CVE-2026-41108: Windows DNS Client Elevation of Privilege Vulnerability
Heap-based buffer overflow in Microsoft Windows DNS allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1
- 7.0
- Severity
- HIGH
- Fixed in
- 6.2.9200.26132
- Affected Products
- 20
HarborGuard Analysis
Synopsis
A heap-based buffer overflow in the Microsoft Windows DNS client allows a local attacker to elevate privileges on the affected host. The vulnerability is reachable locally and requires a low-privilege account; no interaction from another user is needed. Successful exploitation gives the attacker full control over the host, including the ability to read, modify, or destroy any data and crash running services. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows versions.
HarborGuard Coverage
Detection of CVE-2026-41108 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream Microsoft and NVD feeds. Coverage extends to custom-built Windows container images alongside images pulled from public and private registries.
AvailableHarborGuard is capable of scoring this CVE at CVSS 7.0 (High) and applying per-environment compliance policy weighting to determine urgency before routing findings to the appropriate team inbox within each customer organization.
AvailableA patched-image rebuild at the applicable fix version (up to 10.0.26100.8655 for Windows 11 24H2 and the corresponding builds for each affected release) becomes available on HarborGuard once upstream packages are published. For customers who opt into auto-remediation, HarborGuard is capable of running a regression test suite and opening a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- AuthenticationRequired
Any low-privilege local account is sufficient to attempt exploitation; no administrative credentials are needed.
- Victim interactionNot required
The attacker can trigger the overflow entirely on their own without any action from another user.
- Attack complexityDetail
Exploitation is rated High complexity, meaning the attacker must meet specific conditions such as timing constraints, memory layout requirements, or other environmental factors that are not always guaranteed.
Blast Radius
- A successful attacker gains full read access to all data on the host, including credentials, session tokens, and application secrets stored in memory or on disk.
- The attacker can write or modify any file and data on the system, including security policy configuration and audit logs.
- The attacker can terminate or crash any running process or service on the host, causing a local denial of service.
- Because all three impact dimensions are rated High, the attacker effectively achieves full local system compromise from a standard user account.
How HarborGuard Handles This
Available on HarborGuard: once Microsoft publishes updated Windows base-layer packages at the fix versions listed for each affected release, HarborGuard is capable of making a patched-image rebuild available for any customer image that layers on an affected Windows version. For customers who opt into auto-remediation, HarborGuard can rebuild the image, execute a regression test run, and open a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with CVSS context and fix-version guidance so teams can act manually. Until images are rebuilt, compensating controls worth considering include restricting interactive shell access to container workloads via Kubernetes admission policies and auditing which service accounts carry local administrator rights inside Windows containers.
Fix available
- Microsoft / Windows 10 Version 1607< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2< 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2< 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2< 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2< 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2< 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1< 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C