Share
## https://sploitus.com/exploit?id=393A755A-8E32-59DA-B6AC-2DE1A68B3BB0
# LongLogon · CVE-2026-41089

[![CVE-2026-41089 · NVD](https://img.shields.io/badge/CVE--2026--41089-NVD-1f6feb?style=flat-square&labelColor=24292f)](https://nvd.nist.gov/vuln/detail/CVE-2026-41089)
[![MSRC advisory](https://img.shields.io/badge/MSRC-advisory-005a9e?style=flat-square&labelColor=24292f)](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089)
![CVSS 3.1 9.8](https://img.shields.io/badge/CVSS_3.1-9.8-d11a2a?style=flat-square&labelColor=24292f)
![CWE-121 stack buffer overflow](https://img.shields.io/badge/CWE--121-stack_buffer_overflow-f08c00?style=flat-square&labelColor=24292f)

![checker · non-destructive](https://img.shields.io/badge/checker-non--destructive-2ea043?style=flat-square&labelColor=24292f)
![unauthenticated · pre-auth](https://img.shields.io/badge/vector-unauthenticated-1AA0AE?style=flat-square&labelColor=24292f)
[![run with uv](https://img.shields.io/badge/run-uv-261230?style=flat-square&labelColor=24292f)](https://docs.astral.sh/uv/)
![MIT license](https://img.shields.io/badge/license-MIT-3fb950?style=flat-square&labelColor=24292f)

> **LongLogon** is an unauthenticated, non-destructive **precondition checker** for
> **CVE-2026-41089**, a pre-auth stack buffer overflow in the Windows **Netlogon**
> service. With no credentials, and without sending the overflow, it reports whether
> a domain controller's DNS domain name is long enough for the bug to crash it.

![LongLogon checking a domain controller](assets/longlogon.gif)

## What CVE-2026-41089 is

A stack-based buffer overflow (CWE-121, CVSS 9.8) in the Netlogon DC-locator path
`NlGetLocalPingResponse` → `BuildSamLogonResponse` → `NetpLogonPutUnicodeString`.
Answering a CLDAP or MAILSLOT ping, the DC serializes its own forest, domain, and
host names plus a small attacker-controlled string into a fixed **528-byte stack
buffer** (`ushort local_258[264]`), with the stack cookie immediately after it. When
the **server's own DNS names are long enough**, the cumulative write reaches the
buffer end, the trailing `L'\0'` terminator overruns the cookie, `__report_gsfailure`
fires, and `lsass.exe` dies with `STATUS_STACK_BUFFER_OVERRUN` (`0xc0000409`). The
domain controller reboots. Unauthenticated, one UDP packet.

Where **Zerologon** (CVE-2020-1472) abused an all-**zero** challenge, **LongLogon**
abuses a pathologically **long** domain name.

## What this tool checks, and what it does not

`longlogon.py` is **non-destructive**. It sends benign CLDAP pings with a minimal
`User` field, measures the legacy-builder response, and reports whether the
**overflow precondition** holds: whether this DC's domain is long enough that an
*unpatched* DC would crash.

It does **not**:

- send the overflow or crash anything, and
- determine **patch state**. A patched DC takes the *identical* code path and refuses
  the over-long write, so you cannot tell patched from unpatched over the wire on a
  normally-named DC.

Knowing which of your DCs are actually patched needs a credentialed (admin) version
check across the fleet. That is the kind of thing ADscan automates in an engagement
(see below).

## Why almost every real DC is safe

The only attacker-controlled bytes that reach the buffer come from the CLDAP `User`
filter, bounded to **130 wide chars**, far short of the 528-byte buffer on their own.
The bytes that carry the cursor onto the cookie are the **server's own names**, which
the attacker does not control. A default-named DC (`corp.local`) cannot be crashed.
That is why Microsoft rates it **"Exploitation Less Likely."** In a lab, the minimum
DNS domain length to crash Windows Server 2016 (with a 7-char host name) was
**98 characters**.

## Usage

With [uv](https://docs.astral.sh/uv/), zero setup. Dependencies are declared inline
(PEP 723), so this auto-installs `rich` in an ephemeral environment:

```bash
uv run longlogon.py  
```

Or with pip:

```bash
pip install rich
python3 longlogon.py  
```

The DNS domain must match what the DC serves. It is not secret: rootDSE, reverse DNS,
and CLDAP itself all reveal it. The output is a precondition verdict plus the
per-field buffer-fill math.

**NtVer routing matters.** The vulnerable legacy `BuildSamLogonResponse` is only
reached when `(NtVer & 0xc) == 0` and `(NtVer & 0x2) != 0`. Public exploit attempts
that send `NtVer=0x16` or `0x06` set bit 2 (`0x4`) and hit the bounded-safe
`BuildSamLogonResponseEx`, so they never trigger the bug. LongLogon uses `0x02`.

## Affected builds

Unpatched Windows Server domain controllers, 2012 R2 through 2025. First patched
builds:

| Windows Server | First patched build |
| :--- | :--- |
| 2016 | `10.0.14393.9140` |
| 2019 | `10.0.17763.8755` |
| 2022 | `10.0.20348.5074` |
| 2022 23H2 | `10.0.25398.2330` |
| 2025 | `10.0.26100.32772` |

## Responsible use

For **authorized** security research and defensive validation only. This repository
ships the **non-destructive precondition checker**, not a weaponized crasher, for an
actively-exploited, wormable CVE. Patch your domain controllers.

## Take it further

- **Full research write-up:** how the bug was located by patch-diffing, the exact
  buffer mechanics, and why the public PoCs do not fire.
  https://adscanpro.com/blog/patch-diffing-cve-2026-41089-netlogon
- **ADscan LITE** (free, open source): Active Directory pentesting from one terminal.
  Enumeration, BloodHound collection, Kerberoasting, ADCS, attack paths, evidence.
  https://github.com/ADScanPro/adscan
- **ADscan PRO:** the same kill-chain automation for teams running AD engagements.
  https://adscanpro.com/pro

---

Research by Yeray Martín Domínguez · ADscan · CVE-2026-41089 · Netlogon ·
Active Directory · domain controller · stack buffer overflow · CLDAP ·
unauthenticated · pre-auth · proof of concept