May 2026 Windows Updates brought a patch for CVE-2026-41089, a remotely exploitable issue on Windows Server acting as a domain controller. Under certain conditions, an unauthenticated attacker on the local network could send a malicious request to the server and cause memory corruption, which could potentially be escalated into arbitrary code execution.
The vulnerability was found internally by Microsoft, but the official patch was reverse engineered and turned into a proof-of-concept by Aretiq AI. This, with a bit of our own effort, allowed us to reproduce the issue and create patches for legacy Windows users.
The Vulnerability
This is a pre-authentication remotely exploitable vulnerability in the Netlogon service on a Windows Server acting as a domain controller. A single carefully crafted UDP packet to the CLDAP DC-locator port (UDP/389) overflows a stack buffer inside the LSASS process, corrupts the memory, and crashes the process. The server reboots about 60 seconds later.
There are multiple issues in the vulnerable code that lead to a buffer overrun, the most problematic being that the maximum string length passed to the NetpLogonPutUnicodeString function was supplied as a number of bytes but treated as a number of WCHARs (2 bytes each), which effectively doubled the allowed length.
Microsoft's Patch
Microsoft fixed this issue with multiple code changes, hardening the whole NetpLogonPutUnicodeString function. They replaced a manual string copy loop with a safer function call, zero-initialized the buffer, and changed the size argument from being interpreted as WCHARs to bytes.
Our Patch
Our patch takes a more minimal approach and only halves the maximum string size for the user-supplied username. This is the only attacker-controlled value, so fixing other places in the same code would add no value. Our patch is therefore a single CPU instruction: mov edx, 0x40.

Let's see our patch in action. First, with 0patch disabled, the attacker sends a malicious UDP packet to the server and crashes the LSASS process. With 0patch enabled, sending the same packet has no negative effect.
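To make the byte-versus-WCHAR confusion from the vulnerability description and the effect of halving the limit concrete, here is an added C model (not Netlogon's code and not 0patch's patch; the function names, the 0x80 buffer size and the 256-unit source cap are assumptions). The vulnerable variant reports how many bytes it would write instead of writing them, so it is safe to run.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the byte-vs-WCHAR unit confusion described above.
 * Function names and the 0x80 limit are assumptions, not Netlogon's code. */
typedef uint16_t WCHAR;          /* a Windows WCHAR is a 16-bit code unit */
#define USERNAME_BUF_BYTES 0x80  /* size of the stack buffer, in bytes (assumed) */

/* Vulnerable model: the caller passes the limit in bytes, but the copy
 * treats it as a count of WCHARs, so up to twice the intended number of
 * bytes is copied. Returns the byte count the copy would write; the copy
 * itself only happens when it fits, so this model never corrupts memory. */
size_t put_unicode_string_vuln(WCHAR *dst, size_t dst_bytes,
                               const WCHAR *src, size_t src_wchars,
                               size_t max_len /* caller means bytes */)
{
    size_t n = src_wchars < max_len ? src_wchars : max_len; /* used as WCHARs */
    size_t bytes = n * sizeof(WCHAR);
    if (bytes <= dst_bytes)
        memcpy(dst, src, bytes);
    return bytes;
}

/* Hardened model: convert the byte limit to WCHARs before clamping and
 * zero the destination first, mirroring the changes the post describes. */
size_t put_unicode_string_fixed(WCHAR *dst, size_t dst_bytes,
                                const WCHAR *src, size_t src_wchars,
                                size_t max_bytes)
{
    size_t max_wchars = max_bytes / sizeof(WCHAR);
    size_t n = src_wchars < max_wchars ? src_wchars : max_wchars;
    size_t bytes = n * sizeof(WCHAR);
    memset(dst, 0, dst_bytes);
    if (bytes > dst_bytes) bytes = dst_bytes; /* never exceed the destination */
    memcpy(dst, src, bytes);
    return bytes;
}

/* Bytes each variant would write past a USERNAME_BUF_BYTES stack buffer
 * for a username of src_wchars code units; 0 means no overrun. */
size_t overrun_bytes(int fixed, size_t src_wchars)
{
    WCHAR src[256] = {0}, dst[USERNAME_BUF_BYTES / sizeof(WCHAR)];
    if (src_wchars > 256) src_wchars = 256;
    size_t w = fixed ? put_unicode_string_fixed(dst, sizeof dst, src, src_wchars, USERNAME_BUF_BYTES)
                     : put_unicode_string_vuln(dst, sizeof dst, src, src_wchars, USERNAME_BUF_BYTES);
    return w > sizeof dst ? w - sizeof dst : 0;
}
```

A 128-unit username passes the vulnerable check (128 < 0x80 is false, so it is clamped to 128 WCHARs, i.e. 256 bytes) and would overrun the 128-byte buffer by 128 bytes; the hardened variant clamps to 64 WCHARs and stays inside the buffer.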
Micropatch Availability
Micropatches were written for the following security-adopted Windows versions:
- Windows Server 2008 R2 - fully updated with no ESU or with ESU 1, ESU 2, ESU 3 or ESU 4
- Windows Server 2012 - fully updated with no ESU or with ESU 1
- Windows Server 2012 R2 - fully updated with no ESU or with ESU 1
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
We'd like to thank Aretiq AI for sharing their analysis and proof of concept, which allowed us to create patches for Windows versions that are no longer receiving official updates from Microsoft.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.