CVE-2026-42903: Windows Kerberos Null Pointer Dereference DoS Vulnerability
A flaw in Windows Kerberos authentication can be triggered by an authorized network user to crash or hang critical services. The vulnerability requires valid domain credentials to exploit, limiting its attack surface to insider threats or compromised accounts within an organization. While it does not expose data or allow privilege escalation, denial-of-service impact can disrupt authentication infrastructure and dependent business operations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42903 is a null pointer dereference (CWE-476) in the Windows Kerberos implementation that permits authenticated attackers to induce a denial-of-service condition over the network. The flaw resides in Kerberos service handling and can be triggered without user interaction once an attacker possesses valid credentials. The CVSS 3.1 score of 6.5 (MEDIUM) reflects the requirement for prior authentication (PR:L), absence of confidentiality or integrity impact (C:N/I:N), and high availability impact (A:H). The network-accessible attack vector (AV:N) and low attack complexity (AC:L) indicate the vulnerability is straightforward to exploit from a network position once authenticated.
Business impact
Disruption to Kerberos-dependent authentication services can cascade across Active Directory environments, potentially breaking single sign-on, service ticket validation, and network access for users and systems. Organizations relying on Kerberos for domain authentication and service-to-service trust face availability risk. Although the threat actor must be authenticated, insider threats, credential compromise through phishing, or lateral movement from other breaches could enable exploitation. The impact scales with the criticality of Kerberos infrastructure in your environment; widespread outages are possible in large enterprises where Kerberos is the primary authentication backbone.
Affected systems
Microsoft Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server editions (2012, 2016, 2019, 2022, 2025) are affected. The vulnerability spans both client and server operating systems, meaning domain members, domain controllers, and standalone servers running Kerberos services are potentially vulnerable. Organizations should inventory systems running these Windows versions, particularly domain controllers and servers hosting Kerberos-dependent services.
Exploitability
The vulnerability requires valid authenticated credentials—an attacker cannot exploit it anonymously or without prior compromise. This raises the bar significantly compared to unauthenticated vulnerabilities. However, exploitability is straightforward once authenticated (AC:L), and the attack is network-accessible, meaning an insider or account holder need not be physically present. The flaw is not currently tracked as actively exploited in the wild, though the public disclosure and straightforward nature of a null pointer dereference mean weaponization is foreseeable. Insider threat and lateral movement scenarios elevate practical risk in environments with credential hygiene challenges.
Remediation
Patching is the primary remediation. Microsoft security updates addressing this vulnerability should be deployed to all affected Windows 10 and Windows 11 client systems and all Windows Server editions listed. Verify the specific patch version against the official Microsoft advisory for your operating system version. Until patches are applied, network segmentation limiting Kerberos service exposure, strong credential controls to reduce the likelihood of account compromise, and monitoring for unusual Kerberos service crashes or restarts can provide interim mitigation. Consider prioritizing domain controllers and authentication services in patch deployment sequencing.
Patch guidance
Obtain patches from Microsoft's security update channels (Windows Update, WSUS, or manual download from Microsoft Update Catalog). Apply updates to all Windows 10 versions (1607, 1809, 21H2, 22H2), Windows 11 versions (23H2, 24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Test patches in a non-production environment first to confirm no conflicts with domain services, authentication flows, or dependent applications. Prioritize domain controllers and servers hosting Kerberos services. Stagger deployment across the organization to avoid simultaneous authentication service restarts. Verify patch application using Microsoft's patch verification tools or built-in Windows Update compliance reports.
Detection guidance
Monitor Windows Event Log for Kerberos service crashes, restarts, or error events (Event ID 27 in the Security log for Kerberos errors; check System log for service failures). Establish baseline metrics for Kerberos latency and failure rates; spikes may indicate exploitation attempts. Network intrusion detection signatures targeting malformed Kerberos protocol packets from authenticated sources may help identify active exploitation. Endpoint detection and response (EDR) tools should flag unexpected Kerberos service terminations. Log aggregation systems should correlate authentication failures with service availability gaps. Given the low observability of a crash-inducing bug, behavioral anomalies (authentication delays, service unavailability) are often the first indicators.
Why prioritize this
Prioritize this vulnerability for patching because (1) it affects a fundamental infrastructure component (Kerberos) across client and server systems; (2) compromise of any domain-joined account can trigger exploitation; (3) availability impact is high, with potential for cascading service disruption; (4) the broad Windows footprint (Windows 10, 11, Server 2012–2025) means patch complexity is significant; (5) authenticated denial-of-service attacks against authentication infrastructure warrant rapid remediation to prevent operational disruption. Mid-sized to large enterprises with mature Active Directory deployments should treat this as high-priority in their patch windows.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) correctly reflects a flaw with no confidentiality or integrity impact but high availability impact, gated by a requirement for valid authentication. The network vector and low complexity indicate ease of exploitation once authenticated. The MEDIUM severity appropriately signals that while the vulnerability is serious for availability, it does not enable data theft or system compromise—however, it should not be underestimated in critical infrastructure environments where Kerberos unavailability cascades to widespread outages. Risk elevation in your environment depends on credential exposure risk and the centrality of Kerberos to operations.
Frequently asked questions
Do I need valid credentials to exploit this vulnerability?
Yes. The vulnerability requires an authenticated user (PR:L in CVSS terms). An attacker must possess valid domain credentials or compromise an existing account. Unauthenticated remote exploitation is not possible.
Can this vulnerability be used to steal passwords or gain unauthorized access?
No. The flaw only causes a denial-of-service condition. It does not compromise confidentiality (no data theft), integrity (no unauthorized changes), or enable privilege escalation. Its impact is limited to service availability.
Which systems should I patch first?
Prioritize domain controllers and servers hosting Kerberos services, as their unavailability impacts the entire domain. Then patch other Windows Server systems, followed by Windows 10 and 11 clients. Sequenced deployment reduces the risk of simultaneous Kerberos service restarts.
Is this vulnerability currently being exploited in the wild?
No, this CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no active exploitation has been confirmed publicly. However, given the straightforward nature of the flaw, timely patching is still essential to prevent future attacks.
This analysis is for informational purposes and reflects publicly available information as of the modification date (2026-06-17). Patch versions, specific remediation timelines, and affected system lists should be verified against the official Microsoft security advisory before deployment. No exploit code is provided, and SEC.co makes no guarantee regarding the completeness or applicability of this guidance to your specific environment. Security decisions should be made in consultation with internal security teams and tested in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-8035HIGHNI-PAL Kernel Driver NULL Pointer Dereference DoS Vulnerability
- CVE-2025-60477MEDIUMMP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-60481MEDIUMGPAC MP4Box NULL Pointer DoS Vulnerability (v26.02.0 Patch)
- CVE-2025-60483MEDIUMMP4Box AC4 Parser NULL Pointer DoS Vulnerability
- CVE-2025-60485MEDIUMMP4Box Segmentation Fault DoS Vulnerability (GPAC < 26.02.0)
- CVE-2025-60495MEDIUMMP4Box Segmentation Fault DoS Vulnerability – Patching Guide
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-11788MEDIUM389 Directory Server Unauthenticated Denial-of-Service via Memory Allocation Flaw