CVE-2026-42914: Windows Kerberos Out-of-Bounds Read DoS Vulnerability
A vulnerability in Windows Kerberos allows an authenticated attacker to cause a denial-of-service condition by reading memory outside the intended bounds. The attacker must already have network access and valid credentials to exploit this issue, which means it poses a risk primarily in environments where internal adversaries or compromised accounts could launch attacks. The impact is limited to service disruption rather than data theft or system compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Out-of-bounds read in Windows Kerberos allows an authorized attacker to deny service over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42914 is an out-of-bounds read vulnerability (CWE-125) in the Windows Kerberos implementation affecting multiple Windows 10 and Windows 11 releases as well as Windows Server 2012 through 2025. The vulnerability requires low privilege (authenticated) access and high attack complexity, suggesting exploitation depends on specific conditions or sequences that are not trivial to trigger. The out-of-bounds read can be weaponized to crash Kerberos-dependent services or processes, leading to availability impact. No confidentiality or integrity compromise is possible through this vector.
Business impact
Denial of service in Kerberos affects authentication and authorization workflows across the enterprise. Depending on attack persistence and targeting, an attacker could repeatedly knock out directory services, domain authentication, or ticket-granting services, causing user lockouts or preventing legitimate domain operations. The requirement for authentication limits blast radius to insider threats or accounts compromised through phishing, lateral movement, or supply-chain compromise. Organizations relying on Kerberos for SSO or multi-forest environments should assess redundancy and failover mechanisms.
Affected systems
Windows 10 versions 1607, 1809, 21H2, and 22H2 are affected, as are all supported Windows 11 releases (23H2, 24H2, 25H2, 26H1). Windows Server 2012, 2016, 2019, 2022, and 2025 are also in scope. Notably, this spans both consumer and enterprise editions, though the practical impact is highest on domain-joined systems and servers. Air-gapped or workgroup-only systems see no Kerberos traffic, reducing applicability.
Exploitability
Exploitation requires an authenticated attacker with network access and knowledge of how to trigger the specific out-of-bounds condition within Kerberos. The high attack complexity factor suggests this is not a one-click exploit; however, once a valid account is compromised or an insider has access, the barrier to craft or discover working attack payloads is moderate. Public exploit code has not been confirmed to exist (KEV status is false), limiting opportunistic attacks in the near term. Targeted campaigns against high-value infrastructure remain plausible.
Remediation
Apply security updates from Microsoft as they become available through Windows Update or WSUS. Organizations should prioritize patching domain controllers and critical authentication infrastructure first. Interim mitigations include network segmentation to limit which systems can reach Kerberos services, credential hygiene (minimize privileged account exposure), and monitoring for anomalous Kerberos ticket requests or service crashes. Organizations on extended support lifecycles (e.g., Windows Server 2012) should verify patch availability with Microsoft before assuming updates are forthcoming.
Patch guidance
Check Microsoft's security updates released concurrently with or after the June 2026 advisory date. Patches should be validated in a staging environment, particularly on domain controllers where Kerberos availability is critical. Coordinate patching with change windows to minimize authentication disruption. For Windows 10, ensure you are on a supported version (1607 is nearing end-of-service; prioritize 22H2). For Windows 11, all listed versions should receive updates through regular monthly rollups. Verify against Microsoft's official advisory to confirm patch KB numbers for your specific version.
Detection guidance
Monitor for unexpected crashes or restarts of processes linked to Kerberos (e.g., lsass.exe on domain controllers, krbtgt services). Collect Kerberos audit events (event IDs 4624, 4768, 4769) and look for spikes in failed authentication or ticket requests from a single source. Deploy host-based memory access monitoring if available; out-of-bounds reads may trigger access violation logs in Event Viewer or EDR telemetry. Correlate service availability incidents with authentication audit logs to identify whether Kerberos DoS was the root cause.
Why prioritize this
Although the CVSS score is moderate (5.3), the vulnerability affects foundational authentication infrastructure spanning Windows client and server editions. Any successful denial of service targeting Kerberos can cascade across the domain, impacting all user login attempts and service-to-service authentication. The need for authentication lowers immediate risk from external attackers, but the broad affected product list and critical nature of Kerberos warrant prioritization above non-authentication DoS vulnerabilities. Organizations should plan patching within their next security update cycle rather than deferring.
Risk score, explained
The CVSS 3.1 score of 5.3 (Medium) reflects high availability impact (A:H) constrained by network accessibility requiring authentication (AV:N, PR:L) and high attack complexity (AC:H). There is no confidentiality or integrity risk. The score appropriately flags this as a threat to service continuity rather than data confidentiality. In practical business terms, the criticality of Kerberos means the risk should not be underestimated; a CVSS 5.3 targeting authentication is more severe than a CVSS 5.3 targeting a non-critical application.
Frequently asked questions
Can this vulnerability be exploited remotely by an attacker without authentication?
No. The vulnerability requires the attacker to be authenticated (PR:L in the CVSS vector). An attacker must possess valid credentials or have compromised an account to initiate the out-of-bounds read. This significantly reduces the attack surface to insider threats, lateral movement, or compromised user/service accounts.
Does the patch affect Kerberos interoperability with non-Windows systems?
Patches to Windows Kerberos typically do not alter the Kerberos protocol itself, only the implementation's memory safety. Interoperability with Unix/Linux Kerberos implementations or third-party Kerberos clients should remain unaffected. However, verify with your environment's specific interoperability requirements after patching.
If we are running Windows 10 version 1607, should we upgrade or patch?
Windows 10 version 1607 (Enterprise LTSC 2015) reaches end of service in May 2027. Microsoft may provide limited security updates, but upgrading to 22H2 or 23H2 is the long-term strategy. In the interim, apply any available patches and implement network controls to limit Kerberos exposure.
What should we monitor to detect exploitation attempts?
Focus on crash or restart events for lsass.exe (Local Security Authority Subsystem), Kerberos service errors in Event Viewer, and spikes in failed authentication events (Event ID 4625). Domain controllers are the highest-value targets; alerting on abnormal Kerberos traffic or service availability on DCs is critical. EDR tools should flag memory access violations in security-sensitive processes.
This analysis is based on publicly available information current as of the published and modified dates listed. Patch availability, version numbers, and timelines should be verified directly with Microsoft's official security advisories. Organizations should conduct their own risk assessment based on their specific infrastructure, threat model, and business criticality. No guarantee is made regarding exploit availability or real-world attack prevalence. This content is for informational purposes and does not constitute professional security advice tailored to your environment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11005MEDIUMOut-of-Bounds Read in Chrome ANGLE on Windows
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11075MEDIUMOut-of-Bounds Read in Chrome V8 Engine – Memory Disclosure Vulnerability
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-11096MEDIUMChrome WebRTC Out-of-Bounds Read
- CVE-2026-11183MEDIUMChrome GWP-ASan Memory Disclosure – Patch Guidance