CVE-2026-49164 – Windows Active Directory Domain Services Remote Code Execution Vulnerability

CVSS 8.1 IMPORTANT Critical or Zero Day – Immediate Deployment

“When attackers can target the heart of identity management, the entire enterprise is placed at risk.”

A heap-based buffer overflow vulnerability in Windows Active Directory Domain Services (AD DS) allows an unauthorized attacker to execute arbitrary code over the network. Although successful exploitation requires a high level of attack complexity, no authentication or user interaction is required. Microsoft has released security updates to address this vulnerability across affected Windows client and server platforms.

CVSS Score: 8.1

SEVERITY: Critical

THREAT:
This vulnerability affects Windows Active Directory Domain Services, a core component of enterprise identity and authentication. An attacker can exploit a heap-based buffer overflow to execute arbitrary code remotely over the network without requiring authentication. If successfully exploited, the vulnerability could allow complete compromise of the affected system, making domain infrastructure a high-value target.

EXPLOITS:
At the time of publication, the vulnerability has not been publicly disclosed and Microsoft has not detected active exploitation. Microsoft assesses exploitation as unlikely due to the high attack complexity required. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the provided information does not confirm the existence of publicly available proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by a heap-based buffer overflow (CWE-122) in Windows Active Directory Domain Services. By sending specially crafted network requests, an attacker may trigger memory corruption that leads to arbitrary code execution. Although exploitation requires additional preparation of the target environment, as reflected by the High attack complexity rating, successful exploitation can result in high impact to confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected products include Windows 10 Versions 1607, 1809, 21H2, and 22H2, Windows 11 Versions 24H2, 25H2, and 26H1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025, including the listed Server Core installations. Exploitation is performed over the network and requires no privileges and no user interaction, but does require additional preparation of the target environment.

BUSINESS IMPACT:
Active Directory Domain Services is central to authentication and access control in Windows environments. A successful remote code execution attack against AD DS could allow attackers to compromise identity infrastructure, execute malicious code, disrupt authentication services, steal sensitive information, and potentially gain control over critical enterprise resources. Organizations should treat vulnerabilities affecting domain services as high priority because of their potential to impact the entire network.

WORKAROUND:
No mitigations or workarounds are available. Microsoft recommends deploying the appropriate security updates to all affected systems.

URGENCY:
This vulnerability should be deployed urgently because it is rated Critical with a CVSS v3.1 base score of 8.1. While Microsoft considers exploitation unlikely due to the high attack complexity, the vulnerability allows unauthenticated remote code execution against Active Directory Domain Services. Prompt patching is recommended to protect one of the most critical components of enterprise infrastructure.

Key Details

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
CWE Classification
CWE-122
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.