Microsoft has released a security update that patches CVE-2026-42903, a denial-of-service vulnerability in the Kerberos authentication protocol, as part of the June 2026 Patch Tuesday cycle. The flaw, disclosed on June 9, 2026, can allow an unauthenticated remote attacker to disrupt essential Active Directory services by crashing domain controllers. Administrators managing Windows domains must treat this update as a top priority to prevent potential outages.

What Is CVE-2026-42903?

CVE-2026-42903 is a vulnerability in the Windows implementation of Kerberos, the core authentication protocol for Active Directory domains. An attacker can exploit this flaw by sending a specially crafted request to the Kerberos Key Distribution Center (KDC) service, which runs on domain controllers. Successful exploitation causes the KDC service to become unresponsive, effectively halting all authentication within the domain. Microsoft has rated the vulnerability as Important with a CVSSv3 score of 7.5.

The vulnerability stems from improper handling of malformed ticket requests, leading to resource exhaustion. Unlike more aggressive remote-code-execution flaws, this is a pure denial-of-service (DoS) issue, but its impact on business continuity is severe: without a functioning KDC, users cannot log in, services cannot authenticate, and hundreds of dependent processes grind to a halt.

Understanding Kerberos and Its Role in Active Directory

Kerberos has been the default authentication protocol for Windows domains since Windows 2000. It relies on a trusted third party, the KDC, to issue tickets that prove the identity of users and services. The KDC is a critical component of every Active Directory domain controller. Any disruption to the KDC service immediately breaks authentication across the entire domain, preventing users from accessing file shares, email, internal web applications, and all other network resources.

Because domain controllers are the linchpin of enterprise identity, they are often targeted by denial-of-service attacks. A single vulnerable domain controller can be taken offline, and if redundant controllers are not configured or are similarly exploitable, the entire authentication infrastructure can collapse.

Technical Details of the Vulnerability

Exploitation Mechanics

CVE-2026-42903 exploits how the KDC parses AS-REQ (Authentication Service Request) messages. An attacker can send a sequence of malformed requests that trigger infinite loops or excessive memory allocation within the KDC process (lsass.exe). The attack does not require prior authentication and can be executed with low network privileges over TCP or UDP port 88.

Microsoft’s advisory notes that the vulnerability is not wormable but can be combined with other network‑based attacks to prolong an outage. The attack vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, meaning low complexity, no user interaction, and a high impact on availability.

Impact on Domain Services

Once the KDC crashes, the immediate effects are:
- User authentication failures – all logon attempts fail, including remote desktop, VPN, and Wi‑Fi 802.1x.
- Service-to-service authentication breaks – SQL Server, Exchange, and other domain-joined applications cannot communicate.
- Trust relationships with other domains or forests become unusable.
- Replication between domain controllers may stall if the primary KDC is also the global catalog server.

In environments with a single domain controller, the outage is total. Even in multi‑DC deployments, an attacker can cycle through targets, making recovery difficult.

Affected Systems and Software

All supported versions of Windows that host the Active Directory Domain Services role are vulnerable. The complete list, according to Microsoft’s June 2026 Security Update Guide, includes:

| Product | Impact |
| --- | --- |
| Windows Server 2026 | Denial of Service |
| Windows Server 2025 (all editions) | Denial of Service |
| Windows Server 2022 (all editions) | Denial of Service |
| Windows Server 2019 (all editions) | Denial of Service |
| Windows Server 2016 (all editions) | Denial of Service |
| Windows 11 (if Active Directory Lightweight Directory Services role is installed) | Denial of Service |
| Windows 10 (if Active Directory Lightweight Directory Services role is installed) | Denial of Service |

Client operating systems are only affected if they run the KDC service (e.g., via AD LDS). Standard Windows 10/11 installations are not directly vulnerable, but they will be unable to authenticate if their domain controller's KDC is taken down.

Severity and CVSS Score

Microsoft’s assigned severity is Important, though many security researchers argue it should be Critical given the operational impact. The CVSS v3.1 vector string is:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  • Base Score: 7.5 (High)
  • Temporal Score: Pending exploit availability, but expect higher if proof‑of‑concept code appears.

June 2026 Patch Tuesday: KB Articles and Updates

On June 9, 2026, Microsoft released the following security updates to address CVE-2026-42903:

| Product | Update KB | Required Action |
| --- | --- | --- |
| Windows Server 2026 | KB5062801 | Install Cumulative Update |
| Windows Server 2025 | KB5062802 | Install Cumulative Update |
| Windows Server 2022 | KB5062803 | Install Cumulative Update |
| Windows Server 2019 | KB5062804 | Install Cumulative Update |
| Windows Server 2016 | KB5062805 | Install Cumulative Update |

These updates modify kdcsvc.dll to properly sanitize malformed AS-REQ requests. Applying the patch on all domain controllers is the only complete mitigation.

Mitigation and Workarounds

Apply the Update Promptly

Microsoft strongly recommends installing the June 2026 security updates on every domain controller as soon as possible. The patch is cumulative and includes all previous fixes. In most cases it does not require a reboot when the Active Directory Domain Services role is installed, but a restart is still recommended to ensure the updated service binary is actually loaded.

Temporary Workarounds

If no patch can be deployed immediately, the following measures can partially reduce risk:

  1. Restrict network access to Domain Controllers – Use firewall rules to allow TCP/UDP port 88 only from trusted subnets. Block access from guest networks, VPN pools, and external interfaces.
  2. Disable UDP for Kerberos – Setting HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize to 1 forces all traffic to TCP, which may mitigate some malformed packet attacks. However, this can cause performance issues and is not fully tested against this CVE.
  3. Enable extended protection for authentication – Although this does not directly block the DoS, it reduces the exposure to related relay attacks.

Caution: Workarounds are not a substitute for the security update. Test them carefully in a lab before implementing in production.
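As an added illustration of workarounds 1 and 2 (a script written for this page, not one from Microsoft or the advisory), the PowerShell below scopes a domain controller's existing inbound port-88 rules to trusted subnets, adds explicit block rules for untrusted ranges, and sets the MaxPacketSize value named above. The subnet lists are constructed placeholders and must be replaced with your own ranges.

```powershell
#Requires -RunAsAdministrator
# Added example, not from Microsoft or this article: interim network hardening
# for a domain controller's KDC port while the June 2026 update is pending.
# ASSUMPTION: subnet lists are constructed placeholders; trusted subnets must
# include every client/server range that needs to authenticate, plus other DCs.
$TrustedSubnets = @('10.10.0.0/16', '10.20.5.0/24')
$BlockedSubnets = @('10.99.0.0/16', '192.168.50.0/24')   # guest Wi-Fi, VPN pool

# Workaround 1: narrow every existing inbound Allow rule for local port 88 to
# the trusted subnets. Windows Firewall evaluates Block rules before Allow
# rules, so a broad Block-Any rule would also cut off trusted clients and DCs.
$kdcAllowRules = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 88 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

foreach ($rule in $kdcAllowRules) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $TrustedSubnets
    Write-Host "Scoped '$($rule.DisplayName)' to trusted subnets"
}

# Explicit Block rules for the ranges the article says to cut off, so a later
# GPO or role re-install that re-opens port 88 does not silently undo step 1.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Block Kerberos $proto from untrusted ($proto-In)" `
        -Direction Inbound -Protocol $proto -LocalPort 88 `
        -RemoteAddress $BlockedSubnets -Action Block -Profile Any | Out-Null
}

# Workaround 2: the MaxPacketSize value named in the article (forces Kerberos
# over TCP). Apply only after lab testing, as the article cautions.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $kerbParams)) { New-Item -Path $kerbParams -Force | Out-Null }
Set-ItemProperty -Path $kerbParams -Name 'MaxPacketSize' -Value 1 -Type DWord

# Verification: warn about any enabled Allow rule that still opens port 88 to Any.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 88 } | Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') { Write-Warning "'$($_.DisplayName)' still allows port 88 from Any" }
    }
```

The final verification loop is the check to keep running after any firewall GPO refresh; an Allow rule back at "Any" means the workaround has been undone.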

Best Practices for Kerberos Security

Beyond patching, organizations should adopt a defense‑in‑depth posture for domain controllers:
- Segment domain controllers into a dedicated management VLAN.
- Limit the number of accounts with administrative access to domain controllers.
- Monitor event logs for anomalous KDC errors (Event ID 14, 37) and unexpected lsass.exe crashes.
- Deploy redundant domain controllers in each site to maintain availability if one is targeted.
- Use Microsoft Defender for Identity to detect Kerberos‑based attacks early.
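To act on the monitoring bullet above, here is an added PowerShell check (written for this page, not part of the article or any Microsoft tooling) that counts KDC events 14 and 37 and lsass.exe crash records on each listed domain controller over a time window. The KDC provider name, the "Application Error" / Event ID 1000 crash source and the alert threshold are my assumptions.

```powershell
# Added example, not from the article or Microsoft: summarise the detection
# signals the list above names (KDC events 14 and 37, lsass.exe crashes) per DC.
# ASSUMPTIONS: the KDC provider name, the 'Application Error' / Event ID 1000
# crash source and the threshold are mine; tune the threshold to your baseline.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Hours = 24,
    [int]$KdcErrorThreshold = 20
)

$since = (Get-Date).AddHours(-$Hours)

foreach ($dc in $ComputerName) {
    # KDC error events from the System log (newest first).
    $kdcEvents = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 14, 37
        StartTime    = $since
    })

    # Process-crash records (Application Error 1000) whose message names lsass.exe.
    $lsassCrashes = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = $since
    } | Where-Object { $_.Message -match 'lsass\.exe' })

    # A crashed lsass.exe on a DC means the KDC is down; a burst of KDC errors
    # without a crash is the earlier, softer signal worth a look.
    $status = if ($lsassCrashes.Count -gt 0) { 'CRITICAL' }
              elseif ($kdcEvents.Count -ge $KdcErrorThreshold) { 'WARNING' }
              else { 'OK' }

    [pscustomobject]@{
        DomainController = $dc
        KdcErrors        = $kdcEvents.Count
        LsassCrashes     = $lsassCrashes.Count
        LastKdcError     = if ($kdcEvents.Count) { $kdcEvents[0].TimeCreated } else { $null }
        Status           = $status
    }
}
```

Run it from a management host with `-ComputerName dc01,dc02` (assumed names) on a schedule and route any row whose Status is not OK into your existing alerting.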

The Broader Picture: Kerberos Vulnerabilities in 2025–2026

CVE-2026-42903 is the latest in a series of Kerberos‑related security issues that have emerged over the past eighteen months. In 2025, Microsoft patched CVE-2025-29054, a privilege escalation flaw in KDC ticket validation, and CVE-2025-30012, a remote code execution bug in the PAC verification logic. The recurrence of Kerberos flaws highlights the complexity of the protocol and the constant need for rigorous code auditing.

Industry analysts see a worrying trend: denial‑of‑service attacks are increasingly being used as a smokescreen for data exfiltration or extortion. A domain‑wide outage can force a company to pay a ransom to restore service, even if the attacker never penetrated deeper. Consequently, vulnerabilities that “only” crash services are now treated with the same urgency as full compromise bugs.

Conclusion and Call to Action

CVE-2026-42903 demonstrates that a single unpatched domain controller can bring an entire organization to a standstill. Microsoft’s June 2026 Patch Tuesday updates close this door and should be applied without delay. Administrators who cannot patch immediately must implement strict network isolation and monitor for early signs of exploitation.

Key takeaways:
- Patch all domain controllers – this is the only complete fix.
- Treat DoS vulnerabilities as critical – the business impact can be just as damaging as a data breach.
- Adopt a defense‑in‑depth strategy – segmentation, monitoring, and redundancy limit the blast radius of any Kerberos flaw.

For detailed deployment guidance, refer to the Microsoft Security Response Center’s advisory for CVE-2026-42903 and the June 2026 Patch Tuesday summary.