CVE-2026-41089: Public PoC, Active Exploit Analysis, and Windows Netlogon Risk
A working PoC for CVE-2026-41089 appeared on GitHub within 24 hours of Microsoft's May 12 disclosure. Active exploitation in the wild was confirmed 20 days later. This part covers how the public exploit operates, what in-the-wild activity looks like, and the compounding risk this vulnerability creates across Windows Netlogon and Active Directory environments.
From Patch Tuesday to Public PoC: A 24-Hour Window
Microsoft disclosed CVE-2026-41089 on May 12, 2026, as part of the May Patch Tuesday release covering 118 vulnerabilities. The initial advisory rated exploitation as "less likely." That assessment did not hold.
- May 12, 2026 (Patch Tuesday): Microsoft releases the patch. Aretiq AI performs patch-diff analysis and publishes a detailed write-up within hours of the release.
- Within 24 hours: A public PoC appears on GitHub (0xABCD01/CVE-2026-41089). Python 3.8+, no third-party dependencies, MIT license. Independently, Aretiq AI releases its own enterprise-verified PoC using pyasn1. The 0patch blog publishes micropatch analysis with root cause commentary.
- June 1, 2026 (day 20): The Centre for Cybersecurity Belgium (CCB) publicly confirms active exploitation in the wild, singling out CVE-2026-41089 from the May Patch Tuesday advisory for an active exploitation warning. No specific actor or campaign details are disclosed at time of writing.
- June 2, 2026 (time of writing): Exploitation confirmed ongoing. Microsoft's original "less likely" assessment is now formally obsolete. No public attribution to specific threat actors.
Public PoC: What It Does
Two independent PoC implementations are publicly available. Neither requires special tooling, credentials, or a pre-established foothold. Both target the same root condition: an oversized username attribute in a crafted CLDAP search request that overflows a 528-byte stack buffer in netlogon.dll.
Prerequisites for a Reliable Crash
| Condition | Required? | Notes |
|---|---|---|
| Target is an Active Directory Domain Controller | Yes | CLDAP response handler only active in DC role |
| UDP port 389 reachable from attacker | Yes | No TCP handshake required - any network path to UDP 389 works |
| Target is unpatched (pre-May 2026 Patch Tuesday) | Yes | Patched builds do not expose the vulnerable code path |
| DNS domain name ≥ ~50 characters | Conditional | Required for reliable crash; short names may not reach overflow threshold |
| Authentication / credentials | None | Fully pre-authentication |
| User interaction on target | None | Passive exploitation - DC processes the packet automatically |
How the PoC Operates - Step by Step
The attack proceeds in four logical stages. The PoC automates all of them in a single command.
| Stage | What Happens | Purpose |
|---|---|---|
| 1. Liveness probe | Sends a well-formed CLDAP ping with a normal-length username to UDP 389 on the target DC | Confirms the DC is alive and responding; establishes a baseline before the attack |
| 2. Overflow packet | Sends a crafted CLDAP SearchRequest against rootDSE with NtVer=0x02000000 and a 130-character username field. The NtVer value routes the request through the legacy BuildSamLogonResponse path instead of the bounds-aware BuildSamLogonResponseEx path; the long username supplies the bytes that overflow it | The combined response data (DC information, domain name, username) exceeds 528 bytes, overflowing the stack buffer and tripping the GS cookie check |
| 3. Crash confirmation | Waits a configurable delay (~3 seconds), then sends another liveness ping | No response means LSASS has crashed; the DC reboots within ~60 seconds |
| 4. Verification (optional) | Reads the target's Application event log for Event ID 1000 with faulting application lsass.exe, faulting module netlogon.DLL and exception code 0xc0000409. Unlike stages 1-3, this needs an account that can read the DC's event log, so it is a convenience for the operator rather than part of the pre-auth attack path | Confirms the crash was caused by the overflow, not an unrelated LSASS event |
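The stage 4 check is also the defender's first confirmation signal, so it is worth having it in script form. The following is an added example, not code from the original page or from either PoC author: it parses Application event log records in the XML shape that `wevtutil qe Application /f:xml` (or `Get-WinEvent` followed by `.ToXml()`) emits, keeps the Event ID 1000 records that match the lsass.exe / netlogon.DLL / 0xc0000409 signature, and counts how many land inside a sliding window so that a DC being crashed repeatedly stands out. The positional order of the unnamed `<Data>` elements in Event 1000 is an assumption taken from typical Application Error records; the sample records, hostnames, timestamps and version strings are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Positional <Data> layout of Application Error / Event ID 1000 (assumption from typical records):
# 0 app name, 1 app version, 2 app timestamp, 3 module name, 4 module version,
# 5 module timestamp, 6 exception code, 7 fault offset, ...
APP, MODULE, EXCEPTION = 0, 3, 6

# Constructed sample. wevtutil prints bare <Event> elements one after another;
# they are wrapped in a single <Events> root here so ElementTree can parse them.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Application Error"/><EventID>1000</EventID>
  <TimeCreated SystemTime="2026-06-01T10:15:03.5000000Z"/><Computer>DC01.corp.example.test</Computer></System>
 <EventData><Data>lsass.exe</Data><Data>10.0.0.0</Data><Data>0x00000000</Data>
  <Data>netlogon.DLL</Data><Data>10.0.0.0</Data><Data>0x00000000</Data>
  <Data>0xc0000409</Data><Data>0x0000000000000000</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Application Error"/><EventID>1000</EventID>
  <TimeCreated SystemTime="2026-06-01T10:16:10.0000000Z"/><Computer>DC01.corp.example.test</Computer></System>
 <EventData><Data>spoolsv.exe</Data><Data>10.0.0.0</Data><Data>0x00000000</Data>
  <Data>ntdll.dll</Data><Data>10.0.0.0</Data><Data>0x00000000</Data>
  <Data>0xc0000005</Data><Data>0x0000000000000000</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Windows Error Reporting"/><EventID>1001</EventID>
  <TimeCreated SystemTime="2026-06-01T10:16:12.0000000Z"/><Computer>DC01.corp.example.test</Computer></System>
 <EventData><Data>0</Data><Data>APPCRASH</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Application Error"/><EventID>1000</EventID>
  <TimeCreated SystemTime="2026-06-01T10:17:40.0000000Z"/><Computer>DC01.corp.example.test</Computer></System>
 <EventData><Data>lsass.exe</Data><Data>10.0.0.0</Data><Data>0x00000000</Data>
  <Data>netlogon.DLL</Data><Data>10.0.0.0</Data><Data>0x00000000</Data>
  <Data>0xc0000409</Data><Data>0x0000000000000000</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text: str):
    """Yield one dict per <Event>: provider, event id, UTC time, computer and the raw Data list."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime", "")
        yield {
            "provider": system.find("e:Provider", NS).get("Name", ""),
            "event_id": int(system.findtext("e:EventID", default="0", namespaces=NS)),
            # SystemTime carries 7 fractional digits and a Z; the first 19 chars are enough here
            "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
            "computer": system.findtext("e:Computer", default="", namespaces=NS),
            "data": [d.text or "" for d in ev.findall("e:EventData/e:Data", NS)],
        }


def is_netlogon_crash(event: dict) -> bool:
    """The signature from the write-up: Event 1000, lsass.exe faulting in netlogon.DLL with 0xc0000409."""
    data = event["data"]
    if event["provider"] != "Application Error" or event["event_id"] != 1000 or len(data) <= EXCEPTION:
        return False
    return (data[APP].lower() == "lsass.exe"
            and data[MODULE].lower() == "netlogon.dll"
            and data[EXCEPTION].lower() == "0xc0000409")


def find_netlogon_crashes(xml_text: str):
    """Matching events sorted by time."""
    return sorted((e for e in parse_events(xml_text) if is_netlogon_crash(e)), key=lambda e: e["time"])


def max_crashes_in_window(crashes, window_minutes: int) -> int:
    """Largest number of matching crashes inside any window_minutes span (sliding window)."""
    times = sorted(c["time"] for c in crashes)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > timedelta(minutes=window_minutes):
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    hits = find_netlogon_crashes(SAMPLE_XML)
    for h in hits:
        print(h["time"], h["computer"], h["data"][APP], h["data"][MODULE], h["data"][EXCEPTION])
    print("max crashes in 10 min:", max_crashes_in_window(hits, 10))
```

On a real DC, replace `SAMPLE_XML` with the output of `wevtutil qe Application /q:"*[System[EventID=1000]]" /f:xml` wrapped in a root element. One 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN) fault in netlogon.DLL is already worth escalating on an unpatched DC; two or more inside a few minutes is the repeated-crash pattern the write-up describes.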
The Forcing Function: BuildSamLogonResponse vs. BuildSamLogonResponseEx
The critical design detail in the exploit is the NtVer field manipulation. The CLDAP DC locator has two response-building code paths:

- BuildSamLogonResponseEx - the modern path, used for current NtVer values. Bounds-aware.
- BuildSamLogonResponse - the legacy path, triggered by specific older NtVer values. Uses the vulnerable 528-byte fixed stack buffer without length validation.

The PoC sets NtVer=0x02000000 precisely to force the legacy path. This is not a brute-force overflow: it is a targeted trigger of a specific, known-vulnerable code branch that activates only because the attacker controls the version field of the incoming CLDAP request.
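Because the path selection happens inside the LDAP filter of the ping, the same BER structure has to be understood both to send the stage 1 liveness probe and to inspect traffic for the trigger described above. The following is an added example (not the 0xABCD01 or Aretiq AI PoC, and not code from the original page): a stdlib-only encoder for the well-formed LDAP ping, a matching decoder that walks the filter and pulls out the DnsDomain, NtVer and User values, and a classifier that flags the combination the write-up attributes to the overflow packet (NtVer=0x02000000 together with an oversized username). It assumes the MS-ADTS filter attribute names (DnsDomain, NtVer, User) and that NtVer is carried as a little-endian DWORD; the 64-byte username threshold and the domain and host names are assumptions, and the second datagram is constructed test input for the classifier, not a packet taken from either PoC.

```python
import struct

# BER/LDAP tags used by the CLDAP ping (an LDAPMessage carried in a bare UDP datagram)
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
TAG_ENUMERATED, TAG_BOOLEAN = 0x0A, 0x01
TAG_SEARCH_REQUEST = 0x63                   # [APPLICATION 3], constructed
TAG_AND, TAG_OR, TAG_NOT, TAG_EQ = 0xA0, 0xA1, 0xA2, 0xA3   # LDAP filter choices (implicit tags)

LEGACY_NTVER = 0x02000000   # NtVer value the write-up says selects BuildSamLogonResponse
USER_LEN_SUSPECT = 64       # assumption: a genuine locator ping carries a short account name


def ber_len(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, 0x8N plus N big-endian bytes above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    # one extra byte whenever the high bit would be set keeps the INTEGER positive
    return tlv(TAG_INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def equality(attr: str, value: bytes) -> bytes:
    """equalityMatch [3] AttributeValueAssertion: attr and value as two OCTET STRINGs."""
    return tlv(TAG_EQ, tlv(TAG_OCTET_STRING, attr.encode()) + tlv(TAG_OCTET_STRING, value))


def build_cldap_ping(msg_id: int, dns_domain: str, ntver: int, user: str) -> bytes:
    """LDAP ping: base-scope SearchRequest on rootDSE asking for the Netlogon attribute."""
    flt = tlv(TAG_AND, equality("DnsDomain", dns_domain.encode())
                        + equality("NtVer", struct.pack("<I", ntver))   # little-endian DWORD (assumption)
                        + equality("User", user.encode()))
    search = tlv(TAG_SEARCH_REQUEST,
                 tlv(TAG_OCTET_STRING, b"")          # baseObject: "" (rootDSE)
                 + tlv(TAG_ENUMERATED, b"\x00")      # scope: baseObject
                 + tlv(TAG_ENUMERATED, b"\x00")      # derefAliases: neverDerefAliases
                 + ber_int(0) + ber_int(0)           # sizeLimit, timeLimit
                 + tlv(TAG_BOOLEAN, b"\x00")         # typesOnly: FALSE
                 + flt
                 + tlv(TAG_SEQUENCE, tlv(TAG_OCTET_STRING, b"Netlogon")))
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + search)


def read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val


def collect_equality_matches(elements, out: dict) -> None:
    """Walk and/or/not filters recursively, recording attr -> raw value for every equalityMatch."""
    for tag, val in elements:
        if tag in (TAG_AND, TAG_OR, TAG_NOT):
            collect_equality_matches(iter_tlvs(val), out)
        elif tag == TAG_EQ:
            attr, value = [v for _, v in iter_tlvs(val)]
            out[attr.decode("utf-8", "replace")] = value


def inspect_cldap_request(datagram: bytes):
    """Locator-relevant fields of a CLDAP SearchRequest; None for any other protocolOp."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    (_, msg_id), (op_tag, op) = list(iter_tlvs(msg))[:2]
    if op_tag != TAG_SEARCH_REQUEST:
        return None
    fields = list(iter_tlvs(op))   # base, scope, deref, sizeLimit, timeLimit, typesOnly, filter, attrs
    matches = {}
    collect_equality_matches([fields[6]], matches)
    ntver_raw = matches.get("NtVer", b"")
    return {
        "msg_id": int.from_bytes(msg_id, "big"),
        "dns_domain": matches.get("DnsDomain", b"").decode("utf-8", "replace"),
        "ntver": int.from_bytes(ntver_raw, "little") if len(ntver_raw) == 4 else None,
        "user_len": len(matches.get("User", b"")),
    }


def classify(info) -> str:
    """'suspicious' only for the legacy NtVer paired with an oversized username."""
    if info is None:
        return "not-a-search"
    if info["ntver"] == LEGACY_NTVER:
        return "suspicious" if info["user_len"] >= USER_LEN_SUSPECT else "legacy-ntver"
    return "benign"


if __name__ == "__main__":
    probe = build_cldap_ping(1, "corp.example.test", 0x00000006, "WKS01$")   # stage 1 liveness probe
    print(len(probe), "bytes,", classify(inspect_cldap_request(probe)))
```

On a sensor, feed `inspect_cldap_request` the UDP payload of each datagram to port 389 and alert on `suspicious`; a `legacy-ntver` hit on its own is worth a look but not an alert, since older clients legitimately send older NtVer values. To send the probe, write `probe` to a `socket.SOCK_DGRAM` socket aimed at the DC and treat a timeout on the reply as the same "no response" signal stage 3 of the PoC uses.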
PoC Availability Comparison
| Source | Availability | Dependencies | Verified |
|---|---|---|---|
| GitHub - 0xABCD01/CVE-2026-41089 | Public, MIT license | Python 3.8+, stdlib only | Community (17 stars, 8 forks as of research date) |
| Aretiq AI research portal | Enterprise-verified download | Python 3.8+, pyasn1 | Enterprise-grade, includes detailed root cause write-up |
| 0patch blog | Public analysis, no full exploit | N/A | Root cause and micropatch commentary |
Active Exploitation in the Wild
Confirmed Activity
The Centre for Cybersecurity Belgium (CCB) confirmed active exploitation on June 1, 2026, 20 days after the patch dropped. The CCB warning cited CVE-2026-41089 specifically out of the 118 vulnerabilities in the May 2026 Patch Tuesday release. As of this writing, the CCB has not publicly disclosed specific attack details, campaign names, IOC sets, or victim sectors from the active exploitation.
Likely Threat Actor Profiles
No specific APT groups or ransomware operators have been publicly attributed as of June 2, 2026. Based on the vulnerability's characteristics - reachable before authentication, aimed at domain controllers, with a PoC public within a day - the exploitation profile is consistent with three operator categories:
| Actor Type | Likely Use Case | Why This Vulnerability Fits |
|---|---|---|
| Initial Access Brokers (IABs) | Selling DC access or persistent disruption capability to downstream operators | Pre-auth, no credentials needed; fast path to high-value AD environments for resale |
| Ransomware operators | Disrupt DCs to hamper response while deploying ransomware via GPO using privileges obtained elsewhere (the crash itself grants none) | Consistent with the "inside-the-perimeter fast path to forest-wide takeover" framing; GPO deployment is ransomware operators' preferred mass-deployment mechanism |
| Nation-state / espionage actors | Persistent access to government and critical infrastructure AD environments | CLDAP disruption creates noise that masks simultaneous credential theft; DC access provides long-term persistent foothold |
Why DoS-as-Entry-Point Is Underestimated
The reliable exploit outcome today is a crash, not code execution. That framing undersells the operational value to attackers. A repeatable, unauthenticated domain controller kill switch is useful in at least three distinct attack contexts beyond pure disruption:
- Cover fire: A DC reboot creates a 60-second authentication blackout. Parallel attacks - lateral movement, credential stuffing, token replay - blend into the noise of "the domain is having issues."
- Patch-gap probing: Repeatedly crashing a DC forces it through a reboot cycle. If the organization has not patched consistently across all DCs, each failover is another exploitation opportunity against whichever DC picks up the load next.
- Negotiation leverage: Ransomware operators have used demonstrated disruption capability as leverage in extortion scenarios, separate from actual data exfiltration.
Netlogon Attack Surface: Broader Risk Context
CVE-2026-41089 does not exist in isolation. It is the latest in a series of critical vulnerabilities targeting Windows Netlogon - the same service, the same trust position in Active Directory, exploited through different mechanisms.
| CVE | Year | Root Cause | Impact | Auth Required |
|---|---|---|---|---|
| CVE-2020-1472 (Zerologon) | 2020 | Cryptographic flaw - AES-CFB8 with an all-zero IV lets the client credential be forged | Domain admin privilege escalation (DC machine account password reset) | None |
| CVE-2022-38023 | 2022 | Weak RC4-HMAC signing on the Netlogon secure channel; fix enforces RPC sealing (KB5021130) | Elevation of privilege via machine-in-the-middle on the Netlogon channel | None (network position) |
| CVE-2023-28268 | 2023 | Netlogon RPC elevation of privilege | Privilege escalation to domain admin | None (network position) |
| CVE-2026-41089 | 2026 | Stack buffer overflow - CLDAP response handler | DoS (reliable); RCE (theoretical) | None |
The pattern is consistent: Netlogon is attacked repeatedly because it is reachable without authentication by design (the DC locator must work before any authentication exists), and any flaw in it directly affects the highest-privilege component in the environment.
Chaining Potential
CVE-2026-41089 becomes significantly more dangerous as a component of a multi-stage attack chain rather than in isolation. The DoS capability provides operational value as a delivery mechanism for other exploits:
| Stage | CVE-2026-41089 Role | Follow-On Attack |
|---|---|---|
| Disruption + cover | Crash primary DC to trigger failover to secondary | Target secondary DC if it's unpatched or less monitored |
| Disruption + recon | Crash DC and observe which backup authentication systems activate | Identify weaker fallback mechanisms (NTLM, legacy Kerberos configs) during failover |
| RCE (if achieved) + escalation | SYSTEM-level code execution in LSASS context | DCSync → krbtgt hash → Golden Ticket; GPO deployment across all domain-joined machines |
| RCE + persistence | LSASS access | Implant a credential-harvesting module or backdoor into the DC that survives reboots via service installation |
Risk Scoring Summary
| Dimension | Assessment |
|---|---|
| Exploitability (DoS) | Critical - public PoC, no auth, single packet, confirmed in the wild |
| Exploitability (RCE) | Medium - theoretically possible; GS cookie is a practical barrier today |
| Attack complexity | Low - Python script, stdlib only, runs from any host with UDP 389 access |
| Privilege required | None - pre-authentication, no domain account needed |
| Blast radius (DoS) | Entire domain - all authentication dependent on that DC fails for ~60s |
| Blast radius (RCE) | Entire AD forest - krbtgt, GPO, all Tier 0 assets |
| Detectability (pre-patch) | Moderate - crash is logged; the trigger packet is hard to distinguish from benign CLDAP traffic without payload inspection |
| Patch availability | Available - May 12, 2026 Patch Tuesday for all supported versions |
Part 3 covers the patch details, IOCs, detection logic, and mitigation guidance for CVE-2026-41089.
