CVE-2026-45648 – Windows Active Directory Domain Services Remote Code Execution Vulnerability

CVE-2026-45648 is a Critical remote code execution vulnerability in Windows Active Directory Domain Services caused by a stack-based buffer overflow. A domain-authenticated attacker with access to the NSPI RPC interface could send crafted input that triggers memory corruption in the directory service process. Successful exploitation could allow remote code execution without user interaction.

CVSS Score: 8.8
SEVERITY: Critical
THREAT:
This vulnerability threatens Active Directory Domain Services, a core identity and access control component. Any authenticated attacker could potentially trigger the flaw over the network without needing admin privileges or user interaction.

EXPLOITS:
Publicly Disclosed: No.
Exploited: No.
Exploitability Assessment: Exploitation Unlikely.
No public exploit, zero-day exploitation, or proof-of-concept code is confirmed in the provided data.

TECHNICAL SUMMARY:
CVE-2026-45648 is caused by a stack-based buffer overflow, identified as CWE-121, in Active Directory Domain Services. A domain-authenticated attacker with access to the NSPI RPC interface can provide crafted inputs that trigger an out-of-bounds write in the directory service process. This memory corruption may lead to remote code execution. The CVSS v3.1 metrics show network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact to confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected software includes Windows Server 2022, Windows Server 2022 Server Core, Windows Server 2025, and Windows Server 2025 Server Core.
Exploitation requires domain authentication and access to the NSPI RPC interface. It does not require administrator privileges or user interaction.

BUSINESS IMPACT:
This vulnerability is dangerous because Active Directory is central to enterprise authentication, authorization, and trust. Successful exploitation could lead to service compromise, identity abuse, data exposure, disruption of authentication services, and broader movement across the Windows domain.

WORKAROUND:
No mitigations or workarounds are listed.
Where patching is delayed, restrict access to domain controllers, monitor NSPI RPC activity, review low-privileged domain accounts, and limit unnecessary network paths to AD DS servers.
URGENCY:
This patch should be prioritized because the vulnerability is Critical, network-accessible, and affects Active Directory Domain Services. Even though exploitation is assessed as unlikely, successful exploitation could place domain infrastructure at serious risk.