HIGH | CVE-2026-45648 | CNA: microsoft

CVE-2026-45648: Windows Active Directory Domain Services Remote Code Execution Vulnerability

Stack-based buffer overflow in Active Directory Domain Services allows an authorized attacker to execute code over a network.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 10.0.20348.5256
  • Affected Products: 3


HarborGuard Analysis

Synopsis

Stack-based buffer overflow in Windows Active Directory Domain Services allows a network-reachable attacker with a low-privilege account to execute arbitrary code on affected domain controllers. The vulnerability is exploitable over the network without victim interaction, and successful exploitation gives the attacker full control of the target system, including read, write, and crash capabilities. Patched-image rebuilds at versions 10.0.20348.5256 and 10.0.26100.32995 are available on HarborGuard for environments running affected versions of Windows Server 2022 or Windows Server 2025.

HarborGuard Coverage

Detection

Detection of CVE-2026-45648 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that include the affected Windows Server base layers, not just official Microsoft images.

Status: Available

Triage

HarborGuard can score this CVE at CVSS 8.8 (HIGH) and weight findings against each customer environment's compliance policy before routing alerts to the appropriate team inbox. Per-environment policy configuration determines escalation priority and assignment within each customer org.

Status: Available

Patch

For environments running a vulnerable version of Windows Server 2022 or 2025, a patched-image rebuild at the applicable fix version (10.0.20348.5256 or 10.0.26100.32995) becomes available through HarborGuard once the upstream update is ingested. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Active Directory Domain Services endpoint over the network; the service must be exposed to the attacker's network segment.

  • Authentication: Required

    Any low-privilege domain account is sufficient; no administrative or elevated credentials are needed to trigger the overflow.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user to carry out the exploit.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions, special memory layout, or unusual environmental factors are required.

Blast Radius

  • Reads sensitive Active Directory data, including credential material, account hashes, and directory objects stored on the domain controller.
  • Modifies directory objects, group memberships, and access-control entries, enabling persistent privilege escalation across the domain.
  • Crashes the Active Directory Domain Services process, disrupting authentication and authorization for every system in the domain.
  • Full remote code execution on the domain controller gives the attacker a foothold to pivot laterally to other domain-joined hosts.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45648 is active across all connected registries and pipelines, matching images against both fix versions (10.0.20348.5256 for Windows Server 2022 and 10.0.26100.32995 for Windows Server 2025 and Server Core).

Where compliance policy permits, HarborGuard can trigger a patched-image rebuild the moment the updated base layer is ingested, then run a regression test pass and open a PR against affected workloads. For environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with fix-version details so engineering teams can prioritize the update manually.

Given the scope of a domain controller compromise, network-policy controls that restrict which hosts can reach Active Directory services on TCP/UDP 389 and 636 are a practical compensating control while patching is scheduled.

Fix available

  • 10.0.20348.5256
  • 10.0.26100.32995

Affected packages

  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C