Skip to main content

Windows Kerberos CVE-2026-42903

| EUVDEUVD-2026-35592 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-09 secure@microsoft.com GHSA-r6fw-8v76-p9qq
6.5
CVSS 3.1 · NVD
Temporal: 5.7
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CIRCL (temporal)
5.7 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 19:01 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 6.5

DescriptionNVD

Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network.

AnalysisAI

Null pointer dereference in Windows Kerberos enables an authenticated network attacker to crash the Kerberos service, causing denial of service. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation is achievable over the network by any low-privilege authenticated user with no user interaction required, resulting in high availability impact (A:H) with no confidentiality or integrity consequences. No active exploitation confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Technical ContextAI

Windows Kerberos is Microsoft's implementation of the Kerberos v5 authentication protocol, central to Active Directory domain authentication. CWE-476 (Null Pointer Dereference) identifies the root cause: a missing null check before a pointer dereference in the Kerberos processing code. When a specially crafted Kerberos message reaches the affected code path, the process attempts to dereference a null pointer, triggering an access violation that crashes the service. Given the network attack vector (AV:N) and low complexity (AC:L), the triggering condition is reachable through standard Kerberos protocol interactions, likely in authentication request parsing or ticket handling logic. Affected systems are primarily Windows hosts participating in Active Directory environments, including Domain Controllers and member servers. No CPE strings were provided in the source data; exact affected build numbers must be confirmed via the MSRC advisory.

RemediationAI

Apply the Microsoft security update detailed in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42903. Exact patch version numbers are not confirmed from the available data and must be verified directly via that advisory - do not rely on inferred version numbers. As a compensating control prior to patching, restrict access to Kerberos service ports (TCP/UDP 88) using network segmentation or host-based firewall rules to limit exposure to trusted network segments and authenticated endpoints only; note this trade-off may disrupt legitimate cross-segment authentication. Additionally, monitor Domain Controllers for anomalous Kerberos service crashes or authentication failures, which may indicate active exploitation attempts. For environments where immediate patching is not possible, consider limiting which accounts can initiate Kerberos authentication requests from untrusted segments, though this may impact normal domain operations.

Share

CVE-2026-42903 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy