CVE-2026-47288: Windows Kerberos Integer Overflow Allows Code Execution
CVE-2026-47288 is a high-severity integer overflow vulnerability in Windows Kerberos authentication that allows an authenticated attacker on an adjacent network to execute arbitrary code with system-level privileges. The flaw resides in how Kerberos handles certain numeric calculations, causing a wraparound condition that can be exploited to bypass security checks and inject malicious code. An attacker must already have valid credentials and network proximity to the target, which limits the immediate blast radius but makes this a serious concern for domain environments where lateral movement is a known threat model.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-190
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Integer overflow or wraparound in Windows Kerberos allows an authorized attacker to execute code over an adjacent network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from an integer overflow or wraparound condition (CWE-190) in the Windows Kerberos implementation. The flaw occurs during authentication token processing when integer values are not properly validated before arithmetic operations, allowing an attacker to craft a malformed Kerberos request that causes the integer to overflow and wrap to an unexpected value. This corrupted state bypasses bounds checks and memory safety validations that normally prevent code execution. The attack vector is adjacent network (AV:A), meaning the attacker must be on the same network segment or local broadcast domain, and requires low privileges (PR:L) but no user interaction. The high impact across confidentiality, integrity, and availability reflects the ability to achieve code execution in the Kerberos service context.
Business impact
Compromise of Kerberos authentication infrastructure can lead to domain-wide credential theft, lateral movement, and persistence. An attacker with network access and valid credentials can escalate privileges or move laterally within the network to exfiltrate sensitive data, disrupt services, or establish backdoors. For organizations relying on Windows Server for identity and access management, this vulnerability threatens the integrity of the entire authentication chain. Data centers, corporate networks, and hybrid cloud environments using affected Windows Server versions face elevated risk of insider threats being weaponized or external adversaries gaining deeper access after initial compromise.
Affected systems
The vulnerability affects Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025. Any organization running these versions in a domain environment where Kerberos is active (the default configuration) is potentially exposed. Windows Server 2012 and 2016 are approaching or past mainstream support end-of-life, but remain in use in many enterprises. Windows Server 2022 and 2025 represent the current and next-generation platforms, making this a concern for both legacy and modern infrastructure.
Exploitability
Exploitability is moderate to difficult in practice. An attacker must possess valid domain credentials and network access to the target server's network segment—conditions that typically exist for insiders or adversaries who have already compromised an initial foothold. The attack requires careful crafting of a malicious Kerberos ticket or request, suggesting the vulnerability is not trivial to exploit without deep protocol knowledge. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no active in-the-wild exploitation has been publicly documented as of the last update. However, the six-year window between publication and availability of patches creates urgency to remediate before attacker knowledge matures.
Remediation
Apply security updates from Microsoft that address CVE-2026-47288 as soon as they become available through Windows Update or your standard patch management channel. Verify the patch version numbers against Microsoft's official advisory before deploying. Interim mitigations include segmenting networks to reduce adjacent-network attack surface, enforcing strict access controls on Kerberos infrastructure, and monitoring for anomalous Kerberos traffic or authentication failures. Organizations should prioritize patching domain controllers and member servers that handle sensitive workloads or authentication duties.
Patch guidance
Consult Microsoft's official security advisory for CVE-2026-47288 to identify the specific KB article and patch version numbers applicable to your Windows Server versions. Patches will be released through the standard monthly security update cycle. Test patches in a non-production environment first to ensure compatibility with domain services and applications. Schedule patching of domain controllers during maintenance windows to minimize authentication service interruption. Consider deploying patches to domain controllers first, then member servers, to maintain authentication availability during the rollout.
Detection guidance
Monitor Kerberos authentication logs (Security event logs on Windows servers) for failed authentication attempts, particularly those with error codes indicating token validation failures or memory access violations. Network intrusion detection systems should look for malformed Kerberos packets or unusual token sizes. Endpoint detection and response (EDR) tools should flag unexpected code execution within the Kerberos service process (LSASS.exe) or unusual privilege escalation patterns following authentication events. Correlate authentication failures with subsequent lateral movement attempts to identify possible exploitation attempts. Consider enabling Kerberos event logging at severity level 'Verbose' on domain controllers during the patch window to capture attack indicators.
Why prioritize this
Despite the CVSS 3.1 score of 7.1 (HIGH) and lack of current public exploitation, this vulnerability should be prioritized for patching because: (1) it affects core identity infrastructure in Windows environments, (2) successful exploitation grants code execution in a privileged service context, (3) affected versions span from legacy to current-generation platforms, and (4) the combination of low privileges required and network adjacency matches realistic insider threat and post-compromise lateral movement scenarios. Organizations with mature security programs should treat this as a P1 for domain infrastructure; smaller organizations should address it within 30 days of patch availability.
Risk score, explained
The CVSS 3.1 score of 7.1 reflects a HIGH severity rating based on the attack vector (adjacent network), low privilege requirement, high impact across confidentiality, integrity, and availability, and the absence of required user interaction. The score does not account for the requirement to already possess valid credentials, which reduces real-world exploitability compared to a network-adjacent unauthenticated flaw. The absence of KEV listing indicates no coordinated public exploitation has been leveraged at scale, but the six-year publication history suggests time for threat actors to develop reliable exploits. Organizations should view this as a serious but manageable risk requiring prompt patching rather than emergency response.
Frequently asked questions
Can this vulnerability be exploited remotely without being on the same network segment?
No. The attack vector is limited to adjacent networks (AV:A in CVSS terms), meaning the attacker must have Layer 2 or local network access to the target. This typically includes same-subnet access, VPN connections to the same network, or compromised systems on the same network segment. Internet-based attacks are not possible with this vulnerability alone.
Do I need valid domain credentials to exploit this vulnerability?
Yes. The vulnerability requires low privilege (PR:L) within the domain, meaning the attacker needs at least a standard user account with valid credentials. This distinguishes it from unauthenticated vulnerabilities but aligns it with post-compromise lateral movement scenarios where an attacker has already gained initial access.
Is there a workaround if I cannot patch immediately?
There is no complete workaround that eliminates the vulnerability. Network segmentation to restrict adjacent network access to domain controllers, implementation of strict firewall policies, and enhanced monitoring of Kerberos traffic can reduce exposure. However, patching remains the only reliable remediation. Prioritize patching domain controllers and sensitive systems within 30 days of update availability.
Which Windows Server versions are most at risk in my environment?
All supported and unsupported versions listed (2012, 2012 R2, 2016, 2019, 2022, 2025) are affected. Windows Server 2022 and 2025 are currently supported and should be patched immediately. Windows Server 2012 and 2016 are nearing or past mainstream support end-of-life; organizations still running these should plan urgent upgrades alongside patching as part of modernization efforts.
This analysis is for informational purposes and reflects the vulnerability details as of June 2026. Patch version numbers and exact remediation steps must be verified against Microsoft's official security advisory. Organizations should conduct their own risk assessment based on their specific infrastructure, threat model, and compliance obligations. This assessment does not constitute professional security advice; consult qualified security professionals for guidance tailored to your environment. SEC.co makes no warranty regarding the accuracy or completeness of this analysis and disclaims liability for damages arising from its use. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10921HIGHChrome Dawn Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-10924HIGHChrome Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-42916HIGHWindows NT Kernel Integer Overflow Privilege Escalation Vulnerability
- CVE-2026-42974HIGHWindows Performance Monitor Integer Overflow Remote Code Execution Vulnerability
- CVE-2026-44803HIGHWindows Win32K Integer Overflow Privilege Escalation
- CVE-2026-44812HIGHWindows Win32K Integer Overflow – CVSS 7.8 High Severity
- CVE-2026-45592HIGHWindows Privilege Escalation in wininet.dll (Integer Overflow)
- CVE-2026-45593HIGHWindows SDK Use-After-Free Privilege Escalation