HIGH 8.8

CVE-2026-45648: Active Directory Stack Buffer Overflow – Windows Server 2022/2025 RCE

A stack-based buffer overflow vulnerability exists in Active Directory Domain Services (AD DS) that allows authenticated attackers to execute arbitrary code remotely on affected Windows Server systems. An attacker with valid domain credentials can craft a malicious request that overflows a memory buffer, potentially gaining full control of the AD DS infrastructure. The vulnerability requires network access and valid authentication, but does not require user interaction to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-121
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Stack-based buffer overflow in Active Directory Domain Services allows an authorized attacker to execute code over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45648 is a stack-based buffer overflow (CWE-121) in Active Directory Domain Services affecting Windows Server 2022 and 2025. The vulnerability is reachable over the network by authenticated users without elevated privileges (CVSS vector AV:N/AC:L/PR:L). Successful exploitation results in arbitrary code execution with the privileges of the AD DS service, typically SYSTEM-level access. The low attack complexity (AC:L) indicates no special conditions are required; a single malformed request can trigger the overflow.

Business impact

Compromise of AD DS typically results in domain-wide credential theft, privilege escalation, and lateral movement across the enterprise. An attacker gaining code execution on a domain controller can extract password hashes, forge authentication tokens, establish persistence, and pivot to sensitive systems. In multi-forest environments, compromise of one forest may facilitate compromise of others. This vulnerability directly threatens identity and access management—the foundation of enterprise security posture.

Affected systems

Windows Server 2022 and Windows Server 2025 running Active Directory Domain Services are vulnerable. The scope is limited to these two versions; organizations running earlier Server editions (2019, 2016) or domain controllers on other platforms should verify whether they are affected by consulting the vendor advisory. Any domain controller deployed from these base images without patches is at risk.

Exploitability

The vulnerability requires valid domain credentials to trigger, which is not a high bar in many organizations due to user accounts, service accounts, and overly permissive delegation. The network attack surface is significant for domain controllers, which must be reachable from domain-joined systems. However, the vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no active in-the-wild exploitation has been reported. This does not diminish urgency—stack-based buffer overflows are well-understood attack vectors with mature exploitation techniques.

Remediation

Apply security updates from Microsoft for Windows Server 2022 and 2025 that address the AD DS buffer overflow. Verify patch applicability against the vendor advisory before deployment. Organizations should prioritize patching domain controllers in phases to maintain service availability. As a compensating control, restrict network access to AD DS ports (particularly 389, 636, 3268, 3269) to trusted administrative networks and domain-joined systems only. Segment domain controller networks from general user and guest networks.

Patch guidance

Consult the Microsoft security advisory for CVE-2026-45648 to identify the correct update versions for Windows Server 2022 and 2025. Test patches in a non-production environment before rolling out to production domain controllers. Consider scheduled maintenance windows to allow for graceful patching and validation. Verify that AD replication and dependent services function correctly after each domain controller is patched. Maintain detailed records of patch status across all domain controllers to prevent missed systems.

Detection guidance

Monitor domain controller logs for failed AD DS operations, unexpected buffer overflow errors, or abnormal process termination of the AD DS service. Implement network-based detection for malformed LDAP or Kerberos requests sent to domain controller ports. Use endpoint detection and response (EDR) tools to identify unexpected code execution or privilege escalation on domain controllers. Stack-based buffer overflows may leave traces in Windows Event Log (System and Security channels). Correlate authentication logs with subsequent lateral movement activity.

Why prioritize this

HIGH severity. A CVSS score of 8.8 reflects the confluence of network accessibility, low attack complexity, and high impact (confidentiality, integrity, availability). Although not yet actively exploited in the wild, the vulnerability affects the identity and access control layer—the most critical asset in modern enterprises. Domain controllers are high-value targets; their compromise can enable enterprise-wide breach. Patching should proceed urgently but carefully to avoid disruption.

Risk score, explained

CVSS 8.8 (HIGH) is driven by: (1) Network-accessible attack vector (AV:N), (2) low attack complexity requiring no special conditions (AC:L), (3) requirement for low-level authenticated access (PR:L) rather than unauthenticated access, (4) no user interaction required (UI:N), (5) complete confidentiality, integrity, and availability impact (C:H/I:H/A:H). The scope remains unchanged (S:U), limiting blast radius to the vulnerable component, but that component (AD DS) controls enterprise identity. The absence of KEV exploitation status slightly mitigates urgency but does not reduce technical risk.

Frequently asked questions

Do we need to patch Windows Server 2019 or earlier versions?

CVE-2026-45648 specifically affects Windows Server 2022 and 2025. Verify whether your older Server editions are mentioned in the vendor advisory before assuming they are unaffected. Check the Microsoft security update page directly for confirmed affected versions.

Can this vulnerability be exploited by guests or unauthenticated users?

No. The vulnerability requires valid domain credentials (PR:L in the CVSS vector). However, in most organizations, obtaining domain credentials is achievable through phishing, password reuse, or compromised service accounts. Assume that an attacker with network access and any valid domain account can exploit this.

Is this vulnerability currently being exploited in the wild?

As of the published date, CVE-2026-45648 is not listed in CISA's Known Exploited Vulnerabilities catalog, meaning no confirmed active exploitation has been reported. However, this does not guarantee the vulnerability remains unexloited; assume threat actors are developing or have developed exploits.

What is the risk if we delay patching by a few weeks?

The risk increases with each passing day. Domain controllers are prime targets. A multi-week delay extends the exposure window and increases the likelihood of compromise, especially if threat actors develop public proof-of-concept code. Prioritize patching on a timeline of days to one week maximum.

This analysis is provided for informational purposes and reflects the state of the vulnerability as of the published date. Consult the official Microsoft security advisory and vendor patch documentation for definitive guidance on affected versions, patch availability, and remediation procedures. Organizations should validate all patches in a non-production environment before deployment. SEC.co assumes no liability for business decisions made based on this analysis. Threat landscape and exploit status may evolve; monitor vendor advisories and threat intelligence feeds for updates. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).