External risk intelligence

Active Directory Domain Services Code Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-49164

The vulnerability affects Active Directory Domain Services. While these services are foundational to enterprise networks, they are designed to reside within internal, trusted perimeters and are not intended to be exposed directly to the public internet in standard deployment patterns.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Active Directory Domain Services, a core component of Microsoft's Windows operating system. This flaw, if exploited, could allow an unauthorized attacker to execute arbitrary code over a network, potentially leading to a compromise of critical systems. The main concern is confirming relevance and exposure to your environment.

  • Network attackers can run code remotely.
  • Affects core network identity and access services.
  • Confirm exposure to domain services.

Attack Path

How an attacker could exploit the issue

An attacker could reach and trigger this vulnerability by sending specially crafted requests over a network to Active Directory Domain Services. This could allow an unauthenticated attacker to execute code remotely, potentially leading to a compromise of the targeted system. The vulnerability resides within Active Directory Domain Services, a core component for managing network resources and user access.

  • No authentication required to access.
  • Network requests trigger overflow.
  • Remote code execution capability.

Live Threat

Current exploitation, exposure, and threat context

A heap-based buffer overflow in Active Directory Domain Services allows an unauthorized attacker to execute code over a network. This could lead to the compromise of the affected server, manipulation of directory data, and potentially broader domain compromise.

  • Active Directory Domain Services are at risk.
  • Code execution can occur over a network.
  • Domain-wide compromise is a realistic consequence.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Active Directory Domain Services requires immediate attention from teams responsible for identity and access management, and core infrastructure. The first practical step is to identify all instances of the affected Windows operating systems, confirm their network exposure and business criticality, and then assign an accountable owner for remediation planning.

  • Own by infrastructure and identity teams.
  • Verify AD DS network exposure and criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Active Directory Domain Services?

Active Directory Domain Services is a central identity management component built into Microsoft Windows operating systems. It acts as a database and a set of services that organizations use to manage network resources, user accounts, security policies, and computer authentication across their infrastructure. It is fundamental to how Windows-based networks verify who users are and what they are allowed to access.

What does CVE-2026-49164 mean technically?

CVE-2026-49164 is a heap-based buffer overflow, categorized as CWE-122. This weakness occurs when a program writes more data to a specific area of memory (the heap) than that area can hold. Because the software does not properly manage the size of incoming data, the excess information can overwrite adjacent memory, potentially allowing an attacker to inject and execute their own code.

How is this vulnerability triggered?

This flaw is triggered when an attacker sends specially crafted network requests to the Active Directory Domain Services component. Because the service processes these requests, an unauthorized person can reach the vulnerable memory area remotely. It is important to note that the attacker does not need to provide valid credentials or log in to the system to send these malicious requests.

Do I need to worry if my AD is internal?

Halo Surface Signal notes that while this vulnerability allows network-based attacks, Active Directory Domain Services are typically designed for internal, trusted perimeters rather than public exposure. If your domain controllers are not directly accessible from the public internet, the practical risk of external exploitation is significantly reduced. You should focus on verifying your internal network segmentation.

How should I respond to this threat?

Begin by identifying all servers in your environment running the affected Windows versions. Coordinate with your identity and infrastructure teams to verify the network configuration of these assets. Once you have an inventory, confirm which systems are critical to your operations and prioritize them for remediation, ensuring that an owner is assigned to plan and implement the necessary updates.

References