ctipilot.ch

Windows Netlogon stack-buffer overflow — unauthenticated remote RCE on domain controllers (CVSS 9.8, May 2026 Patch Tuesday)

cve · CVE-2026-41089

Coverage timeline: 6 entries · first 2026-05-13 → last 2026-06-14
Briefs: 5 (5 distinct)
Sources cited: 236 (84 hosts)
Sections touched: 6 · action_items, immediate_actions, trending_vulns
Co-occurring entities: 8 · see Related entities below

Story timeline

  1. 2026-06-14 · CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026)
     weekly_summary: Consolidated in § 1; CERT-EU 2026-007 confirmed ITW exploitation in the EU
  2. 2026-06-11 · CTI Daily Brief — 2026-06-11
     updates: CERT-EU advisory 2026-007 (10 Jun) + CCB Belgium confirm ITW exploitation; per-version patched-build table.
  3. 2026-06-08 · CTI Weekly Summary — 2026-W23 (1–7 June 2026)
     weekly_highest_impact: Weekly recap: pre-auth SYSTEM RCE on DCs; Belgium CCB confirmed active exploitation; patch since 13 May.
  4. 2026-06-02 · CTI Daily Brief — 2026-06-02
     immediate_actions: UPDATE: active ITW exploitation confirmed by CCB Belgium 2026-06-01 on the May Patch Tuesday Netlogon RCE; promoted to Immediate Action. Microsoft advisory not yet updated to mark exploited.
  5. 2026-05-13 · CTI Daily Brief — 2026-05-13
     trending_vulns: May 2026 Patch Tuesday; ZDI flags wormable-candidate; MDASH-discovered.
  6. 2026-05-13 · CTI Daily Brief — 2026-05-13
     action_items: Action item referencing in-brief detail.

Where this entity is cited

  • trending_vulns: 1
  • action_items: 1
  • immediate_actions: 1
  • weekly_highest_impact: 1
  • updates: 1
  • weekly_summary: 1

Source distribution

  • attack.mitre.org: 43 (18%)
  • thehackernews.com: 20 (8%)
  • bleepingcomputer.com: 13 (6%)
  • msrc.microsoft.com: 13 (6%)
  • helpnetsecurity.com: 11 (5%)
  • isc.sans.edu: 7 (3%)
  • microsoft.com: 6 (3%)
  • securityweek.com: 5 (2%)
  • other: 118 (50%)

Related entities

External references

NVD · cve.org · CISA KEV

Items in briefs about Windows Netlogon stack-buffer overflow — unauthenticated remote RCE on domain controllers (CVSS 9.8, May 2026 Patch Tuesday) (5)

CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, confirmed exploited in the EU

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

If you did nothing this week: every unpatched domain controller in your forest is a pre-auth remote-code-execution target as SYSTEM, and the exploitation is no longer hypothetical — CERT-EU confirmed in-the-wild abuse in its jurisdiction this week.

CVE-2026-41089 is a CVSS 9.8 stack-based buffer overflow (CWE-121) in the Windows Netlogon RPC service. It was disclosed and patched in the May/June cycle and tracked in the W23 weekly as a disclosure-and-patch story. This week CERT-EU published advisory 2026-007 (10 June) confirming active exploitation against unpatched DCs in the EU (CERT-EU 2026-007; daily 06-11). A domain controller compromise is full-domain compromise: the entire identity plane is in scope.

Patch every domain controller now — DCs are the one asset class where "patch window" is not a negotiation. Where patching lags, restrict Netlogon RPC exposure at the network layer and hunt for anomalous pre-authentication RPC traffic to DCs and for new SYSTEM-context processes on those hosts.

UPDATE: Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007

From CTI Daily Brief — 2026-06-11 · published 2026-06-11

UPDATE (originally covered 2026-W23 weekly): CERT-EU published advisory 2026-007 on 10 June 2026 confirming that CVE-2026-41089 — a CVSS 9.8 stack-based buffer overflow (CWE-121) in the Windows Netlogon service — is being actively exploited in the wild, citing Belgium's Centre for Cybersecurity (CCB) (CERT-EU, 2026-06-10). This is the material delta since the weekly's disclosure-only coverage: an EU national authority has now attributed in-the-wild exploitation, roughly 20 days after the May 2026 Patch Tuesday fix.

An unauthenticated remote attacker sends a crafted Netlogon RPC packet to obtain SYSTEM-level code execution on an unpatched domain controller — functionally a full Active Directory forest compromise, in the ZeroLogon lineage of Netlogon-channel attacks (BleepingComputer, 2026-06-01). CERT-EU's advisory carries the per-version patched-build table: Server 2016 before 10.0.14393.9140, Server 2019 before 10.0.17763.8755, Server 2022 before 10.0.20348.5074, Server 2022 23H2 before 10.0.25398.2330, and Server 2025 before 10.0.26100.32772, with Server 2012/2012 R2 also affected.
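The per-version patched-build table above is the check most teams want to automate across a forest. The script below is an added example, not part of the brief or of CERT-EU's advisory: it enumerates every domain controller, reads the installed four-part build (including the UBR revision that the cumulative update bumps) from the remote registry, and compares it against the thresholds quoted in the brief. The thresholds are the brief's; the registry read, the forest enumeration over WinRM and the output shape are this example's own assumptions, and Server 2012/2012 R2 fall through to an "unknown baseline" status because the brief gives no fixed build for them.

```powershell
# Added example (not from the briefs or from CERT-EU): compare each DC's installed
# build against the patched-build thresholds quoted from CERT-EU 2026-007.
# Requires the ActiveDirectory module and WinRM access to the DCs.

# Minimum patched build per OS build line, as quoted in the brief.
$PatchedBuilds = @{
    '14393' = [version]'10.0.14393.9140'    # Server 2016
    '17763' = [version]'10.0.17763.8755'    # Server 2019
    '20348' = [version]'10.0.20348.5074'    # Server 2022
    '25398' = [version]'10.0.25398.2330'    # Server 2022 23H2
    '26100' = [version]'10.0.26100.32772'   # Server 2025
}

function Test-NetlogonBuild {
    # Pure comparison: given a full four-part build, decide PATCHED / VULNERABLE / UNKNOWN_BASELINE.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][version]$Build
    )
    $line = [string]$Build.Build            # third component, e.g. 20348
    if (-not $PatchedBuilds.ContainsKey($line)) {
        # Server 2012/2012 R2 (build 9200/9600) are listed as affected, but no fixed build is given.
        return [pscustomobject]@{ ComputerName = $ComputerName; Build = $Build; Required = $null; Status = 'UNKNOWN_BASELINE' }
    }
    $required = $PatchedBuilds[$line]
    $status   = if ($Build -ge $required) { 'PATCHED' } else { 'VULNERABLE' }
    [pscustomobject]@{ ComputerName = $ComputerName; Build = $Build; Required = $required; Status = $status }
}

function Get-InstalledBuild {
    # Read major.minor.build.UBR from the remote registry and return it as a string.
    # UBR is the revision the monthly cumulative update changes, so it is what separates
    # a patched build from an unpatched one within the same OS line.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        if ($nt.CurrentMajorVersionNumber) {
            $major = $nt.CurrentMajorVersionNumber
            $minor = $nt.CurrentMinorVersionNumber
        } else {
            # Server 2012/2012 R2 only expose CurrentVersion ("6.2" / "6.3").
            $major, $minor = $nt.CurrentVersion -split '\.'
        }
        $ubr = if ($null -ne $nt.UBR) { $nt.UBR } else { 0 }
        '{0}.{1}.{2}.{3}' -f $major, $minor, $nt.CurrentBuildNumber, $ubr
    }
}

# Enumerate every DC in every domain of the forest and report, VULNERABLE first.
$report = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $build = [version](Get-InstalledBuild -ComputerName $dc.HostName)
        Test-NetlogonBuild -ComputerName $dc.HostName -Build $build
    }
}
$report | Sort-Object Status -Descending | Format-Table -AutoSize
```

Run it from a management host with the RSAT ActiveDirectory module; a DC that cannot be reached over WinRM will throw at the cast and should be treated as unverified rather than patched. Test-NetlogonBuild is deliberately separated from the collection so the same comparison can be fed from a CMDB export or an EDR inventory instead of live registry reads.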

CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, actively exploited

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

If you did nothing this week: pre-auth remote-code execution as SYSTEM on every unpatched domain controller in your forest. Belgium's CCB confirmed active exploitation on 1 June. The May Patch Tuesday fix has been available since 13 May.

CVE-2026-41089 (CVSS 9.8) is a stack-based buffer overflow in the Windows Netlogon service (MS-NRPC), first covered as an emergency action on 2 June (daily 2026-06-02). A crafted NRPC request to a domain controller triggers a memory-corruption condition before any credential exchange, allowing an unauthenticated network attacker to execute code as SYSTEM (Microsoft MSRC; BleepingComputer, 2026-06-01). All currently supported Windows Server releases including Server 2025 are affected. Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation; at the time of the daily brief Microsoft had not yet updated its advisory to reflect it.

The operational priority here is the target class — domain controllers — and the fact that Netlogon is necessarily reachable from every domain-joined machine in the estate. An attacker who has compromised any domain-joined workstation can move laterally to a DC without credentials if the patch has not been applied. Detection concepts: anomalous NRPC session counts from non-DC source addresses; Windows Security EID 4625 (authentication failures) spikes on DCs correlated with unexpected source IPs; network-layer alerts on NRPC/RPC-over-named-pipe from workstation segments. Patch immediately. If patching is delayed, restrict Netlogon/LDAP exposure to trusted hosts at the network layer.

UPDATE: Windows Netlogon CVE-2026-41089 moves from "patch-available" to actively exploited

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

UPDATE (originally covered 2026-05-13): The Windows Netlogon stack-based buffer-overflow RCE patched in May 2026 Patch Tuesday is now reported as exploited in the wild. Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation on 1 June, and BleepingComputer, Help Net Security and SecurityWeek reported the same (BleepingComputer, 2026-06-01 · Help Net Security, 2026-06-01).

The vulnerability is an unauthenticated, network-reachable overflow in the Netlogon service that yields SYSTEM on a domain controller, affecting all currently supported Windows Server releases including Server 2025 (Microsoft MSRC). Microsoft had not updated its advisory to mark the CVE exploited as of 1 June, so the exploitation signal currently rests on CCB plus the reporting outlets rather than the vendor. The operational shift is decisive: a flaw previously reasonable to schedule into a patch cycle is now an emergency change for every internet- or network-reachable DC. See §0 for the immediate action.

CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 — Microsoft May 2026 Patch Tuesday (120+ CVEs, no zero-days)

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

Microsoft shipped roughly 120 CVE fixes in the May 2026 cumulative updates (source counts vary 118–138 depending on whether developer-tools and Azure-only items are included); ZDI counts ~30 Critical, none under active exploitation at release (Tenable, 2026-05-12; Krebs on Security, 2026-05-12; ZDI, 2026-05-12).

CVE-2026-41089 (Windows Netlogon, CVSS 9.8, CWE-121 stack buffer overflow): unauthenticated remote attacker over the network reaches the domain-controller Netlogon RPC endpoint; Microsoft marks "Exploitation Less Likely" but ZDI flags the pattern as wormable-candidate.

CVE-2026-41096 (Windows DNS Client, CVSS 9.8, CWE-122 heap overflow in dnsapi.dll): a crafted DNS response from a MitM or rogue resolver yields code execution as NetworkService on every Windows host; defender exposure is anywhere a host might receive an attacker-influenced DNS reply.

CVE-2026-41103 (Microsoft SSO Plugin for Jira/Confluence, CVSS 9.1, "Exploitation More Likely"): unauthenticated attacker forges an Entra ID credential to sign in to self-managed Atlassian; affects public-sector DevSecOps stacks using Microsoft's Entra-ID auth plugin.

CVE-2026-42898 (Dynamics 365 On-Premises, CVSS 9.9): authenticated code injection with scope change — a rare privilege-boundary violation in this product family.

Four Microsoft Word RCEs (CVE-2026-40361 / CVE-2026-40364 / CVE-2026-40366 / CVE-2026-40367, CVSS 8.4 each) have the Preview Pane as an attack vector and two are rated "Exploitation More Likely".

MITRE ATT&CK mappings: T1210 Exploitation of Remote Services (Netlogon), T1071.004 Application Layer Protocol: DNS (DNS Client), T1078.004 Cloud Accounts (Entra forgery).

Detection concepts: monitor Netlogon authentication-pattern anomalies (4624 Logon Type 3 to DCs from unexpected internal sources, paired with 4769 ticket-request anomalies); alert on outbound DNS to non-corporate resolvers from DC and member hosts; audit Atlassian SSO plugin version inventory; disable Outlook Preview Pane as an interim mitigation for Word RCEs.

Hardening: prioritise DCs first (Netlogon is on the DC boundary); inventory dnsapi.dll patch state across the fleet; inventory self-managed Atlassian deployments and apply the SSO plugin update before the next work week.
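The two event-log signals named in the W23 weekly (EID 4625 failure spikes on DCs from unexpected source IPs) and in the detection concepts above (4624 Logon Type 3 to DCs from unexpected internal sources) can be hunted from the DC's Security log directly. The script below is an added example, not from the briefs: it pulls 4624/4625 for a lookback window, flattens the EventData fields, and returns one finding per source address that either performed network logons from outside an allow-list or exceeded a failure threshold. The DC name, the allow-list regex patterns, the threshold and the window are assumptions to tune per environment; the NRPC session-count and named-pipe signals the briefs also mention need flow or firewall telemetry and are not covered here.

```powershell
# Added example (not from the briefs): hunt a DC's Security log for the 4624 Logon Type 3
# and 4625 signals described in the briefs. All names and thresholds are hypothetical.

function Get-LogonEvents {
    # Pull 4624/4625 from the Security log and flatten the EventData fields we need.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][datetime]$Since
    )
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Id        = $_.Id
                Time      = $_.TimeCreated
                Source    = $data['IpAddress']
                LogonType = $data['LogonType']
                User      = $data['TargetUserName']
            }
        }
}

function Find-NetlogonAnomalies {
    # Two checks over the flattened events:
    #  1. network logons (4624, LogonType 3) whose source matches none of the expected patterns
    #  2. any source that produced at least $FailureThreshold 4625 events in the window
    param(
        [AllowEmptyCollection()][object[]]$Events = @(),
        [string[]]$ExpectedSourcePatterns = @(),
        [int]$FailureThreshold = 50
    )
    # Drop local/loopback entries, which carry no network source.
    $real = $Events | Where-Object { $_.Source -and $_.Source -notin '-', '::1', '127.0.0.1' }

    $unexpected = $real |
        Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '3' } |
        Where-Object { $src = $_.Source; -not ($ExpectedSourcePatterns | Where-Object { $src -match $_ }) } |
        Group-Object Source |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'UNEXPECTED_NETWORK_LOGON_SOURCE'
                Source  = $_.Name
                Count   = $_.Count
                Users   = ($_.Group.User | Sort-Object -Unique) -join ','
            }
        }

    $spikes = $real |
        Where-Object { $_.Id -eq 4625 } |
        Group-Object Source |
        Where-Object { $_.Count -ge $FailureThreshold } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'AUTH_FAILURE_SPIKE'
                Source  = $_.Name
                Count   = $_.Count
                Users   = ($_.Group.User | Sort-Object -Unique) -join ','
            }
        }

    @($unexpected) + @($spikes)
}

# Usage (hypothetical DC name and admin/DC subnets): last 24 hours, flag anything outside 10.10.0.x / 10.10.1.x.
$events = Get-LogonEvents -ComputerName 'DC01' -Since (Get-Date).AddHours(-24)
Find-NetlogonAnomalies -Events $events -ExpectedSourcePatterns @('^10\.10\.0\.', '^10\.10\.1\.') -FailureThreshold 50 |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

The allow-list is intentionally a set of regexes rather than CIDR maths so the example stays self-contained; in production, feed it from your DC/jump-host subnet inventory and run Find-NetlogonAnomalies on forwarded events in the SIEM rather than querying each DC live. A source appearing in both findings at once is the stronger signal, since it pairs the failed attempts with a successful network logon from the same host.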