Microsoft’s May 2026 Patch Tuesday, disclosed yesterday and covering 138 CVEs in total, buries the most dangerous fix on the list near the bottom of the bulletin. CVE-2026-41089 is an unauthenticated, network-reachable remote code execution flaw in the Netlogon Remote Protocol (MS-NRPC), rated CVSS 9.8. It affects every supported Windows Server release acting as a domain controller, from Server 2019 through Server 2025. There is no mitigation short of the update, and within hours of the advisory landing vendors were already reporting reconnaissance consistent with attempts to reach the vulnerable endpoint.

If you administer Active Directory, this is the bug that should be on your screen right now. Stop reading and go patch your DCs. The rest of the article will still be here.

The bug

The vulnerable code path is in the Netlogon service’s handling of authentication requests. Microsoft’s advisory describes it as a stack-based buffer overflow; downstream analysis from Vulert and Windows News attributes the underlying defect to an integer overflow in the length-validation logic for a caller-supplied field in an MS-NRPC structure. Either way the effect is the same: the caller-supplied length is never effectively bounded against the destination stack buffer, and a single crafted packet writes attacker-controlled bytes past its end.

Netlogon RPC is reachable over the SMB named pipe \\PIPE\NETLOGON (TCP 445) and over a dynamic TCP port advertised by the RPC endpoint mapper (TCP 135), so any host with network line-of-sight to a domain controller can deliver the exploit. No authentication stands in front of the vulnerable handler: the overflow happens during the protocol negotiation itself, before any credential exchange completes.

Successful exploitation yields code execution as NT AUTHORITY\SYSTEM on the domain controller. From there:

  • ntds.dit dump → every credential hash in the forest, including KRBTGT
  • KRBTGT hash → Golden Tickets, forest-wide persistence that survives password rotations
  • DC SYSTEM → GPO modification, simultaneous endpoint compromise via scheduled tasks pushed to every domain-joined host

This is the post-Zerologon comparison every writeup is making, and it is fair. Zerologon (CVE-2020-1472) was an authentication bypass: an unauthenticated attacker could spoof a Netlogon session, reset the DC’s machine-account password and work toward domain compromise from there. CVE-2026-41089 skips even that step: the first packet is the code execution.

Affected versions

Every supported Windows Server SKU running the Netlogon service. The patches in the May 12 cumulative updates cover:

  • Windows Server 2019 (build 17763.x)
  • Windows Server 2022 (build 20348.x), including Server Core
  • Windows Server 2025 (build 26100.x), including Server Core

Member servers and workstations also receive the Netlogon update, but the exploitable surface is on the DC side. If you have read-only domain controllers (RODCs) bridging branch offices, they are in scope too.

Exploitation

As of this writing there is no public proof-of-concept circulating in exploit kits, but multiple vendors report traffic consistent with internal reconnaissance against port 445 and the RPC endpoint mapper since the advisory was published. Given the simplicity of the bug class (length validation around a single field) and the value of the target, weaponized exploits are a matter of days, not weeks. Treat any DC you cannot patch in the next 24 hours as already compromised, and plan accordingly.

There is no off-switch for Netlogon on a domain controller; the service is required for AD to function. Network ACLs narrow the blast radius, but keep in mind what a DC has to serve: every domain member talks to it over TCP 445 for SYSVOL and Group Policy and over RPC for Netlogon itself, so the realistic filter is "domain-member and administrative subnets in, everything else (guest, OT, VPN, partner and internet-facing segments) out", not 445 locked to a handful of admin hosts. If you have not done this segmentation work already, the next Zerologon-equivalent CVE will hurt just as much.

What to do now

  1. Patch every domain controller first, ahead of any other Patch Tuesday work. May 2026 cumulative update via Windows Update or WSUS. Reboot is required.
  2. Audit Netlogon traffic for anomalies in the window between disclosure and patch completion. Look for opens of the \\PIPE\NETLOGON named pipe (Security event 5145 against the IPC$ share, which is only logged if Detailed File Share auditing is enabled) from hosts that are not domain members or that arrive as ANONYMOUS LOGON, and for sudden RPC traffic spikes against your DCs.
  3. Rotate the KRBTGT password twice if you have any reason to suspect a DC was reachable from an untrusted network during the exposure window. Two rotations, with the prescribed delay between them (at least the maximum TGT lifetime, 10 hours by default, and confirmed replication to every DC), is the only way to invalidate Golden Tickets minted from a leaked hash. Do it after the DCs are patched: rotating while an attacker still holds SYSTEM on a DC just hands them the new hash.
  4. Verify the patch. A file version that merely starts with 10.0.20348 proves nothing, since every Server 2022 build carries that prefix. Compare the full four-part file version of %SystemRoot%\System32\netlogon.dll against the file-information table in the KB article for your SKU, and confirm the May cumulative update shows up in the installed-updates list on every DC, RODCs included.
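The checks behind steps 2 through 4, as an added example that is not part of the original article and is not a Microsoft script. It assumes it is run on a domain controller as a Domain Admin with the ActiveDirectory RSAT module available, that Detailed File Share auditing is enabled (otherwise event 5145 is never written), and that the KB ID and the netlogon.dll file version are placeholders you fill in from the KB article for your SKU:

```powershell
#Requires -Modules ActiveDirectory
# Added example for the "What to do now" steps; not the article's code and not
# from Microsoft. $KbId and $ExpectedFileVersion are placeholders: take them
# from the KB article for your SKU.

# Step 4: did the May cumulative update actually land on this DC?
function Test-NetlogonPatch {
    param(
        [Parameter(Mandatory)][string]$KbId,                 # placeholder, e.g. the May LCU KB ID
        [Parameter(Mandatory)][version]$ExpectedFileVersion  # full 4-part version from the KB file table
    )
    $vi = (Get-Item "$env:SystemRoot\System32\netlogon.dll").VersionInfo
    $actual = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                             $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        FileVersion = $actual
        Patched     = ($actual -ge $ExpectedFileVersion)
        KbInstalled = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
        # The LCU is not effective until the DC has rebooted.
        NeedsReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
}

# Step 2: \PIPE\NETLOGON opens are logged as Security event 5145 on the IPC$ share
# (enable with: auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable).
# Every domain member legitimately hits this pipe, so the signal is the source:
# flag callers whose address does not reverse-resolve to a computer account in AD,
# and anonymous callers.
function Find-SuspiciousNetlogonPipeAccess {
    param([datetime]$Since = (Get-Date).AddDays(-2))

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = $Since } -ErrorAction SilentlyContinue
    $hits = foreach ($e in $events) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ShareName -eq '\\*\IPC$' -and $d.RelativeTargetName -eq 'netlogon') {
            [pscustomobject]@{
                Time = $e.TimeCreated
                Ip   = $d.IpAddress
                User = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            }
        }
    }

    $known = @{}   # cache: IP -> $true when it reverse-resolves to a domain computer
    $hits | Where-Object {
        $ip = $_.Ip
        if (-not $known.ContainsKey($ip)) {
            $known[$ip] = $false
            $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue | Select-Object -First 1
            if ($ptr) {
                $short = ($ptr.NameHost -split '\.')[0]
                $known[$ip] = [bool](Get-ADComputer -Filter "Name -eq '$short'" -ErrorAction SilentlyContinue)
            }
        }
        (-not $known[$ip]) -or ($_.User -match 'ANONYMOUS LOGON$')
    } | Sort-Object Time
}

# Step 3: one KRBTGT reset. Call it twice, at least the maximum TGT lifetime
# (10 hours by default) apart, and only after every DC is patched; an attacker
# who still holds SYSTEM on a DC simply dumps the new hash.
function Reset-KrbtgtOnce {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([int]$MinHoursSinceLast = 10)

    $krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    if ($age.TotalHours -lt $MinHoursSinceLast) {
        throw "Last reset was $([int]$age.TotalHours)h ago; wait until $($krbtgt.PasswordLastSet.AddHours($MinHoursSinceLast))."
    }
    if ($PSCmdlet.ShouldProcess('krbtgt', 'reset password')) {
        # Nobody ever needs to know this value, so it is random and discarded.
        $bytes = [byte[]]::new(48)
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw
        # Push the change to every DC before the clock for the second reset starts.
        repadmin /syncall /AdeP | Out-Null
    }
}

# Usage (the KB ID and version are placeholders from the KB article):
#   $kb = 'KB<from the KB article>'; $ver = '10.0.20348.<from the KB article>'
#   Get-ADDomainController -Filter * | ForEach-Object {
#       Invoke-Command -ComputerName $_.HostName -ScriptBlock ${function:Test-NetlogonPatch} -ArgumentList $kb, $ver }
#   Find-SuspiciousNetlogonPipeAccess -Since (Get-Date '2026-05-12') | Format-Table
#   Reset-KrbtgtOnce     # and again at least 10 hours later
```

Find-SuspiciousNetlogonPipeAccess is deliberately a source-based filter rather than a volume one: the pipe is opened by every member at every logon, so a spike alone tells you little, but a caller that is not a computer object in the domain (or that arrives anonymously) is exactly the host that has line-of-sight to the DC without belonging to it. Reset-KrbtgtOnce refuses to run a second time inside the 10-hour window so that the two rotations cannot be collapsed into one by an impatient operator.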

The rest of the May Patch Tuesday haul is significant in its own right — CVE-2026-41096 (Windows DNS Client heap overflow, CVSS 9.8, RCE via a malicious DNS response) and CVE-2026-42898 (Dynamics 365 RCE, CVSS 9.9, any authenticated user) both warrant their own remediation tracks. But the Netlogon bug is the one that puts your entire identity infrastructure in scope from a single packet. Patch order matters.

References