May 14, 2024— KB5037848 (OS Build 20348.2458)

2024-05-1407:00:00

Microsoft

support.microsoft.com

101

security update

nsec3 validation

dns server

domain controllers

ntlm authentication

windows update

microsoft update catalog

wsus

cumulative update

servicing stack update

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

0.008 Low

EPSS

Percentile

81.1%

Improvements and fixes

This security update includes quality improvements. When you install this KB:

This update affects next secure record 3 (NSEC3) validation in a recursive resolver. Its limit is now 1,000 computations. One computation is equal to the validation of one label with one iteration. DNS Server Administrators can change the default number of computations. To do this, use the registry setting below.
- Name: \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\MaxComputationForNsec3Validation
- Type: DWORD
- Default: 1000
- Max: 600
- Min: 1
This update addresses an issue that might affect domain controllers (DC). NTLM authentication traffic might increase.
If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.

Before installing this updateMicrosoft now combines the latest servicing stack update (SSU) for your operating system with the hotpatch update. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update or Windows Server Update Services (WSUS), the latest SSU will be installed with this update.Install this updateRelease Channel	Available	Next Step
Windows Update	Yes	None. This update will be downloaded and installed automatically from Windows Update.
Microsoft Update Catalog	No	To get the standalone package for this update, go to the Microsoft Update Catalog website.
Windows Server Update Services (WSUS)	Yes	This update will automatically sync with WSUS if you configure Products and Classifications as follows:Product: Windows Server 2022 Datacenter: Azure Edition HotpatchClassification: Security Updates
File informationFor a list of the files that are provided in this update, download the file information for cumulative update 5037848.For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 20348.2461.