May security update trips over hostnames of a very specific length
# Vulnerability: Windows Server 2016 DCLocator API Regression (May 2026 Update)
## CVE Details
- **CVE ID**: N/A (Functional Regression / Service Disruption)
- **CVSS Score**: N/A (Likely categorized as Medium impact on Availability)
- **CWE**: CWE-1284: Improper Validation of Specified Quantity (Length Validation Error)
## Affected Systems
- **Products**: Windows Server 2016
- **Versions**: OS Build 14393.9140 (After applying KB5087537)
- **Configurations**: Systems where the NetBIOS/hostname is exactly **15 characters** in length.
## Vulnerability Description
A regression introduced in the May 12, 2026 security update (KB5087537) causes the **DCLocator** process to fail if the server's hostname is exactly 15 characters long.
When an application or service calls a function to locate a domain controller (e.g., `DsGetDcName`), the system returns `ERROR_INVALID_PARAMETER`. Fifteen characters is the maximum length of a NetBIOS name, and the update appears to mishandle that boundary condition, either when a name of maximum length is handled without a null terminator or during internal buffer validation.
## Exploitation
- **Status**: Not exploited (Functional bug resulting from a patch)
- **Complexity**: Low (Triggered by standard system configuration)
- **Attack Vector**: Local / Network (Triggered by routine administrative tasks and service starts)
## Impact
- **Confidentiality**: None
- **Integrity**: None
- **Availability**: High. Critical infrastructure services, such as **Distributed File System (DFS) Namespace management**, fail to function. Administrative tools and any application requiring Domain Controller discovery are rendered inoperable.
## Remediation
### Patches
- **Official Fix**: Currently under investigation by Microsoft. No specific "fix-on-fix" patch has been released yet for KB5087537.
### Workarounds
- **Hostname Modification**: Rename the server so that its hostname is shorter than 15 characters. A longer name (DNS name) is also an option where supported, but 14 characters or fewer is the safest choice for NetBIOS compatibility.
- **Rollback**: Uninstalling KB5087537 will resolve the issue but will leave the server vulnerable to the security flaws intended to be fixed by the May update.
## Detection
- **Indicators of Compromise**: N/A (Functional bug)
- **Detection Methods**:
  - **Command Line**: Run `nltest /dsgetdc:<DomainName> /pdc`, replacing `<DomainName>` with the domain to query. If the command returns `ERROR_INVALID_PARAMETER`, the system is affected.
  - **Log Monitoring**: Check Event Viewer for errors related to "DFS Namespace" or "Domain Controller Discovery" failures following the May 12 update.
  - **Inventory**: Audit server inventory for hostnames with a string length of 15.
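
The inventory audit can be scripted by combining the three conditions listed under Affected Systems. The PowerShell below is an added example, not code from Microsoft or from the original report; the record fields (`Name`, `Caption`, `Build`, `Ubr`, `HotFixes`), both function names and the sample hosts are assumptions constructed for illustration.

```powershell
# Added example. Field names, function names and sample hosts are assumptions.
function Test-DcLocatorRegressionExposure {
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Record)
    process {
        # Inventories often hold FQDNs; only the leftmost label is the hostname.
        $short     = ($Record.Name -split '\.')[0]
        $is2016    = ($Record.Caption -like '*Server 2016*') -and ($Record.Build -eq 14393)
        $hasUpdate = ($Record.HotFixes -contains 'KB5087537') -or ($Record.Ubr -eq 9140)
        $is15      = $short.Length -eq 15
        [pscustomobject]@{
            Name     = $short
            Length   = $short.Length
            Updated  = $hasUpdate
            # All three conditions from the report are met.
            Affected = $is2016 -and $is15 -and $hasUpdate
            # Will hit the regression once KB5087537 is installed.
            AtRisk   = $is2016 -and $is15 -and -not $hasUpdate
        }
    }
}

# Builds the same record shape for the machine the script runs on.
function Get-LocalExposureRecord {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Name     = $env:COMPUTERNAME          # NetBIOS name of this host
        Caption  = $os.Caption
        Build    = [int]$os.BuildNumber
        Ubr      = $cv.UBR                    # update build revision, e.g. 9140
        HotFixes = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object HotFixID)
    }
}

# Constructed sample inventory (not real hosts).
$ws2016 = 'Microsoft Windows Server 2016 Standard'
$inventory = @(
    [pscustomobject]@{ Name='FILESRV-LON-001.corp.example'; Caption=$ws2016; Build=14393; Ubr=9140; HotFixes=@('KB5087537') }
    [pscustomobject]@{ Name='APPSRV-PAR-0002'; Caption=$ws2016; Build=14393; Ubr=8000; HotFixes=@() }
    [pscustomobject]@{ Name='SQLSRV-NYC-001'; Caption=$ws2016; Build=14393; Ubr=9140; HotFixes=@('KB5087537') }
)
$inventory | Test-DcLocatorRegressionExposure | Format-Table -AutoSize
# On a live server: Get-LocalExposureRecord | Test-DcLocatorRegressionExposure
```

In the sample, the first host is flagged `Affected`, the second is flagged `AtRisk` because its 15-character name will trigger the failure once the update is applied, and the third (14 characters) is clear.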
## References
- **Microsoft Support Advisory**: hxxps[://]support[.]microsoft[.]com/en-gb/topic/may-12-2026-kb5087537-os-build-14393-9140-2ef98591-73f0-4517-9fa0-12764b51858f
- **Microsoft Lifecycle**: hxxps[://]learn[.]microsoft[.]com/en-us/lifecycle/products/windows-server-2016