CVE-2026-47288: Windows Kerberos Key Distribution Center (KDC) Remote Code Execution
Integer overflow or wraparound in Windows Kerberos allows an authorized attacker to execute code over an adjacent network.
Metrics
- CVSS v3.1
- 7.1
- Severity
- HIGH
- Fixed in
- 6.2.9200.26132
- Affected Products
- 11
HarborGuard Analysis
Synopsis
An integer overflow in Windows Kerberos (the Key Distribution Center component) allows an attacker with a low-privilege account on the same network segment to execute arbitrary code on the target host. The flaw is reachable over an adjacent network (LAN, VPN, or similar), requires a valid low-privilege credential, and does not need any victim interaction. Successful exploitation gives the attacker full control over the affected system. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows Server releases.
HarborGuard Coverage
Detection of CVE-2026-47288 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and CI/CD pipelines, including custom-built Windows Server base images. Coverage extends to all eight affected product ranges listed in the advisory.
AvailableHarborGuard is capable of scoring this CVE at CVSS 7.1 (HIGH) and weighting that score against each customer environment's compliance policy to determine urgency. Findings are routed automatically to the appropriate team inbox within each customer organization based on policy-defined ownership rules.
AvailablePatched-image rebuilds at the fix versions (6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, and 10.0.20348.5256) are available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard is capable of performing a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityDetail
The attacker must be on an adjacent network such as a LAN, VPN segment, or similar layer-2 or layer-3 boundary; remote exploitation over the open internet is not possible.
- AuthenticationRequired
A low-privilege account is sufficient; the attacker must authenticate to the Kerberos service with any valid domain credential before the overflow is reachable.
- Victim interactionNot required
No action by a logged-in user or administrator is needed; the attacker can trigger the overflow through their own requests to the KDC.
- Attack complexityDetail
Attack complexity is high, meaning the exploit depends on specific environmental conditions such as race conditions or memory layout factors that the attacker cannot fully control and may require repeated attempts.
Blast Radius
- The attacker executes arbitrary code in the context of the KDC service process, gaining the ability to run any command on the Domain Controller hosting it.
- All Kerberos ticket issuance and authentication for the domain passes through the KDC, so a compromised KDC exposes stored Kerberos secrets, ticket-granting ticket keys, and cached credential material.
- The attacker can forge Kerberos tickets (golden ticket scenario), granting persistent authenticated access to any service in the domain without valid credentials.
- The KDC process and its host can be crashed or made unavailable, blocking domain authentication for all users and services that rely on that Domain Controller.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of the CVE being published, matching against all Windows Server images in customer registries and pipelines. Patched-image rebuilds at the five fix versions are available for any environment running an affected release (Windows Server 2012 through 2019, including Server Core variants). For customers who opt into auto-remediation, HarborGuard can rebuild the image at the patched version, run a regression test, and open a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with full CVSS context and fix-version details so the owning team can act manually. Given that exploitation requires adjacent-network access and a valid credential, customers should also consider network policy rules that restrict which hosts can reach KDC ports (TCP/UDP 88) as a compensating control until the patched image is deployed.
Fix available
- Microsoft / Windows Server 2012< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation)< 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation)< 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation)< 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation)< 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022< 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025< 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation)< 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C