Severity by source
Sources disagree (Medium–Critical)AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Heap-based buffer overflow in Microsoft Windows DNS allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows DNS allows an authenticated low-privileged user to gain elevated privileges via a heap-based buffer overflow (CWE-122). The CVSS 7.0 score reflects high attack complexity and local-only access, and no public exploit is identified at time of analysis. The flaw was reported privately by Microsoft (MSRC) and is tracked under MSRC advisory CVE-2026-41108.
Technical ContextAI
The vulnerability resides in the Windows DNS component, which on workstation builds handles client-side resolution and on Windows Server typically backs Active Directory-integrated DNS zones. CWE-122 (Heap-based Buffer Overflow) indicates that input handled by the DNS code path is written past the bounds of a dynamically allocated buffer, corrupting adjacent heap metadata or object pointers. Successful manipulation of the corrupted heap can be steered into arbitrary code execution or token/structure overwrite, which on a service running with SYSTEM-level rights (as Windows DNS components typically do) yields full local privilege escalation.
RemediationAI
Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-41108 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41108 as the primary fix; exact patched build numbers are published per-OS in that guide and should be matched to your Windows client and Windows Server inventory via WSUS, Intune, or SCCM. As compensating controls until patching completes, restrict interactive and remote logon to DNS-hosting servers to administrators only (limits the PR:L precondition), enforce LAPS and minimize local accounts on workstations to shrink the attacker pool, and on DNS servers consider temporarily disabling non-essential DNS features the advisory ties to the bug once Microsoft documents them - note this can break name resolution for dependent services such as Active Directory, so test in a maintenance window. Generic AppLocker / WDAC policies that block unsigned code from low-privileged contexts further raise the bar for staging the exploit but do not prevent the overflow itself.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35643
GHSA-xw2q-5wq4-7mx8