Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

Description

Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network.

Affected Products

Vendor	Product	Versions
Microsoft	Windows 10 Version 1607	10.0.14393.0, 10.0.17763.0, 10.0.19044.0, 10.0.19045.0, 10.0.22631.0, 10.0.22631.0, 10.0.26100.0, 10.0.26200.0, 10.0.28000.0, 10.0.14393.0, 10.0.14393.0, 10.0.17763.0, 10.0.17763.0, 10.0.20348.0, 10.0.25398.0, 10.0.26100.0, 10.0.26100.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
microsoft	windows 10 version	mitre_affected	90%
microsoft	windows 11 version 22h3	mitre_affected	90%
microsoft	windows 11 version 26h1	mitre_affected	90%
microsoft	windows	mitre_affected	90%
microsoft	windows server 2016 (server core installation)	mitre_affected	90%

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32071(vendor-advisory, patch)

Related News (2 articles)

Tier C

VulDB4h ago

CVE-2026-32071 | Microsoft Windows up to Server 2025 Local Security Authority Subsystem Service null pointer dereference

→ No new info (linked only)

Tier A

Microsoft MSRC8h ago

CVE-2026-32071 Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

→ No new info (linked only)

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

10.0.14393.906010.0.17763.864410.0.19044.718410.0.19045.718410.0.22631.693610.0.26100.3269010.0.26200.824610.0.28000.183610.0.20348.502010.0.25398.2274

CWECWE-476

PublishedApr 14, 2026

Last enriched4h agov3