A single UDP packet on port 389. No authentication. No interaction. And the domain controller goes down. CVE-2026-41089 in Windows Netlogon is not a theoretical risk — active exploitation was confirmed by CCB Belgium on May 29. The patch has been available since May 12. And most DCs remain unpatched.
The bug: buffer overflow from unvalidated size
The Windows Netlogon Remote Protocol (MS-NRPC) is the service that authenticates users and machines in Active Directory. It runs on every domain controller. You cannot disable it without breaking the domain.
The attacker sends a crafted CLDAP SearchRequest to UDP 389. The "User" field accepts up to 130 wide chars. Netlogon serializes the response into a 528-byte stack buffer using the function NetpLogonPutUnicodeString — which does not receive the total buffer size as a parameter. When the DC's DNS domain name exceeds 50 characters, the combined data overflows the 528-byte buffer. The overflow corrupts the GS stack cookie. LSASS crashes with code 0xc0000409. The DC reboots in 60 seconds.
528 bytes of buffer, one function without a size parameter, and the most sensitive AD service crashes with an unauthenticated UDP packet. Buffer overflow by unvalidated size — the same class of bug for 20 years.
The technical detail: controllable size, uncontrollable content
The bytes that overflow are DNS names from the server, not data injected by the attacker. In practice, the attacker controls the size of the overflow, not the content. This means RCE is unlikely in the current state — but DoS is trivial.
Crashing LSASS on a domain controller is not a minor incident. LSASS hosts all Kerberos and NTLM authentication for the domain. When LSASS goes down, the DC stops authenticating. When the DC reboots, the domain loses authentication for 60 seconds — or longer, if LSASS does not come up clean. In environments with a single DC, this means a complete outage.
But CCB Belgium confirmed active exploitation. And Microsoft classified the vulnerability as wormable. Unauthenticated, network-reachable, and targeting DCs — that is what matters, regardless of RCE versus DoS.
Who is vulnerable: all Windows DCs
Every Windows Server acting as a domain controller is affected: 2012, 2012 R2, 2016, 2019, 2022, and 2025, including Server Core. Windows 10 and 11 are not affected. Non-DC servers are not affected either.
DCs with short DNS names — like example.com — are not vulnerable to the current PoC. DCs with FQDNs of 50+ characters are. This includes environments with long subdomain chains, like dc01.corp.company.com.br, or naming conventions that accumulate DNS domains.
The patch is KB5089549, available in the May 2026 cumulative updates. Feature_404993339 replaces NetpLogonPutUnicodeString with RtlStringCbCopyExW using a byte-count budget — the function now knows the buffer size before writing.
Immediate mitigation: patch, segment, and monitor
The patch is the fix. There is no workaround that replaces it. Apply KB5089549 to all DCs. Do not wait for the next cycle. DCs first — always.
If you cannot patch right now, the mitigations are clear:
- Restrict MS-NRPC on the network. DCs must not be reachable from user VLANs, DMZ, or VPN pools. Host firewalls and network segmentation reduce the attack surface.
- Check your DCs' DNS names. 50+ characters is immediate risk. If any DC exceeds the limit, prioritize patching that server.
- Monitor LSASS crashes. WER IDs 1000/1001 in netlogon.dll, code 0xc0000409, and anomalous CLDAP traffic on UDP port 389 are indicators of exploitation.
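The two checks in the list above (DC DNS name length against the 50-character threshold, and the LSASS crash signature in the Application log), as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory RSAT module is installed and that remote Event Log access to the DCs is permitted.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# RSAT module and remote Event Log access (Get-WinEvent -ComputerName) to the DCs.
Import-Module ActiveDirectory

# The advisory puts the risk threshold at 50 characters for the DC's DNS name.
# The FQDN contains the domain name, so checking the FQDN is the conservative choice.
$Threshold = 50
$DCs = Get-ADDomainController -Filter *

"== DC DNS name length (threshold: $Threshold chars) =="
foreach ($dc in $DCs) {
    $len  = $dc.HostName.Length
    $flag = if ($len -ge $Threshold) { 'AT RISK - patch first' } else { 'below threshold' }
    '{0,-55} {1,3} chars  {2}' -f $dc.HostName, $len, $flag
}

# Crash signature from the advisory: Application Error (ID 1000) / Windows Error
# Reporting (ID 1001) on lsass.exe, faulting module netlogon.dll, exception code
# 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN, the /GS cookie check failing).
# WER 1001 writes the code without the 0x prefix, so match on 'c0000409'.
"== LSASS crash events matching the Netlogon signature (last 7 days) =="
$filter = @{ LogName = 'Application'; Id = 1000, 1001; StartTime = (Get-Date).AddDays(-7) }
foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'lsass\.exe' -and
            $_.Message -match 'netlogon\.dll' -and
            $_.Message -match 'c0000409'
        } |
        Select-Object MachineName, TimeCreated, Id, ProviderName
}
```

Each hit is a crash carrying the advisory's signature and should be correlated with CLDAP traffic on UDP 389 from the same window; an empty result only means the DC has not crashed this way, not that it is patched.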
These mitigations are not optional. They are the minimum any infrastructure with Windows DCs should have — with or without an active CVE.
The lesson: same bug class for 20 years
Buffer overflow from unvalidated size. This is the same class of vulnerability that has existed in Windows for two decades. The function NetpLogonPutUnicodeString does not receive the buffer size as a parameter. It writes until it runs out of space. When the space runs out, the stack corrupts. LSASS crashes. The DC reboots.
The patch fixes the function. But it does not fix the mindset that allows functions without size validation to reach production in critical authentication services. MS-NRPC is the protocol that authenticates the entire domain. It cannot have functions that write to buffers without knowing the size.
At Tech86, we audit Windows Server infrastructure and Active Directory with a focus on authentication attack surfaces. If your DCs are exposed, you need to know before the next packet arrives.
