Description
Null pointer dereference in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to deny service over a network.
Published: 2026-02-10
Score: 7.5 High
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a null pointer dereference in the Lightweight Directory Access Protocol component of Windows Server. When an LDAP request is processed incorrectly, the flaw causes the LDAP service to crash, resulting in a denial of service. Because the vulnerability requires no authentication or special privileges, any remote actor able to send LDAP traffic to the target can trigger the crash and temporarily render the directory service unavailable.

Affected Systems

The vulnerability affects Microsoft Windows Server 2019, Windows Server 2019 Server Core, Windows Server 2022, Windows Server 2022 Server Core, Windows Server 2022 23H2, Windows Server 2025, and Windows Server 2025 Server Core installations.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of 1% suggests the likelihood of exploitation is low but not negligible. The flaw is not listed in CISA’s KEV catalog, meaning there is no confirmed widespread exploitation at this time. Attackers can exploit it remotely over LDAP traffic without authentication, so any host that accepts LDAP requests from an adversary could experience service interruption. While no specific payload format is detailed, the lack of authentication and the presence of a null pointer dereference imply that a crafted LDAP request can trigger the crash irrespective of the target’s role or configuration.

Generated by OpenCVE AI on June 18, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update that addresses the LDAP service null pointer dereference.
  • Restart the Windows LDAP service to ensure the update takes effect.
  • Configure firewall rules to restrict LDAP traffic to trusted sources only.



Advisories

No advisories yet.

History

Thu, 12 Feb 2026 12:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft windows Server 2019 (server Core Installation); Microsoft windows Server 2022, 23h2 Edition (server Core Installation); Microsoft windows Server 2025 (server Core Installation)
Vendors & Products | | Microsoft windows Server 2019 (server Core Installation); Microsoft windows Server 2022, 23h2 Edition (server Core Installation); Microsoft windows Server 2025 (server Core Installation)

Wed, 11 Feb 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft windows Server 2022 23h2
CPEs | | cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft windows Server 2022 23h2

Wed, 11 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Null pointer dereference in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to deny service over a network.
Title | | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
First Time appeared | | Microsoft; Microsoft windows Server 2019; Microsoft windows Server 2022; Microsoft windows Server 2025; Microsoft windows Server 23h2
Weaknesses | | CWE-476
CPEs | | cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft windows Server 2019; Microsoft windows Server 2022; Microsoft windows Server 2025; Microsoft windows Server 23h2
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-11T21:25:44.272Z

Reserved: 2025-12-11T21:02:05.735Z

Link: CVE-2026-21243

Vulnrichment

Updated: 2026-02-11T15:27:54.095Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:25.480

Modified: 2026-06-17T10:18:20.897

Link: CVE-2026-21243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T13:45:05Z

Weaknesses