Windows Server: Fix for (Kerberos) LSASS memory leak through March 2024 updates

[German] On March 22, 2024, Microsoft released a special update with a fix for Windows Server that eliminates an LSASS memory leak caused by the March 2024 updates. I had reported here in the blog that on some systems Kerberos requests on domain controllers fill up the memory. The servers then experience performance problems or even fail and have to be restarted sporadically. This problem is to be resolved by the special updates for both local and cloud-based Active Directory DCs. There is no fix for Windows Server 2019 yet. Addendum: The fix for Server 2019 has been available since March 25, 2024.



Note and confirmation of the problem

I had reported the problem in the blog post Windows Server: March 2024 update causes LSASS memory leak on DCs because there were corresponding user reports in the blog. Since the March 2024 security update from March 12, 2024 was installed on Windows Server systems, various users have been experiencing problems. A memory leak in LSASS leads to performance problems on domain controllers (DC) on all Windows Server variants after some time. Strangely enough, this effect was not observed on all systems, as users reported.

Microsoft then confirmed this bug on March 20, 2024 in the Known Issues section of Windows Server. Microsoft stated at the time that a memory leak could occur in the Local Security Authority Subsystem Service (LSASS) on domain controllers (DCs) after installing the March 12, 2024 security updates. The leak occurs when local and cloud-based Active Directory domain controllers serve Kerberos authentication requests.

The memory leak can become so extreme that it causes LSASS to crash, triggering an unplanned reboot of the underlying domain controllers (DCs). According to Microsoft, it only affects environments in organizations using Windows Server platforms with the following Windows variants.

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2

Microsoft stated in the support article that the cause has now been identified and the developers are working on a solution "which should be released in the next few days".

Microsoft provides a fix

As of March 22, 2024, Microsoft has expanded the support article Issue with Kerberos requests on domain controllers may cause LSASS memory leaks in the Known Issues section for various Windows Server versions to report the problem as "fixed". The memory leak will be fixed by special updates that are only available via Microsoft Update Catalog. For Windows Server 2022 it says:



This issue has been fixed with the out-of-band (OOB) update KB5037422, which is only available via Microsoft Update Catalog.

Microsoft strongly recommends that administrators do not apply the March 12, 2024 security update to Windows servers acting as domain controllers (DC). Instead, administrators should apply the special update published on March 22, 2024 via the Microsoft Update Catalog. As this is a cumulative update, the security update from March 12, 2024 or an earlier update does not need to be installed. At the time of writing this blog post, Microsoft has released the following special updates:

With the exception of Windows Server 2019, a fix for the memory leak is therefore available. Addendum: The fix for Windows Server 2019 has been available in the Microsoft Update Catalog since March 25, 2024.

To receive the out-of-band update from March 22, 2024 (or later for Windows Server 2019), Microsoft says to search for the relevant package (Out-of-Band Update, OOB) in the Microsoft Update Catalog. The OOB update can then be installed manually or imported and rolled out in Windows Server Update Services (WSUS) and Configuration Manager. Instructions on how to import the special update into WSUS can be found, for example, in the support article WSUS and the Microsoft Update Catalog.
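A check an administrator could run on each server while rolling out the OOB update, as an added example that is not from the original post or from Microsoft: it reports whether the machine is a domain controller, whether an OOB KB that appears on this page is installed, and how fast lsass.exe private memory is growing. The function names, the sampling interval and the 100 MB/hour alert threshold are assumptions.

```powershell
# Added example (not from the article or Microsoft). Run elevated on the server itself.
# KB numbers are the ones that appear on this page; add other OS versions from the Update Catalog.
$OobFixByOs = @{
    'Windows Server 2022' = 'KB5037422'   # quoted in the article
    'Windows Server 2016' = 'KB5037423'   # named in a reader comment
    'Windows Server 2019' = 'KB5037425'   # from the support URL in a reader comment
}

function Test-OobFixInstalled {
    # $true/$false if a fix KB is known for this OS caption, $null if the map has no entry.
    param([string]$Caption, [string[]]$InstalledKbs, [hashtable]$FixMap = $OobFixByOs)
    foreach ($os in $FixMap.Keys) {
        if ($Caption -like "*$os*") { return ($InstalledKbs -contains $FixMap[$os]) }
    }
    return $null
}

function Get-LsassGrowthMBPerHour {
    # Samples lsass.exe private bytes and returns the average growth rate in MB/hour.
    param([int]$Samples = 4, [int]$IntervalSeconds = 300)
    $points = @(for ($i = 0; $i -lt $Samples; $i++) {
        $proc = Get-Process -Name lsass -ErrorAction Stop
        [pscustomobject]@{ Time = Get-Date; PrivateMB = $proc.PrivateMemorySize64 / 1MB }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    })
    $hours = ($points[-1].Time - $points[0].Time).TotalHours
    if ($hours -le 0) { return 0 }   # a single sample has no slope
    return [math]::Round(($points[-1].PrivateMB - $points[0].PrivateMB) / $hours, 1)
}

$AlertMBPerHour = 100   # assumed threshold; tune against a known-good DC baseline
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isDc = ($os.ProductType -eq 2)   # Win32_OperatingSystem.ProductType 2 = domain controller
$growth = Get-LsassGrowthMBPerHour
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    OS              = $os.Caption
    IsDomainCtrl    = $isDc
    OobFixInstalled = Test-OobFixInstalled -Caption $os.Caption -InstalledKbs @((Get-HotFix).HotFixID)
    LsassMBPerHour  = $growth
    LeakSuspected   = ($isDc -and $growth -gt $AlertMBPerHour)
}
```

A later cumulative update supersedes the OOB package, so `OobFixInstalled = False` on a server patched after March 2024 should be checked against the installed OS build rather than taken as missing the fix.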

Similar articles:
Microsoft Security Update Summary (March 12, 2024)
Patchday: Windows 10-Updates (March 12, 2024)
Patchday: Windows 11/Server 2022-Updates (March 12, 2024)
Windows Server 2012 / R2 and Windows 7 (March 12, 2024)
Windows 10/Server 2019: Update KB5035849 fails with error 0xd0000034
Windows Server: March 2024 update causes LSASS memory leak on DCs



5 Responses to Windows Server: Fix for (Kerberos) LSASS memory leak through March 2024 updates

  1. msfis says:

    Our PME also shows the update "2024-03 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5037423)[Out-of-Band]" for, e.g., Server 2016 systems that do not have the domain controller role. Has anyone already installed it? What is the recommendation here?

    • guenni says:

      A question in German belongs in the German-language blog; it is linked at the beginning of the article.

  2. Dean says:

    Hi. Microsoft has released an out-of-band patch for Windows Server 2019 as well (KB503742).
    https://support.microsoft.com/en-gb/help/5037425

  3. anond says:

    Server 2016, OOB KB5037423 installed fine. lsass.exe chewing up 20+ GB of memory and had to hard bounce the server. Any thoughts? Anyone else?
