CVE-2026-41089 is a stack-based buffer overflow vulnerability in the Windows Netlogon remote procedure call interface, a core service responsible for authenticating services and users on Windows domain networks. An attacker can exploit this flaw by sending a specially crafted network request to a Windows domain controller, potentially allowing remote code execution without authentication or prior access. The vulnerability impacts all currently supported Windows Server versions, including Windows Server 2025. Microsoft patched this vulnerability during the May 2026 Patch Tuesday. The Centre for Cybersecurity Belgium has confirmed active exploitation in the wild and strongly recommends immediate patching of vulnerable systems. Microsoft has not yet publicly confirmed active exploitation or provided additional mitigation details beyond the patch.

Successful exploitation of CVE-2026-41089 allows an unauthenticated attacker to execute arbitrary code on Windows domain controllers. This can lead to full compromise of the domain controller, potentially enabling attackers to control domain authentication and access sensitive network resources. The vulnerability affects all supported Windows Server versions, making it broadly impactful in enterprise environments. Active exploitation in the wild increases the urgency of remediation to prevent attacker footholds in critical infrastructure.

Microsoft released an official patch for CVE-2026-41089 during the May 2026 Patch Tuesday. Administrators are strongly urged to apply this update immediately to all affected Windows Server domain controllers. The Centre for Cybersecurity Belgium recommends urgent patching due to active exploitation. No alternative mitigations or workarounds have been detailed. Monitor vendor advisories for any further updates or guidance.