Severity by source
AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Integer overflow or wraparound in Windows Kerberos allows an authorized attacker to execute code over an adjacent network.
AnalysisAI
Remote code execution in Microsoft Windows Kerberos implementation allows an authenticated attacker on an adjacent network segment to trigger an integer overflow and execute arbitrary code. The flaw is rated CVSS 7.1 (High) with high attack complexity and requires low-level privileges, and at the time of analysis there is no public exploit identified. Because Kerberos is a core authentication service in Windows domain environments, successful exploitation has direct implications for domain trust and identity security.
Technical ContextAI
The vulnerability lies in Microsoft's Windows Kerberos authentication subsystem, which implements the Kerberos v5 protocol (RFC 4120) for ticket-based authentication across Active Directory environments. The root cause is CWE-190 (Integer Overflow or Wraparound), in which arithmetic operations on attacker-influenced size or length fields wrap past their numeric bounds, producing an undersized buffer allocation or an out-of-bounds index that subsequent code treats as valid. Tagging as both Integer Overflow and Buffer Overflow suggests the wraparound ultimately feeds a memory copy or parsing routine inside Kerberos message handling (likely AS-REQ/TGS-REQ or related PA-DATA structures), corrupting adjacent memory and enabling code execution within the Kerberos service context.
RemediationAI
Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47288 to all affected Windows clients and especially to domain controllers, where the Kerberos service is most exposed and most consequential; patch status here is best characterized as patch available per vendor advisory because an exact fixed build was not included in the supplied data. Until patches are deployed, compensating controls should focus on shrinking the adjacent-network attack surface: segment domain controllers onto management VLANs that exclude general user and guest traffic, enforce 802.1X or NAC on segments that host DCs to keep unauthorized devices off the same broadcast domain, and disable or restrict legacy Kerberos transports if not required (note that tightening UDP/88 or TCP/88 reachability will break authentication for any client that legitimately sits on a now-blocked segment, so validate site topology first). Monitor Kerberos service crashes and unexpected lsass.exe restarts as a detection signal for exploitation attempts.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35699
GHSA-f3mm-ch2c-m27j