CVE-2026-21243 - Vulnerability Details

- Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

Description

Null pointer dereference in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to deny service over a network.

Published: 2026-02-10

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A null pointer dereference in the Windows Lightweight Directory Access Protocol (LDAP) component allows an unauthorized attacker to trigger a service crash that renders the LDAP service unavailable. The flaw arises from improper handling of a null pointer and can be exploited by sending specially crafted LDAP requests.

Affected Systems

Microsoft Windows Server 2019, Windows Server 2019 Server Core, Windows Server 2022, Windows Server 2022 Server Core, Windows Server 2022 23H2, Windows Server 2025, and Windows Server 2025 Server Core installations are affected.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% shows a low but nonzero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation is inferred to occur remotely over the network by an unauthorized actor issuing crafted LDAP requests, which would cause the LDAP service to crash and deny availability to legitimate users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Microsoft

Windows Server 2019

affected

Version	Status	Constraints
`10.0.17763.0`	affected	< 10.0.17763.8389

Microsoft

Windows Server 2019 (Server Core installation)

affected

Version	Status	Constraints
`10.0.17763.0`	affected	< 10.0.17763.8389

Microsoft

Windows Server 2022

affected

Version	Status	Constraints
`10.0.20348.0`	affected	< 10.0.20348.4773

Microsoft

Windows Server 2022, 23H2 Edition (Server Core installation)

affected

Version	Status	Constraints
`10.0.25398.0`	affected	< 10.0.25398.2149

Microsoft

Windows Server 2025

affected

Version	Status	Constraints
`10.0.26100.0`	affected	< 10.0.26100.32370

Microsoft

Windows Server 2025 (Server Core installation)

affected

Version	Status	Constraints
`10.0.26100.0`	affected	< 10.0.26100.32370

Configuration 1 [-]

OR	cpe:2.3:o:microsoft:windows_server_2019::::::::
	cpe:2.3:o:microsoft:windows_server_2022::::::::
	cpe:2.3:o:microsoft:windows_server_2022_23h2::::::::
	cpe:2.3:o:microsoft:windows_server_2025::::::::

No data.

Vendor Product Confidence Versions

Microsoft

Windows Server 2019

—

Version	Status	Scheme	Platform
`[10.0.17763.0,10.0.17763.8389)`	affected	generic	['x64-based_systems']

Microsoft

Windows Server 2019 (server Core Installation)

—

Version	Status	Scheme	Platform
`[10.0.17763.0,10.0.17763.8389)`	affected	generic	['x64-based_systems']

Microsoft

Windows Server 2022

—

Version	Status	Scheme	Platform
`[10.0.20348.0,10.0.20348.4773)`	affected	generic	['x64-based_systems']

Microsoft

Windows Server 2022, 23h2 Edition (server Core Installation)

—

Version	Status	Scheme	Platform
`[10.0.25398.0,10.0.25398.2149)`	affected	generic	['x64-based_systems']

Microsoft

Windows Server 2025

—

Version	Status	Scheme	Platform
`[10.0.26100.0,10.0.26100.32370)`	affected	generic	['x64-based_systems']

Microsoft

Windows Server 2025 (server Core Installation)

—

Version	Status	Scheme	Platform
`[10.0.26100.0,10.0.26100.32370)`	affected	generic	['x64-based_systems']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any Microsoft security update that addresses CVE-2026-21243
Restart the Windows LDAP service to ensure the patch takes effect
Restrict LDAP traffic to trusted IP ranges using firewall rules

Generated by OpenCVE AI on April 15, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0009.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21243

History

Thu, 12 Feb 2026 12:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft windows Server 2019 (server Core Installation) Microsoft windows Server 2022, 23h2 Edition (server Core Installation) Microsoft windows Server 2025 (server Core Installation)
Vendors & Products		Microsoft windows Server 2019 (server Core Installation) Microsoft windows Server 2022, 23h2 Edition (server Core Installation) Microsoft windows Server 2025 (server Core Installation)

Wed, 11 Feb 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft windows Server 2022 23h2
CPEs		cpe:2.3:o:microsoft:windows_server_2022_23h2::::::::
Vendors & Products		Microsoft windows Server 2022 23h2

Wed, 11 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		Null pointer dereference in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to deny service over a network.
Title		Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
First Time appeared		Microsoft Microsoft windows Server 2019 Microsoft windows Server 2022 Microsoft windows Server 2025 Microsoft windows Server 23h2
Weaknesses		CWE-476
CPEs		cpe:2.3:o:microsoft:windows_server_2019:::::::: cpe:2.3:o:microsoft:windows_server_2022:::::::: cpe:2.3:o:microsoft:windows_server_2025:::::::: cpe:2.3:o:microsoft:windows_server_23h2::::::::
Vendors & Products		Microsoft Microsoft windows Server 2019 Microsoft windows Server 2022 Microsoft windows Server 2025 Microsoft windows Server 23h2
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21243
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}`

Subscriptions

Microsoft Windows Server 2019 Windows Server 2019 (server Core Installation) Windows Server 2022 Windows Server 2022, 23h2 Edition (server Core Installation) Windows Server 2022 23h2 Windows Server 2025 Windows Server 2025 (server Core Installation) Windows Server 23h2

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-02-10T17:51:43.963Z

Updated: 2026-04-10T13:21:29.930Z

Reserved: 2025-12-11T21:02:05.735Z

Link: CVE-2026-21243

Vulnrichment

Updated: 2026-02-11T15:27:54.095Z

NVD

Status : Analyzed

Published: 2026-02-10T18:16:25.480

Modified: 2026-02-11T20:41:23.863

Link: CVE-2026-21243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object