Full Report
Out-of-band or out of control? Microsoft has pushed out an out-of-band update to address the restart loop that hit some Windows Server devices after its April update.…
Analysis Summary
# Vulnerability: LSASS Crash and Boot Loop in Windows Server Domain Controllers
## CVE Details
- **CVE ID**: N/A (Functional Regression/Stability Issue introduced by KB5082063)
- **CVSS Score**: N/A (Availability Impact)
- **CWE**: CWE-404: Improper Shutdown or Release of Resource (Leading to LSASS instability)
## Affected Systems
- **Products**: Windows Server
- **Versions**: Windows Server 2016, 2019, 2022, 2025
- **Configurations**: Domain Controllers (DCs) in environments with multiple domains in a forest that utilize Privileged Access Management (PAM).
## Vulnerability Description
Following the installation of the April 2026 security update (specifically KB5082063), the Local Security Authority Subsystem Service (LSASS) suffers a critical failure during the system startup sequence. Because LSASS is responsible for enforcing security policies and handling user logins, its crash forces a system restart. In the described environment configurations, this results in a continuous "restart loop," effectively disabling authentication services and directory accessibility for the entire domain.
## Exploitation
- **Status**: Not exploited (Issue is a vendor-introduced regression/bug).
- **Complexity**: Low (Triggered automatically by system reboot post-patching).
- **Attack Vector**: Local (System-level service failure).
## Impact
- **Confidentiality**: None
- **Integrity**: None
- **Availability**: **High** (Renders Domain Controllers and dependent network resources offline).
## Remediation
### Patches
Microsoft has released out-of-band (OOB) updates to resolve the LSASS crash and restart loop:
- **Windows Server 2022**: KB5091575 (OS Build 20348.5024)
- **Other versions**: Hotpatches and OOB updates are available for Windows Server 2016 through 2025 via the Windows Update Catalog and standard update channels.
### Workarounds
- **Recovery Key**: For separate issues involving BitLocker recovery prompts triggered by the same April update, administrators should ensure they have access to BitLocker recovery keys.
- **Rollback**: Uninstall the initial April security update (KB5082063) if the OOB fix cannot be applied immediately. This leaves the system vulnerable to the security flaws the April patch was intended to fix.
## Detection
- **Indicators of compromise**: Not applicable; look for **Event ID 1001** (BugCheck) or LSASS termination errors in System Event Logs.
- **Detection methods and tools**:
  - Monitor Domain Controllers for unexpected "Stop" errors or infinite reboot cycles.
  - Check for failed authentication requests across the network forest.
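
The checks above can be combined into one triage pass over every Domain Controller in the forest. The script below is an added example, not Microsoft tooling or code from the original report; it assumes an admin workstation with the RSAT ActiveDirectory module and remote event log and WMI access to the DCs, and the parameter names and the seven-day window are illustrative.

```powershell
# Added example: flags DCs that match the affected configuration described on this page.
param(
    [string]$RegressedKb = 'KB5082063',  # April update named on this page
    [string]$FixKb       = 'KB5091575',  # listed on this page for Windows Server 2022 only;
                                         # pass the matching OOB KB for other versions
    [int]$LookbackDays   = 7             # assumption: review window for crash events
)
Import-Module ActiveDirectory

# Affected configuration: more than one domain in the forest AND PAM enabled.
$forest      = Get-ADForest
$multiDomain = $forest.Domains.Count -gt 1
$pam         = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
$pamEnabled  = [bool]($pam -and $pam.EnabledScopes.Count -gt 0)

$since = (Get-Date).AddDays(-$LookbackDays)
$dcs   = foreach ($domain in $forest.Domains) { Get-ADDomainController -Filter * -Server $domain }

$report = foreach ($dc in $dcs) {
    $row = [ordered]@{
        DC = $dc.HostName; OS = $dc.OperatingSystem; Reachable = $false
        HasRegressedKb = $null; HasFixKb = $null; BugCheck1001 = $null; AtRisk = $false
    }
    try {
        $kbs = (Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop).HotFixID
        $row.Reachable      = $true
        $row.HasRegressedKb = $kbs -contains $RegressedKb
        $row.HasFixKb       = $kbs -contains $FixKb
        # Event ID 1001 in the System log, as named in the Detection section.
        $row.BugCheck1001   = @(Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = $since }).Count
    } catch {
        # An unreachable DC may already be in the restart loop; check it from the console.
    }
    # Installed-update lists can omit superseded KBs, so treat this as a triage list only.
    $row.AtRisk = [bool]($multiDomain -and $pamEnabled -and $row.HasRegressedKb -and -not $row.HasFixKb)
    [pscustomobject]$row
}

$report | Sort-Object AtRisk, Reachable -Descending | Format-Table -AutoSize
```

DCs reported as unreachable need a console check, since a host stuck in the loop cannot answer remote queries.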
## References
- Microsoft Release Health: hxxps[://]learn[.]microsoft[.]com/en-us/windows/release-health/windows-message-center#4835
- Windows Server 2025 Status: hxxps[://]learn[.]microsoft[.]com/en-gb/windows/release-health/status-windows-server-2025#4833msgdesc
- OOB Update KB5091575: hxxps[://]support[.]microsoft[.]com/en-us/topic/april-19-2026-kb5091575-os-build-20348-5024-out-of-band-4a5a784e-e50a-4358-8093-b1654aecdbd1