Tuesday, May 26, 2026

Micropatches released for Windows Netlogon Remote Code Execution Vulnerability (CVE-2026-41089)

 


May 2026 Windows Updates brought a patch for CVE-2026-41089, a remotely exploitable issue on Windows Server acting as a domain controller. Under certain conditions, an unauthenticated attacker on the local network could send a malicious request to the server and cause memory corruption, which could potentially be escalated to arbitrary code execution.

The vulnerability was found internally by Microsoft, but the official patch was reverse engineered and turned into a proof-of-concept by Aretiq AI. This, with a bit of our own effort, allowed us to reproduce the issue and create patches for legacy Windows users.


The Vulnerability 

This is a pre-authentication remotely exploitable vulnerability in the Netlogon service on a Windows Server acting as a domain controller. A single carefully crafted UDP packet to the CLDAP DC-locator port (UDP/389) overflows a stack buffer inside the LSASS process, corrupts memory, and crashes the process. The server reboots about 60 seconds later.

There are multiple issues in the vulnerable code leading to a buffer overrun, the most problematic being that the maximum string length passed to the NetpLogonPutUnicodeString function was specified in bytes but treated as a count of WCHARs, which effectively doubled the length that could be written.

Microsoft's Patch

Microsoft fixed this issue with multiple code changes, hardening the whole NetpLogonPutUnicodeString function. They replaced a manual string copy loop with a safer function call, zero-initialized the buffer, and changed the size argument from being interpreted as WCHARs to bytes.


Our Patch

Our patch takes a more minimal approach and only halves the maximum string size for the user-supplied username. This is the only attacker-controlled value, so fixing other places in the same code would add no value. Our patch is therefore a single CPU instruction: mov edx, 0x40.
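The length-unit confusion behind this overrun, and the two ways of closing it (converting the byte limit to a WCHAR count, or simply halving the constant), as an added C model that is not Microsoft's or 0patch's code. The 0x80-byte buffer, the function names and the shape of the comparison are assumptions; a 0x7F-WCHAR username passes the confused check and writes 0x100 bytes, while the corrected and the halved checks both reject it.

```c
/* Constructed model of the bytes-vs-WCHARs confusion; not the real
 * NetpLogonPutUnicodeString. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t WCHAR;            /* UTF-16 code unit, as on Windows */
#define DST_BYTES     0x80         /* capacity of the destination buffer, in bytes */
#define MAX_LEN_BYTES 0x80         /* limit the caller intends, in bytes */

typedef struct {
    bool   accepted;       /* did the length check let the string through? */
    size_t bytes_written;  /* bytes the copy writes, including the NUL      */
    bool   overflow;       /* did bytes_written exceed DST_BYTES?           */
} put_result;

static size_t wlen(const WCHAR *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Shared copy step, run only once the caller's check accepted the string.
 * It writes into a scratch buffer that is deliberately larger than DST_BYTES,
 * so an overrun is recorded in the result instead of corrupting the stack. */
static put_result do_copy(const WCHAR *src, size_t n_wchars, bool accepted) {
    put_result r = { accepted, 0, false };
    if (!accepted) return r;
    WCHAR scratch[2 * DST_BYTES];              /* oversized on purpose */
    memcpy(scratch, src, n_wchars * sizeof(WCHAR));
    scratch[n_wchars] = 0;
    r.bytes_written = (n_wchars + 1) * sizeof(WCHAR);
    r.overflow = r.bytes_written > DST_BYTES;
    return r;
}

/* Confused variant: max_len arrives in bytes but is compared against a WCHAR
 * count, so up to MAX_LEN_BYTES-1 WCHARs (nearly twice the capacity) pass. */
put_result put_unicode_string_confused(const WCHAR *src, size_t max_len) {
    size_t n = wlen(src);
    return do_copy(src, n, n < max_len);
}

/* Microsoft-style fix: convert the byte limit to WCHARs before comparing,
 * leaving room for the terminating NUL. */
put_result put_unicode_string_fixed(const WCHAR *src, size_t max_len_bytes) {
    size_t n = wlen(src);
    return do_copy(src, n, (n + 1) * sizeof(WCHAR) <= max_len_bytes);
}

/* 0patch-style fix: keep the confused comparison but halve the constant fed
 * to it (the "mov edx, 0x40" in the post), so the WCHAR count can no longer
 * exceed the byte capacity. */
put_result put_unicode_string_halved(const WCHAR *src) {
    return put_unicode_string_confused(src, MAX_LEN_BYTES / 2);
}

/* Builds a NUL-terminated UTF-16 string of n 'A' characters in out[]. */
void make_wstring(WCHAR *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = (WCHAR)'A';
    out[n] = 0;
}
```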

Let's see our patch in action. First, with 0patch disabled, the attacker sends a malicious UDP packet to the server and crashes the LSASS process. With 0patch enabled, sending the same packet has no negative effect.


 

 

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows Server 2008 R2 - fully updated with no ESU or with ESU 1, ESU 2, ESU 3 or ESU 4
  2. Windows Server 2012 - fully updated with no ESU or with ESU 1
  3. Windows Server 2012 R2 - fully updated with no ESU or with ESU 1 

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things. 

We'd like to thank Aretiq AI for sharing their analysis and proof of concept, which allowed us to create patches for Windows versions that are no longer receiving official updates from Microsoft.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here

To learn more about 0patch, please visit our Help Center.

 

Monday, May 25, 2026

Micropatches released for Windows Shell Link Processing Spoofing Vulnerability (CVE-2026-25185)

 

March 2026 Windows Updates brought a patch for CVE-2026-25185, a flaw in Windows Explorer's processing of .LNK files that allowed an attacker to force the user's computer to authenticate to a malicious server when the user viewed a shared folder.

The vulnerability was found by TrustedSec researcher Christopher Paschen, who also wrote a detailed article and shared a proof-of-concept, which allowed us to reproduce the issue and create patches for legacy Windows users.

 

The Vulnerability 

Quoting Christopher: "In short, if you have a .lnk with a populated Darwin ExtraData block, and a populated icon environment data block, the system will attempt to open the path pointed to by the icon environment data block. This causes the system to authenticate out to the target, allowing for relay and various credential attacks."

 

Microsoft's Patch

Microsoft fixed this by adding two IsTrustedZonePath calls before both PathFileExistsW calls in CShellLink::_UpdateIconFromExpIconSz. These are basically just MapUrlToZone checks with some extra checks in case this function fails. If the path is declared to be Local, Intranet, or Trusted, PathFileExistsW is called, but if the path is Internet or Restricted, the call is skipped.

 

Our Patch

Our patch is logically identical to Microsoft's.

 

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H1 - fully updated
  5. Windows 10 v20H2 - fully updated
  6. Windows 10 v2004 - fully updated
  7. Windows 10 v1909 - fully updated
  8. Windows 10 v1809 - fully updated
  9. Windows 10 v1803 - fully updated
  10. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  11. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  12. Windows Server 2012 - fully updated with no ESU or ESU 1
  13. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things. 

We'd like to thank TrustedSec researcher Christopher Paschen for sharing the details and their proof-of-concept, which allowed us to create a patch for Windows users who are no longer receiving official Windows patches.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here

To learn more about 0patch, please visit our Help Center.

 

Tuesday, May 19, 2026

Micropatches released for Windows Accessibility Infrastructure Elevation of Privilege Vulnerability (CVE-2026-24291, CVE-2026-25186, CVE-2026-25187)



March 2026 Windows Updates brought a patch for three related vulnerabilities, CVE-2026-24291, CVE-2026-25186 and CVE-2026-25187. All three have a common root cause: a local user can create a symbolic link in a registry key associated with their user session, tricking a privileged process into following that link and performing its privileged operation on whatever the link points to, resulting in privilege escalation or information disclosure.

The three issues were reported to Microsoft by Google Project Zero security researcher James Forshaw. In addition, after Microsoft had patched these issues, MDSec's Filip Dragovic posted an article revealing that they had also known about this issue (dubbed "RegPwn") and had been using it in their internal red team engagements.

We initially addressed CVE-2026-24291 with our patch, but the patch then turned out to also resolve CVE-2026-25186 and CVE-2026-25187, which is why we're covering all three issues in the same article (and the same patch).

 

The Vulnerability 

The vulnerability is in the default permissions on the "Session <X>" subkey of the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility registry key. The Session subkey is created for every new desktop session and allows the user owning the session to modify its content, including creating symbolic links. Since various privileged processes then use the content of this subkey, a local attacker can make them do... things.

The three CVE IDs refer to different ways of exploiting the same problem:

  1. CVE-2026-24291: ATBroker.exe can be manipulated into creating an arbitrary registry key with any content, even in areas not writable by the user.
  2. CVE-2026-25186: ATBroker.exe can be manipulated into copying a sensitive registry key from a secure location where the user cannot read it, to a location where the user can read it.
  3. CVE-2026-25187: WinLogon can be manipulated into deleting an arbitrary registry key, potentially disabling some security features.

 

Microsoft's Patch

Microsoft patched all these issues by removing the "create symbolic links" permission for the session user on registry key "Session <X>".

 

Our Patch

Our patch is identical to Microsoft's.

 

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H1 - fully updated
  5. Windows 10 v20H2 - fully updated
  6. Windows 10 v2004 - fully updated
  7. Windows 10 v1909 - fully updated
  8. Windows 10 v1809 - fully updated
  9. Windows 10 v1803 - fully updated
  10. Windows Server 2012 - fully updated with no ESU, ESU 1 or ESU 2
  11. Windows Server 2012 R2 - fully updated with no ESU, ESU 1 or ESU 2


Windows 7 and Server 2008 R2 aren't using these registry keys in the same way, and were found not to be affected.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things. 

We'd like to thank Google Project Zero security researcher James Forshaw and MDSec's Filip Dragovic for publishing their analyses and proofs-of-concept, which allowed us to create a patch for legacy Windows users.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here

To learn more about 0patch, please visit our Help Center.

 

Wednesday, April 22, 2026

Micropatches released for Windows Telephony Service Elevation of Privilege Vulnerability (CVE-2026-20931)

 


January 2026 Windows Updates brought a patch for CVE-2026-20931, a privilege escalation in Windows Telephony Service that allowed a remote low-privileged attacker to promote themselves to a service administrator, and then have the service execute their malicious code remotely. 

The vulnerability was found and reported to Microsoft by Sergey Bliznyuk with Positive Technologies, who also published a detailed technical article that allowed us to reproduce the issue and create patches for legacy Windows users.

 

The Vulnerability 

In short, the vulnerability is caused by a missing security check to ensure that the path the user wants to write to is actually a mailslot path, and not a path on the file system. As a result, a local unprivileged user (or a remote one, if so configured) can overwrite any file writable by Network Service with arbitrary content. An obvious candidate for this is Telephony Service's own tsec.ini file, which - among other things - defines service administrators.

By overwriting this file, the attacker can turn themselves into a Telephony Service administrator, and then have the service execute their malicious DLL using the newly-acquired power.

 

Microsoft's Patch

Microsoft patched this issue by adding a check to ensure the user-requested path actually represents a mailslot.

 

Our Patch

Our patch is logically identical to Microsoft's.

Let's see our patch in action. First, with 0patch disabled, a low-privileged user runs the attack tool that instructs the Telephony Service to overwrite tsec.ini with some content (we used "test" for demonstration purposes). The attack succeeds.

With 0patch enabled, however, the file can no longer be overwritten.
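What a "this must really be a mailslot path" check of the kind described above can look like, as an added C example that is not Microsoft's or 0patch's code. The rules are assumptions built on the documented mailslot name format \\<host>\mailslot\<name> (host "." for local, "*" for domain broadcast, or a computer/domain name); the canonicalisation step exists because Win32 path parsing accepts forward slashes and is case-insensitive, so a check that compares the raw string would not see "//./MailSlot/x" as the same path.

```c
/* Constructed model of a mailslot-path validator; not the Telephony Service's
 * real check. Rejects filesystem paths such as C:\Windows\tsec.ini. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_PATH_LEN 260

/* Normalises the way Win32 path parsing would: '/' becomes '\' and ASCII
 * letters are lower-cased. Returns false if the input is empty or too long. */
static bool canonicalize(const char *in, char *out, size_t out_len) {
    size_t n = strlen(in);
    if (n == 0 || n >= out_len) return false;
    for (size_t i = 0; i <= n; i++) {
        char c = in[i];
        out[i] = (c == '/') ? '\\' : (char)tolower((unsigned char)c);
    }
    return true;
}

/* Returns true only for a well-formed \\<host>\mailslot\<name> path. */
bool is_mailslot_path(const char *path) {
    char p[MAX_PATH_LEN];
    if (!canonicalize(path, p, sizeof p)) return false;

    /* Must start with the UNC-style double backslash. */
    if (strncmp(p, "\\\\", 2) != 0) return false;

    /* Host component ends at the next backslash and may not be empty.
     * A ':' or '?' in it would indicate a drive or a \\?\ device path. */
    const char *host = p + 2;
    const char *sep = strchr(host, '\\');
    if (sep == NULL || sep == host) return false;
    for (const char *c = host; c < sep; c++)
        if (*c == ':' || *c == '?') return false;

    /* The next component must be exactly "mailslot". */
    static const char kw[] = "mailslot\\";
    const char *comp = sep + 1;
    if (strncmp(comp, kw, sizeof kw - 1) != 0) return false;

    /* The remaining name must be non-empty, contain no drive colon, and no
     * empty or ".." component that could walk out of the mailslot namespace. */
    const char *name = comp + (sizeof kw - 1);
    if (*name == '\0' || strchr(name, ':') != NULL) return false;
    for (const char *c = name; ; ) {
        const char *end = strchr(c, '\\');
        size_t len = end ? (size_t)(end - c) : strlen(c);
        if (len == 0 || (len == 2 && c[0] == '.' && c[1] == '.')) return false;
        if (end == NULL) break;
        c = end + 1;
    }
    return true;
}
```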


 

 

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  2. Windows Server 2012 - fully updated with no ESU or ESU 1
  3. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 


Even though the Telephony Service exists on Windows 11, Windows 10 and Windows 7, we were unable to exploit this vulnerability there.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things. 

We'd like to thank Sergey Bliznyuk with Positive Technologies for sharing their detailed article, which allowed us to create patches for Windows versions that are no longer receiving official updates from Microsoft.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here

To learn more about 0patch, please visit our Help Center.

 

Friday, April 17, 2026

Micropatches released for Windows Error Reporting Service Elevation of Privilege Vulnerability (CVE-2026-20817)

 



January 2026 Windows Updates brought a patch for CVE-2026-20817, a local privilege elevation vulnerability in Windows Error Reporting Service, allowing a local non-admin attacker to execute arbitrary code as Local System user.

The vulnerability was found and reported to Microsoft by Denis Faiustov and Ruslan Sayfiev with GMO Cybersecurity by Ierae. Subsequently, security researcher Clément Labro reverse-engineered Microsoft's patch and posted their analysis, accompanied by a proof-of-concept. These allowed us to reproduce the issue and create patches for users of Windows systems that are no longer receiving official Microsoft patches.

 

The Vulnerability 

The vulnerability is in what seems to be an unneeded SvcElevatedLaunch function that allows any local user to have Windows Error Reporting Service launch WerFault.exe with arbitrary arguments as Local System.

 

Microsoft's Patch

Microsoft patched this issue by removing the SvcElevatedLaunch function.

 

Our Patch

Our patch is identical to Microsoft's.

 

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H1 - fully updated
  5. Windows 10 v20H2 - fully updated
  6. Windows 10 v2004 - fully updated
  7. Windows 10 v1909 - fully updated
  8. Windows 10 v1809 - fully updated
  9. Windows 10 v1803 - fully updated
  10. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  11. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  12. Windows Server 2012 - fully updated with no ESU or ESU 1
  13. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things. 

We'd like to thank Denis Faiustov and Ruslan Sayfiev with GMO Cybersecurity by Ierae for finding this vulnerability, and Clément Labro for publishing their analysis and proof-of-concept, which allowed us to create a patch for legacy Windows users.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here

To learn more about 0patch, please visit our Help Center.

 

Tuesday, April 14, 2026

Micropatches released for Windows Shell Security Feature Bypass Vulnerability (CVE-2026-21510)



February 2026 Windows Updates brought a patch for CVE-2026-21510, a security feature bypass in Windows Explorer that allowed a Windows shortcut to launch a remotely hosted DLL without any warning to the user, even if the mark-of-the-web was present.

The vulnerability was found to be exploited in the wild, and a sample was uploaded to malware repositories, which allowed us to reproduce the issue and create patches for legacy Windows users.

 

The Vulnerability 

Normally, when a user double-clicks a Windows shortcut (LNK) file with the mark-of-the-web or located on an untrusted share, Windows Explorer pops up a security warning about the shortcut's untrusted source.

The vulnerability at hand allowed a malicious LNK file, either one copied to the user's computer (thus having the mark-of-the-web) or one located on an untrusted remote share, to bypass this security warning and immediately load and execute a remotely-hosted attacker's DLL.

The flaw was specifically in the way the "All Control Panel Items" GUID was processed. This GUID is normally used for launching Control Panel items, which - in the background - employs shortcut files.

 

Microsoft's Patch

Microsoft patched this issue by adding a whole new data structure to the windows.storage.dll code, which specifically handles "Control Panel" shortcut files and defines a custom callback that checks both the shortcut file and its target for mark-of-the-web. Before the patch, only the target (C:\Windows\System32\rundll32.dll) was checked for mark-of-the-web.

 

Our Patch

We took a slightly simpler approach. Our patch injects into the CShellLink::_InvokeDirect function and checks a local variable that contains the path to the shortcut file. First, we check if it ends with ".lnk", and if it does, we perform a MapUrlToZone call on it. This both detects if the file path is an untrusted network location, and if the file contains the mark-of-the-web. If any of these is true, our patch pops up a warning telling the user that the file came from an untrusted location and that it may be malicious.

Our use of MapUrlToZone allows the user to add a shared folder address to trusted sites under Internet Options, and disable this warning on any shares they trust. 

If you see the 0patch security warning upon opening a document or launching an application from a network drive after having this patch applied and you'd like to remove it, please add the network location to Trusted sites:

  1. Open Control Panel and select Internet Options.
  2. Navigate to the Security tab, select Trusted sites, and click Sites.
  3. Uncheck "Require server verification (https:)".
  4. Enter the server name (e.g., \\servername) in the field and click Add.

 

Let's see our patch in action. First, with 0patch disabled, the user double-clicks on a shortcut file hosted on a remote untrusted share (shares identified by IP address instead of a "dotless" host name are untrusted by default). This results in immediate execution of a remote DLL under the attacker's control, which for the purpose of our demonstration launches the Calculator.

Then, the same is done with 0patch enabled. In this case, double-clicking on the remote shortcut results in a security warning, where the user can decide whether to let the shortcut execute or not.


 

 

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H1 - fully updated
  5. Windows 10 v20H2 - fully updated
  6. Windows 10 v2004 - fully updated
  7. Windows 10 v1909 - fully updated
  8. Windows 10 v1809 - fully updated
  9. Windows 10 v1803 - fully updated
  10. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  11. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  12. Windows Server 2012 - fully updated with no ESU or ESU 1
  13. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things. 

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here

To learn more about 0patch, please visit our Help Center.

 

Tuesday, March 31, 2026

Micropatches released for Windows Storage Elevation of Privilege Vulnerability (CVE-2026-21508)

 


February 2026 Windows Updates brought a patch for CVE-2026-21508, a local privilege escalation vulnerability in Windows Storage component allowing a low-privileged local user to run arbitrary code as Local System.

The vulnerability was found and reported to Microsoft by security researcher Oscar Zanotti Campo. Oscar subsequently published a detailed analysis of the vulnerability and a proof-of-concept, both of which allowed us to reproduce and patch this issue for our users.

 

The Vulnerability 

This flaw is in the windows.storage.dll module when used by WUDFHost.exe. The WUDFHost.exe process impersonates the user while loading sensitive registry keys from the Classes\CLSID\ path for resolving the target handles. A local attacker can leverage this to get WUDFHost to use their own registry keys and load a malicious DLL, which can then revert the impersonation and run code as Local System.

 

Microsoft's Patch

Microsoft's patch forces WUDFHost.exe to load sensitive registry keys from the machine registry hive instead of from the calling user's hive.

 

Our Patch

Our patch is logically identical to Microsoft's. 


Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H1 - fully updated
  5. Windows 10 v20H2 - fully updated
  6. Windows 10 v2004 - fully updated
  7. Windows 10 v1909 - fully updated
  8. Windows 10 v1809 - fully updated
  9. Windows 10 v1803 - fully updated


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things. 

We'd like to thank Oscar Zanotti Campo for sharing their analysis and proof-of-concept, which allowed us to create a patch and protect 0patch users against this issue.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here

To learn more about 0patch, please visit our Help Center.