Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable DNS service but requires elevated DNS privileges (PR:H) and winning a use-after-free race (AC:H); scope change and full C/I/A impact reflect code execution in a system service.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Use after free in DNS Server allows an authorized attacker to execute code over a network.
AnalysisAI
Remote code execution in the Windows Server 2025 DNS Server role allows a privileged, authenticated attacker to run arbitrary code over the network by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw carries a CVSS 8.0 rating with a changed scope, meaning successful exploitation can affect resources beyond the vulnerable component. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be running the Windows Server 2025 DNS Server role, and the attacker must already hold high privileges against that service (CVSS PR:H) - this is not an unauthenticated internet drive-by. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) describes a network-reachable but genuinely constrained flaw: high attack complexity (AC:H) and high privileges (PR:H) are both required, which sharply narrows the realistic attacker population to someone who already holds elevated authenticated rights against the DNS service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already obtained privileged, authenticated access to a Windows Server 2025 DNS environment sends specially crafted DNS traffic that forces the server to reuse a freed memory object, corrupting execution state to run attacker-controlled code. Reliable exploitation requires winning a memory-timing condition (high attack complexity), so an unreliable attempt is more likely to crash the DNS service (denial of service) than achieve clean code execution. … |
| Remediation | Patch available per vendor advisory: apply the Microsoft security update for CVE-2026-49169 to all Windows Server 2025 systems running the DNS Server role, including Server Core deployments, via the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49169 (the exact patched build is not restated in the provided data - pull it from the advisory). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, begin immediate deployment of the Microsoft-issued patch to all Windows Server 2025 systems running the DNS Server role, prioritizing production DNS infrastructure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Windows Server 2025
View allWindows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables
Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker
Active Directory Domain Services contains an elevation of privilege vulnerability that allows authenticated domain users
Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the
Local privilege escalation in Microsoft Active Directory Federation Services (AD FS) lets an already-authenticated low-p
Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulne
Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation
Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote atta
In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptograph
Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables
Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a se
Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attack
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43981
GHSA-3f5f-3xp4-rx44