Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Stack-based buffer overflow in Active Directory Domain Services allows an authorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft Active Directory Domain Services allows an authenticated network attacker to trigger a stack-based buffer overflow (CWE-121) and execute arbitrary code on the targeted domain controller. With CVSS 8.8 (AV:N/AC:L/PR:L/UI:N) and high impact across confidentiality, integrity, and availability, successful exploitation could enable full domain compromise. There is no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Technical ContextAI
Active Directory Domain Services (AD DS) is the core directory and authentication service in Windows Server environments, exposing protocols such as LDAP, Kerberos, and RPC/DCE over the network. The root cause is CWE-121 (Stack-based Buffer Overflow), in which user-controlled input is written past the bounds of a fixed-size stack buffer, typically corrupting saved return addresses, frame pointers, or adjacent locals. On a domain controller, code executed through such a flaw runs in a highly privileged context, making the surrounding protocol parser or RPC interface a particularly attractive target. Specific affected component, protocol surface, and exact build numbers were not disclosed in the provided data and must be confirmed via the Microsoft MSRC advisory.
RemediationAI
Patch status: Patch available per vendor advisory; the exact fix build numbers were not included in the provided data and should be obtained from the Microsoft Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45648 and applied to all domain controllers and any servers running the AD DS role. Until patches are deployed, restrict network reachability of domain controllers to known administrative and member-server subnets via firewall/IPSec rules, tighten which accounts can authenticate to DCs (for example by limiting Authenticated Users where feasible and removing stale or unnecessary domain accounts), and monitor DC event logs and EDR telemetry for anomalous RPC, LDAP, or LSASS activity; note that aggressive network segmentation around DCs can disrupt legitimate replication, Group Policy, and authentication traffic if not scoped carefully.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35692
GHSA-gmq7-hvj8-4x66