Micropatches released for Windows Netlogon Remote Code Execution Vulnerability (CVE-2026-41089)

May 2026 Windows Updates brought a patch for CVE-2026-41089, a remotely exploitable issue on Windows Server acting as a domain controller. Under certain conditions, an unauthenticated attacker on the local network could send a malicious request to the server and cause memory corruption – which could potentially be enhanced into arbitrary code execution.

The vulnerability was found internally by Microsoft, but the official patch was reverse engineered and turned into a proof-of-concept by Aretiq AI. This, with a bit of our own effort, allowed us to reproduce the issue and create patches for legacy Windows users.

The Vulnerability

This is a pre-authentication remotely exploitable vulnerability in the Netlogon service on a Windows Server acting as a domain controller. A single carefully crafted UDP packet to the CLDAP DC-locator port (UDP/389) overflows a stack buffer inside the LSASS process, corrupts memory, and crashes the process. The server reboots about 60 seconds later.

There are multiple issues in the vulnerable code that lead to a buffer overrun, the most problematic being that the maximum string length passed to the NetpLogonPutUnicodeString function was interpreted as bytes but treated as WCHARs, which effectively doubled the length.

Microsoft's Patch

Microsoft fixed this issue with multiple code changes, hardening the whole NetpLogonPutUnicodeString function. They replaced a manual string copy loop with a safer function call, zero-initialized the buffer, and changed the size argument from being interpreted as WCHARs to bytes.

Our Patch

Our patch takes a more minimal approach and only halves the maximum string size for the user-supplied username. This is the only attacker-controlled value, so fixing other places in the same code would add no value. Our patch is therefore a single CPU instruction: mov edx, 0x40.

Let's see our patch in action. First, with 0patch disabled, the attacker sends a malicious UDP packet to the server and crashes the LSASS process. With 0patch enabled, sending the same packet has no negative effect.
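The byte-versus-WCHAR length confusion described above, and why halving the limit neutralizes it, shown as an added illustration (not Microsoft's or 0patch's code). The function names, the 0x80-byte field size (chosen so that halving it gives the 0x40 from the micropatch) and the guard arena are assumptions made for the demo; all copies stay inside valid memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t wchar16;      /* 2-byte WCHAR, as on Windows */
#define FIELD_BYTES 0x80       /* constructed: destination field size in bytes */
#define ARENA_BYTES 0x200      /* field plus guard area; copies stay in valid memory */
#define GUARD 0xCC             /* fill pattern used to detect writes past the field */

/* Flawed pattern: max_len arrives as a byte count but bounds a WCHAR loop. */
static size_t put_confused(uint8_t *dst, const wchar16 *src, size_t max_len)
{
    size_t i;
    for (i = 0; src[i] != 0 && i < max_len; i++)
        memcpy(dst + i * sizeof(wchar16), &src[i], sizeof(wchar16));
    return i * sizeof(wchar16);            /* bytes written */
}

/* Hardened pattern: limit is explicitly bytes, buffer zeroed, room kept for NUL. */
static size_t put_bounded(uint8_t *dst, const wchar16 *src, size_t dst_bytes)
{
    size_t max_chars = dst_bytes / sizeof(wchar16), i;
    memset(dst, 0, dst_bytes);
    for (i = 0; max_chars > 0 && src[i] != 0 && i < max_chars - 1; i++)
        memcpy(dst + i * sizeof(wchar16), &src[i], sizeof(wchar16));
    return i * sizeof(wchar16);
}

/* Copy input_chars 'A's into the field; count guard bytes changed beyond it. */
size_t guard_bytes_touched(int bounded, size_t limit, size_t input_chars)
{
    uint8_t arena[ARENA_BYTES];
    wchar16 input[ARENA_BYTES / sizeof(wchar16)] = {0};
    size_t i, touched = 0;
    if (input_chars >= ARENA_BYTES / sizeof(wchar16) || (bounded && limit > ARENA_BYTES))
        return (size_t)-1;                 /* refuse inputs the demo arena cannot hold */
    for (i = 0; i < input_chars; i++) input[i] = 'A';
    memset(arena, GUARD, sizeof arena);
    if (bounded) put_bounded(arena, input, limit); else put_confused(arena, input, limit);
    for (i = FIELD_BYTES; i < ARENA_BYTES; i++)
        touched += (arena[i] != GUARD);
    return touched;
}

int main(void)
{
    printf("confused=%zu halved=%zu bounded=%zu\n", guard_bytes_touched(0, FIELD_BYTES, 200),
           guard_bytes_touched(0, FIELD_BYTES / 2, 200), guard_bytes_touched(1, FIELD_BYTES, 200));
    return 0;
}
```

Passing the byte size as a character count lets a long input write twice the field size; halving the limit keeps the same loop inside the field, and the byte-aware copy does so while also zeroing the buffer and leaving room for a terminator.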

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

Windows Server 2008 R2 – fully updated with no ESU or with ESU 1, ESU 2, ESU 3 or ESU 4
Windows Server 2012 – fully updated with no ESU or with ESU 1
Windows Server 2012 R2 – fully updated with no ESU or with ESU 1

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers – and you won't even have to know or care about these things.

We'd like to thank Aretiq AI for sharing their analysis and proof of concept, which allowed us to create patches for Windows versions that are no longer receiving official updates from Microsoft.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.