Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionNVD
Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network.
AnalysisAI
Null pointer dereference in Windows Kerberos enables an authenticated network attacker to crash the Kerberos service, causing denial of service. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation is achievable over the network by any low-privilege authenticated user with no user interaction required, resulting in high availability impact (A:H) with no confidentiality or integrity consequences. No active exploitation confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Technical ContextAI
Windows Kerberos is Microsoft's implementation of the Kerberos v5 authentication protocol, central to Active Directory domain authentication. CWE-476 (Null Pointer Dereference) identifies the root cause: a missing null check before a pointer dereference in the Kerberos processing code. When a specially crafted Kerberos message reaches the affected code path, the process attempts to dereference a null pointer, triggering an access violation that crashes the service. Given the network attack vector (AV:N) and low complexity (AC:L), the triggering condition is reachable through standard Kerberos protocol interactions, likely in authentication request parsing or ticket handling logic. Affected systems are primarily Windows hosts participating in Active Directory environments, including Domain Controllers and member servers. No CPE strings were provided in the source data; exact affected build numbers must be confirmed via the MSRC advisory.
RemediationAI
Apply the Microsoft security update detailed in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42903. Exact patch version numbers are not confirmed from the available data and must be verified directly via that advisory - do not rely on inferred version numbers. As a compensating control prior to patching, restrict access to Kerberos service ports (TCP/UDP 88) using network segmentation or host-based firewall rules to limit exposure to trusted network segments and authenticated endpoints only; note this trade-off may disrupt legitimate cross-segment authentication. Additionally, monitor Domain Controllers for anomalous Kerberos service crashes or authentication failures, which may indicate active exploitation attempts. For environments where immediate patching is not possible, consider limiting which accounts can initiate Kerberos authentication requests from untrusted segments, though this may impact normal domain operations.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35592
GHSA-r6fw-8v76-p9qq