Windows Kerberos Denial of Service Vulnerability

Monitor | CVSS 6.5 | CVE-2026-42903 | Jun 9, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A null pointer dereference in Windows Kerberos allows an authorized attacker to crash the Kerberos service on domain controllers or member servers, preventing authentication and disrupting network operations. The vulnerability requires valid domain credentials and network access to port 88.

What this means
What could happen
An attacker with valid credentials could crash the Kerberos authentication service on your domain controller or member server, making domain authentication unavailable and disrupting all networked operations that depend on it.
Who's at risk
All organizations running Windows 10 (versions 1607–22H2) or Windows Server (2016–2025) should apply this update. This includes domain controllers, member servers, and any systems performing Kerberos authentication in Active Directory environments.
How it could be exploited
An attacker with valid network credentials sends a specially crafted Kerberos request to a domain controller or member server. The Kerberos service processes the request, hits a null pointer dereference, and crashes. Authentication stops working until the service is restarted.
Prerequisites
  • Valid domain credentials (user account)
  • Network access to port 88 (Kerberos)
Tags: remotely exploitable, requires valid credentials, affects authentication infrastructure, could disrupt all domain operations
Exploitability
Unlikely to be exploited — EPSS score 0.9%
Affected products (26)
26 with fix

Product                                              | Affected Versions | Fix Status
Windows 10 Version 1809 for 32-bit Systems           | All versions      | Build 10.0.17763.8880
Windows 10 Version 1809 for x64-based Systems        | All versions      | Build 10.0.17763.8880
Windows Server 2019                                  | All versions      | Build 10.0.17763.8880
Windows Server 2019 (Server Core installation)       | All versions      | Build 10.0.17763.8880
Windows Server 2022                                  | All versions      | Build 10.0.20348.5256
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to port 88 (Kerberos) to domain member systems only, blocking external networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply the 2026-Jun security update to all affected Windows 10 and Windows Server systems
HOTFIX: Prioritize patching domain controllers and member servers that run Kerberos services