllers. A failed exploit attempt frequently crashes the service; a successful one does not.
  • For legacy out-of-support Windows Server installations, Acros Security's 0patch service is shipping a micropatch for CVE-2026-41089 that addresses the bug without requiring a Microsoft cumulative update.
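The auditing and crash-watching items above are easiest to act on once they are written down as triage rules. The following Python is an added example, not code from the article, 0patch or Microsoft. It runs over a handful of constructed event records in the flat key/value shape a SIEM export or a `Get-WinEvent` to JSON conversion produces, and flags the three conditions the list names: machine-account network logons (4624, logon type 3, account name ending in `$`) from outside the subnets where servers are expected to live, computer-account changes (4742), and Netlogon trust failures (5805). For the "Netlogon service restart" item it additionally looks at Service Control Manager event 7034 ("service terminated unexpectedly"), which is a real System-log event ID but is not mentioned on the page; the subnet list and all sample events are constructed for the example.

```python
"""Triage rules for the Netlogon-related event IDs discussed above (added example)."""
import ipaddress
from collections import Counter

# Subnets from which machine-account network logons to a DC are expected.
# Constructed for this example; a real deployment lists its server/DC ranges here.
EXPECTED_MACHINE_LOGON_SUBNETS = [
    ipaddress.ip_network("10.0.10.0/24"),
    ipaddress.ip_network("10.0.20.0/24"),
]

# Constructed sample events in a flat SIEM-export style. 7034 is the Service
# Control Manager "terminated unexpectedly" event (not from the article).
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4624, "computer": "DC01", "TargetUserName": "WS0042$",
     "LogonType": 3, "IpAddress": "10.0.10.42"},
    {"log": "Security", "id": 4624, "computer": "DC01", "TargetUserName": "WS0117$",
     "LogonType": 3, "IpAddress": "192.168.77.5"},
    {"log": "Security", "id": 4624, "computer": "DC01", "TargetUserName": "alice",
     "LogonType": 3, "IpAddress": "192.168.77.5"},
    {"log": "Security", "id": 4624, "computer": "DC01", "TargetUserName": "DC01$",
     "LogonType": 3, "IpAddress": "-"},
    {"log": "Security", "id": 4742, "computer": "DC01", "TargetUserName": "DC02$",
     "SubjectUserName": "WS0117$"},
    {"log": "Security", "id": 5805, "computer": "DC01",
     "Message": "The session setup from the computer WS0117 failed to authenticate."},
    {"log": "System", "id": 7034, "computer": "DC01", "ServiceName": "Netlogon"},
    {"log": "System", "id": 7034, "computer": "DC01", "ServiceName": "Print Spooler"},
]


def _source_address(raw):
    """Parse the 4624 IpAddress field; '-' and loopback mean a local logon, not a remote one."""
    if raw in ("", "-"):
        return None
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    return None if addr.is_loopback else addr


def triage(events, expected_subnets=EXPECTED_MACHINE_LOGON_SUBNETS):
    """Return a list of (rule, subject, detail) findings for the events that match a rule."""
    findings = []
    for ev in events:
        log, eid = ev.get("log"), ev.get("id")
        if log == "Security" and eid == 4624:
            user = ev.get("TargetUserName", "")
            # Machine accounts end in '$'; logon type 3 is a network logon.
            if user.endswith("$") and ev.get("LogonType") == 3:
                addr = _source_address(ev.get("IpAddress", ""))
                if addr is not None and not any(addr in net for net in expected_subnets):
                    findings.append(("4624-machine-logon-unexpected-source", user, str(addr)))
        elif log == "Security" and eid == 4742:
            findings.append(("4742-computer-account-changed",
                             ev.get("TargetUserName"), ev.get("SubjectUserName")))
        elif log == "Security" and eid == 5805:
            findings.append(("5805-netlogon-trust-failure", ev.get("computer"), ev.get("Message")))
        elif log == "System" and eid == 7034 and ev.get("ServiceName") == "Netlogon":
            # A crashed Netlogon service is the typical trace of a failed exploit attempt.
            findings.append(("7034-netlogon-unexpected-termination", ev.get("computer"), None))
    return findings


def summarize(findings):
    """Count findings per rule so a DC with many hits stands out in a fleet-wide sweep."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:40s} {subject!s:12s} {detail}")
    print(dict(summarize(triage(SAMPLE_EVENTS))))
```

Rules of this shape are deliberately noisy on purpose: a 4742 or a 5805 on its own is routine, and the point of collecting them per DC is to notice the same source host turning up across several rules, as WS0117 does in the constructed sample.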

What About Detection After the Fact?

Assume some unpatched DCs were touched between May 12 and June 1. Retrospective detection is harder than detection in flight because a successful attacker on a DC can clear event logs and rotate the krbtgt key on their own schedule. Three artifacts tend to survive even competent operators: SYSVOL replication anomalies introduced when a forged ticket touches GPO files, unusual NTDS.dit access patterns recorded in the Directory Service event log, and DPAPI master key reads from accounts that never previously enumerated them.

For Active Directory recovery, the safest assumption after suspected compromise is that the krbtgt key is in the attacker's possession. Rotate krbtgt twice with the recommended delay between the two resets, rotate all service account passwords, and force a domain-wide TGT and TGS reissue. Anything short of that leaves the attacker a re-entry path.
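The "twice with the recommended delay" rule follows from how the KDC treats the krbtgt password: it accepts tickets encrypted with either the current or the previous key, so one reset leaves any ticket forged with the stolen key valid, while a second reset made too soon rejects legitimate TGTs that were issued under the pre-reset key and are still within their lifetime. The small model below is an added example, not from the article or from Microsoft's reset tooling; it takes the krbtgt reset timestamps since the suspected compromise and reports both conditions. It assumes the Kerberos policy default of a 10-hour maximum user ticket lifetime and ignores replication latency, which a real schedule must add on top.

```python
"""Model of the two-step krbtgt reset (added example; timestamps are constructed)."""
from datetime import datetime, timedelta, timezone

# Kerberos policy default "Maximum lifetime for user ticket". Assumption: the
# domain runs the default; read the actual value from domain policy otherwise.
DEFAULT_MAX_TGT_LIFETIME = timedelta(hours=10)


def krbtgt_rotation_status(reset_times, now, max_tgt_lifetime=DEFAULT_MAX_TGT_LIFETIME):
    """Evaluate krbtgt resets performed since the suspected compromise.

    reset_times: datetimes of each krbtgt password reset (pwdLastSet) after the
    compromise window, in any order. Returns a dict describing whether tickets
    forged with the stolen key are still accepted and whether the second reset
    was early enough to break legitimate, still-valid TGTs.
    """
    resets = sorted(reset_times)
    status = {
        "resets_since_compromise": len(resets),
        # The KDC honours the current and the previous key, so the stolen key is
        # only retired once two resets have pushed it out of the history.
        "stolen_key_still_accepted": len(resets) < 2,
        "second_reset_too_early": False,
        "earliest_safe_second_reset": None,
        "safe_to_perform_second_reset_now": False,
    }
    if resets:
        # Tickets issued under the stolen key expire at most one max lifetime
        # after the first reset; resetting again before then invalidates them
        # while they are still legitimately in use (replication time not included).
        earliest = resets[0] + max_tgt_lifetime
        status["earliest_safe_second_reset"] = earliest
        status["safe_to_perform_second_reset_now"] = len(resets) == 1 and now >= earliest
    if len(resets) >= 2:
        status["second_reset_too_early"] = (resets[1] - resets[0]) < max_tgt_lifetime
    return status


if __name__ == "__main__":
    first = datetime(2026, 6, 2, 8, 0, tzinfo=timezone.utc)  # constructed timestamps
    print(krbtgt_rotation_status([first], now=first + timedelta(hours=1)))
    print(krbtgt_rotation_status([first, first + timedelta(hours=2)], now=first + timedelta(hours=3)))
    print(krbtgt_rotation_status([first, first + timedelta(hours=12)], now=first + timedelta(hours=13)))
```

The second of the three calls shows the failure mode worth avoiding during an incident: a second reset two hours after the first retires the stolen key, but at the cost of every TGT issued before the first reset, which is an outage across the domain rather than a security gain.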

How Does This Fit the 2026 Edge Bug Pattern?

Netlogon is technically an internal service, not an edge appliance, but the pattern of "patched silently, weaponized loudly" is the same one that hit edge VPNs and identity providers earlier this year. The Palo Alto CVE-2026-0257 authentication bypass went from public disclosure to mass exploitation in five days. The Cisco SD-WAN CVE-2026-20182 authentication bypass exploited by UAT-8616 got a three-day federal patch deadline. CVE-2026-41089 fits the same arc: a quiet disclosure followed by a national CSIRT advisory three weeks later.

Per Microsoft's advisory, the assessed exploitability rating has now been corrected. CISA had not yet added CVE-2026-41089 to its Known Exploited Vulnerabilities catalog as of the Belgian advisory, but a KEV listing with a sub-two-week federal deadline is the most likely next step.

What Happens Next?

Two near-term outcomes. Public proof-of-concept code is likely within days; the bin-diff is straightforward and the prize is the largest of any 2026 Windows bug to date. Patch coverage in regulated industries will catch up quickly under KEV pressure; coverage in small-business and education environments, which run unpatched domain controllers for months at a time, will not. Expect a second exploitation curve aimed at those slower targets through the summer.

Longer term, the Netlogon RPC surface is a recurring problem. Microsoft has now shipped three high-severity unauthenticated bugs in this protocol since 2020. Defenders should treat unrestricted Netlogon RPC reachability as a structural risk and segment domain controllers accordingly, independent of any individual CVE.
