Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.
AnalysisAI
Remote code execution in Windows Active Directory Domain Services affects all supported Windows Server versions (2012 R2 through 2025) when an authenticated attacker with low privileges on an adjacent network sends specially crafted requests to domain controllers. The vulnerability stems from improper input validation (CWE-20) and enables complete system compromise with high impact to confidentiality, integrity, and availability. Patch available per vendor advisory; no public exploit identified at time of analysis. CVSS 8.0 severity reflects adjacent network attack vector requiring low-privilege authentication but trivial attack complexity with no user interaction.
Technical ContextAI
This vulnerability exists in the Windows Active Directory Domain Services (AD DS) component, which provides authentication and authorization services for Windows domain environments. The affected products span all currently supported Windows Server versions from 2012 R2 (build 6.3.9600) through the latest 2025 release (build 10.0.26100), including both full GUI and Server Core installation options. The root cause is CWE-20 (Improper Input Validation), indicating that AD DS fails to properly validate or sanitize input data received through network requests. This class of vulnerability typically occurs when applications trust data from external sources without sufficient verification, allowing attackers to inject malicious payloads that trigger unintended code execution. The adjacent network attack vector (AV:A) indicates the attacker must be on the same local network segment as the domain controller, such as a compromised workstation on the corporate LAN or a rogue device connected to the internal network.
RemediationAI
Apply Microsoft-released security updates immediately to all Active Directory domain controllers. Vendor-released patches: Windows Server 2012 R2 upgrade to build 6.3.9600.23132 or later, Windows Server 2016 upgrade to build 10.0.14393.9060 or later, Windows Server 2019 upgrade to build 10.0.17763.8644 or later, Windows Server 2022 upgrade to build 10.0.20348.5020 or later, Windows Server 2022 23H2 Edition upgrade to build 10.0.25398.2274 or later, Windows Server 2025 upgrade to build 10.0.26100.32690 or later. Prioritize patching domain controllers based on their exposure to potentially compromised network segments. Implement network segmentation to restrict adjacent network access to domain controllers, enforce principle of least privilege for domain accounts, and monitor for anomalous authentication patterns or lateral movement. Full security update details and installation guidance available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33826.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22645
GHSA-495g-jr6v-pch8