HIGH 7.0

CVE-2026-41108: Windows DNS Heap Buffer Overflow Privilege Escalation

A memory safety flaw in Windows DNS could allow someone with local system access to break out of normal restrictions and gain full control of the computer. The vulnerability exists because DNS processes input in a way that can overflow a memory buffer, and an attacker positioned locally—such as a low-privilege user or service—could exploit this to run code with elevated permissions. This is not a remote vulnerability, but it poses a significant risk in multi-user or shared-system environments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Heap-based buffer overflow in Microsoft Windows DNS allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-41108 is a heap-based buffer overflow (CWE-122) in the Microsoft Windows DNS resolver component. The flaw allows a local authenticated attacker to trigger a memory corruption condition that can be leveraged for privilege escalation. The attack vector is local, requires low privilege level and high complexity, but results in complete compromise of confidentiality, integrity, and availability. The CVSS 3.1 score of 7.0 (HIGH) reflects the combination of local-only access with complete impact upon successful exploitation.

Business impact

Organizations running affected Windows systems face a privilege escalation pathway that could enable lateral movement or persistence by a compromised local account. In environments where service accounts or unprivileged users have DNS-related responsibilities, or where threat actors have gained initial foothold via phishing or application compromise, this vulnerability becomes a stepping stone to administrative control. The breadth of affected Windows versions—spanning Windows 10, Windows 11, and Server 2012 through 2025—means the issue affects a substantial portion of enterprise infrastructure.

Affected systems

The vulnerability affects multiple Windows editions: Windows 10 (versions 1607, 1809, 21H2, and 22H2), all current Windows 11 releases (23H2, 24H2, 25H2, and 26H1), and Windows Server platforms from 2012 through 2025. Organizations should audit their estate to identify systems running these versions, with particular attention to servers and workstations where local user access is common or where DNS operations are sensitive.

Exploitability

Exploitation requires local access and low-level privileges—not administrative rights. The attack complexity is rated HIGH, meaning reliable exploitation requires specific preconditions or deep system knowledge. The vulnerability is not remotely exploitable and does not require user interaction. While the technical bar is non-trivial, a skilled threat actor with initial local access could develop a working exploit. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog, but organizations should anticipate proof-of-concept code development as security research progresses.

Remediation

Microsoft will release patches through its standard security update cycle. Organizations should apply Windows security updates as they become available through Windows Update or WSUS. Until patches are available, isolation controls such as restricting local logon capabilities, enforcing strong access controls on DNS-related accounts, and monitoring for unusual DNS process behavior offer interim risk reduction. Verify patch availability by consulting Microsoft's official security advisories.

Patch guidance

Monitor Microsoft Security Updates for patches targeting CVE-2026-41108 across affected Windows versions. When patches become available, prioritize systems running Server 2022 and 2025, as well as Windows 11 editions, given their prevalence in modern environments. Test patches in non-production environments before broad deployment to ensure compatibility with line-of-business applications. Given the privilege escalation nature of this flaw, treat patching as high priority within your normal maintenance windows.

Detection guidance

Monitor for unusual process creation beneath DNS-related services (such as svchost.exe running DNS), unexpected privilege elevation events tied to DNS processes, and heap memory exceptions or access violations in Windows DNS components. Endpoint Detection and Response (EDR) solutions should be tuned to alert on DNS service anomalies and local privilege escalation attempts. Log authentication events for local account creation or privilege group modifications that follow DNS process activity. Security Information and Event Management (SIEM) rules should correlate DNS process crashes with subsequent privilege escalation.

Why prioritize this

This vulnerability merits rapid patching due to its privilege escalation capability and the vast number of affected systems across consumer and enterprise Windows editions. While exploitation requires local access, the combination of wide distribution, complete impact (CIA triad), and the likelihood that threat actors will develop reliable exploits within weeks of patch release justifies treating this as a near-term priority. Organizations with strong perimeter controls and limited local access may rate this lower than remote code execution flaws, but the scope of affected infrastructure means most organizations will have exposure.

Risk score, explained

The CVSS 3.1 score of 7.0 (HIGH) reflects a local privilege escalation with complete system impact. The score is not CRITICAL because the attack vector is limited to local access and the complexity is high; remote availability is not compromised. However, the vulnerability easily clears the severity threshold for HIGH because it enables unauthenticated-to-administrator privilege elevation and affects core Windows infrastructure across dozens of versions. The absence of CISA KEV status does not reduce the actual risk; it simply reflects that in-the-wild exploitation has not yet been confirmed at the time of this analysis.

Frequently asked questions

Can this vulnerability be exploited remotely over the network?

No. The vulnerability requires local system access and low-level privileges. It cannot be exploited by an attacker on another machine. However, if an attacker has already compromised a local account—via phishing, application vulnerability, or lateral movement—they can use this flaw to escalate to administrator rights.

Which Windows Server versions are affected?

Windows Server 2012, 2016, 2019, 2022, and 2025 are all listed as affected. Server 2022 and 2025 should be prioritized for patching due to their deployment prevalence, but all versions require remediation.

What should we do if we cannot patch immediately?

Enforce restrictive local logon policies to limit the number of accounts with local access, use endpoint hardening to restrict process creation and privilege escalation, enable EDR/SIEM monitoring for DNS process anomalies, and conduct a risk assessment of which systems truly require local user access. These controls reduce the window of opportunity but do not eliminate the risk.

Is there a workaround to disable DNS processing?

Disabling Windows DNS entirely is not a practical workaround for most organizations. Focus instead on applying patches as soon as they are available and using access controls to minimize the population of users who can trigger the vulnerable code path.

This analysis is provided for informational purposes. CVE-2026-41108 details, patch status, and affected versions are current as of the published date but may be updated by Microsoft or other official sources. Organizations should verify patch availability and compatibility through official Microsoft security advisories before deploying updates. This document does not constitute legal, compliance, or incident response advice. Consult with your security team and risk management department to determine appropriate remediation timelines for your environment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).