May security update trips over hostnames of a very specific length
# Vulnerability: Windows Server 2016 DCLocator API Failure (15-Character Hostname Bug)
## CVE Details
- **CVE ID:** N/A (Regressed via KB5087537)
- **CVSS Score:** N/A (Functional bug resulting from security patch)
- **CWE:** CWE-1288 (Improper Validation of Specified Quantity) / Logic Error
## Affected Systems
- **Products:** Windows Server 2016
- **Versions:** OS Build 14393.9140 (following the installation of May 12, 2026, security update KB5087537)
- **Configurations:** Systems where the NetBIOS/hostname is exactly 15 characters in length.
## Vulnerability Description
A regression introduced in the May 2026 cumulative update causes the `DCLocator` process to fail when the server's hostname matches the maximum NetBIOS character limit (15 characters). Specifically, calls to locate a Domain Controller (e.g., via `nltest /dsgetdc`) return `ERROR_INVALID_PARAMETER` (87). This prevents the OS and integrated applications from identifying or communicating with the domain infrastructure.
## Exploitation
- **Status:** Not exploited (This is a functional regression/stability issue).
- **Complexity:** N/A
- **Attack Vector:** Local (Triggered by system configuration).
## Impact
- **Confidentiality:** None.
- **Integrity:** None.
- **Availability:** **High**. Critical administrative services and applications dependent on Domain Controller discovery, such as Distributed File System (DFS) Namespace management, become unavailable or non-functional.
## Remediation
### Patches
- As of the report date, a formal fix is **under investigation** by Microsoft. Users are advised to monitor official support channels for an out-of-band (OOB) update or a fix in the June 2026 cycle.
### Workarounds
- **Rename Hostname:** Change the server hostname so that it is not exactly 15 characters long: either shorter (e.g., 14 characters) or longer (16+ characters if using DNS-only labels, though the NetBIOS name will remain truncated).
- **Uninstall Update:** (Not Recommended) Removing KB5087537 restores functionality but leaves the system vulnerable to the security flaws addressed in the May 2026 update.
## Detection
- **Indicators of Compromise:** N/A (Operational failure).
- **Detection Methods and Tools:**
  - Run the command: `nltest /dsgetdc:/pdc` or `nltest /dsgetdc:<DomainName>`.
  - If the server has a 15-character name, the command will return `ERROR_INVALID_PARAMETER`.
  - Monitor Event Logs for Directory Service discovery failures or DFS Namespace management errors.
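
The checks above can be combined into one triage script to run on each Windows Server 2016 host. This is an added example, not Microsoft's or the report's own code; the function name `Test-DcLocatorRegression` and the output field names are hypothetical.

```powershell
# Added example: triage a host for the 15-character hostname DCLocator regression.
# Test-DcLocatorRegression is a hypothetical helper name, not a built-in cmdlet.
function Test-DcLocatorRegression {
    [CmdletBinding()]
    param(
        # Domain to locate a DC for; defaults to the domain this machine is joined to.
        [string]$DomainName = (Get-CimInstance Win32_ComputerSystem).Domain
    )

    # NetBIOS name (capped at 15 characters) and the DNS host label can differ,
    # so report both lengths rather than guessing which one the caller cares about.
    $netbios = $env:COMPUTERNAME
    $dnsHost = [System.Net.Dns]::GetHostName()

    # Build string as major.UBR, e.g. 14393.9140 after the May 12, 2026 update.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

    # Get-HotFix can miss updates superseded by a later cumulative update,
    # so a $false here is a hint only; compare with OsBuild.
    $kb = Get-HotFix -Id 'KB5087537' -ErrorAction SilentlyContinue

    # Same check the report describes: ask DCLocator for a DC and capture the text.
    $out    = (& nltest.exe "/dsgetdc:$DomainName" 2>&1 | Out-String).Trim()
    $failed = $out -match 'ERROR_INVALID_PARAMETER'

    [pscustomobject]@{
        NetBiosName     = $netbios
        NetBiosLength   = $netbios.Length
        DnsHostName     = $dnsHost
        DnsHostLength   = $dnsHost.Length
        OsBuild         = $build
        KbInstalled     = [bool]$kb
        DcLocatorFailed = $failed
        # Flag only when the name condition and the observed failure coincide.
        LikelyAffected  = (($netbios.Length -eq 15) -or ($dnsHost.Length -eq 15)) -and $failed
        NltestOutput    = $out
    }
}

Test-DcLocatorRegression | Format-List
```

A host that reports `DcLocatorFailed` without a 15-character name is failing for some other reason and should be investigated separately.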
## References
- Microsoft Support KB5087537: hxxps[://]support[.]microsoft[.]com/en-gb/topic/may-12-2026-kb5087537-os-build-14393-9140-2ef98591-73f0-4517-9fa0-12764b51858f
- Microsoft Lifecycle - Windows Server 2016: hxxps[://]learn[.]microsoft[.]com/en-us/lifecycle/products/windows-server-2016