Dr. Christopher Kunz3d ago
So CVE-2026-41089 (CVSS 9.8) in Windows Netlogon can be triggered by sending a username that is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA or longer.
How original.
Show threadWill Dormann1d ago
@christopherkunz
Reference?
Show threadDr. Christopher Kunz1d ago
@wdormann https://github.com/0xABCD01/CVE-2026-41089/blob/main/poc.py#L234
CVE-2026-41089/poc.py at main · 0xABCD01/CVE-2026-41089

CVE-2026-41089 PoC — Netlogon CLDAP stack buffer overflow (CVSS 9.8 CRITICAL) - 0xABCD01/CVE-2026-41089

GitHub
Show threadWill Dormann16h ago

@christopherkunz
Ah, so you've confirmed that it works?
With AI and clout seeking these days, we've long passed the "PoC exists on Github" thing having any meaning whatsoever. 😂

Personally, I couldn't get that one to do anything.

Show threadDr. Christopher Kunz16h ago
@wdormann https://chaos.social/@christopherkunz/116676523296824499
Show threadWill Dormann16h ago
@christopherkunz
Yeah, I've seen what it claims to do.
But either they are hand-waving over a critical requirement of what it takes to repro, or it's fake.
Show threadDr. Christopher Kunz16h ago
@wdormann This writeup *seems* to make sense, were it not for the magic two letters in the TLD: https://aretiq.ai/research/vul260513-cve-2026-41089-microsoft-windows-netlogon-buildsamlogonresponse-stack-based-buffer-overflow-rce/
CVE-2026-41089 — Microsoft Windows Netlogon BuildSamLogonResponse Stack-based Buffer Overflow RCE

1. Overview A stack-based buffer overflow vulnerability exists in the Windows Netlogon service’s DC locator ping response handler. When a domain controller processes a CLDAP search request, it serializes response data including attacker-supplied and server-side strings into a fixed-size stack buffer without adequate bounds checking. An unauthenticated remote attacker can send a single crafted CLDAP packet to a domain controller’s UDP port 389, causing the Netlogon service to crash the LSASS process and force the domain controller to reboot. The exploitability depends on the target domain controller’s DNS naming configuration — domain controllers with longer DNS domain names and hostnames are vulnerable. Microsoft addressed this vulnerability in the May 2026 security update.

Aretiq AI
Show threadWill Dormann16h ago

@christopherkunz
😂

I miss the days when things like this were written by humans, using logic and facts. As opposed to statistically plausible slop.

Show threadDr. Christopher Kunz16h ago
@wdormann From what I read in the writeup (and the sparse other sources), you need a long enough DNS name on the victim host to trigger the overflow. I think 54 chars or more? This github has a possible explanation why the PoC fails under most normal conditions: https://github.com/ADScanPro/CVE-2026-41089-LongLogon
GitHub - ADScanPro/CVE-2026-41089-LongLogon: CVE-2026-41089 checker: unauthenticated, non-destructive detection for the Netlogon CLDAP stack buffer overflow (CVSS 9.8). Reports whether a domain controller's domain is long enough to crash, without sending the overflow. The binary-verified analysis the public PoCs got wrong.

CVE-2026-41089 checker: unauthenticated, non-destructive detection for the Netlogon CLDAP stack buffer overflow (CVSS 9.8). Reports whether a domain controller's domain is long enough to crash,...

GitHub
Show threadWill Dormann15h ago
@christopherkunz
Yes, my test environments (unpatched Server 2016, 2022, and 2025) all had a maximum DNS suffix of 64 chars. (Longer isn't allowed)
tehfishman14h ago
Show threadWill Dormann

@christopherkunz
I also tested another PoC and it was even more fake. i.e. it didn't even create a CLDAP structure that made sense.

I get that PoC||GTFO is a thing, but we've clearly entered a phase where it needs to be Verified PoC||GTFO. 🤦‍♂️

1:31pmWeb
Show threadDr. Christopher Kunz14h ago
@wdormann Of all the writeups, I think I like this one best, especially with it having a human name in the byline: https://adscanpro.com/blog/patch-diffing-cve-2026-41089-netlogon
"read advisories carefully before deciding how to allocate research time." made me chuckle.
Patch Diffing CVE-2026-41089: Locating the Netlogon Bug in 4 Hours Without a Public PoC

Walkthrough of how to bindiff a Patch Tuesday Windows CVE end-to-end — from MSU acquisition to function-level bug identification. CVE-2026-41089 (Netlogon pre-auth RCE) as the running example. Methodology, tooling, and the honest limits of trigger development without weeks of exploit engineering.

Show threadcR0w14h ago
@christopherkunz @wdormann Here's a new one to take a look at. I haven't gone through it and can't vouch for its legitimacy, but y'all know what you're doing more than I do anyway: https://github.com/Vanquishermacdetach/CVE-2026-41089-509
GitHub - Vanquishermacdetach/CVE-2026-41089-509: CVE-2026-41089 PoC — Netlogon CLDAP stack buffer overflow (CVSS 9.8 CRITICAL)

CVE-2026-41089 PoC — Netlogon CLDAP stack buffer overflow (CVSS 9.8 CRITICAL) - Vanquishermacdetach/CVE-2026-41089-509

GitHub
Show threadDr. Christopher Kunz14h ago
@cR0w @wdormann Yeahhh.... so that one looks fishy. It seems to be a fork of the earlier one, but added a setup.py which seems to do slightly weird stuff.
Show threadcR0w14h ago
@christopherkunz @wdormann Nice. So it's only been published for ten minutes and already debunked. LMAO.
Show threadDr. Christopher Kunz14h ago
@cR0w @wdormann How many 🚩 do you need? "Some security systems may block the installation. If the setup does not start, add the folder to the allowed list or pause protection for a few minutes." Yeahhhh right.
Show threadDr. Christopher Kunz14h ago
@cR0w @wdormann How many 🚩 do you need? "Some security systems may block the installation. If the setup does not start, add the folder to the allowed list or pause protection for a few minutes." Yeahhhh right.
Show threadKevin Beaumont14h ago
@cR0w @christopherkunz @wdormann fake, tries running powershell 😂
Show threadWill Dormann14h ago
@cR0w @christopherkunz
I'm going to go out on a limb here...
Show threadcR0w14h ago
@wdormann @christopherkunz Guess I should have actually looked. I came across it while looking for something else and it was published "3 minutes ago" so I figured I'd share. Didn't expect it to be that bad this long after the CVE was published.
Show threadButtered Jorts14h ago
@cR0w @wdormann @christopherkunz maybe I should go write crap POCs, doesn't seem like it's a barrier to success ;)
Show threadWill Dormann14h ago
@cR0w @christopherkunz
Every PoC on GitHub these days needs to be assumed fake until proven otherwise.
Show threadMarius (windsheep)9h ago
@wdormann @cR0w @christopherkunz scape was here
Show threadDr. Christopher Kunz14h ago
@wdormann @cR0w We, as a community, should be more welcoming to new members, especially those who possess the ability to produce a reliable PoC for a high profile, hard to exploit vuln!
Their other repo looks promising, too: rkpzcqwj
/s for good measure