██████╗██╗ ██╗███████╗ ██╗ ██╗ ██╗ ██████╗ ██████╗
██╔════╝██║ ██║██╔════╝ ██║ ██║███║██╔═████╗██╔═████╗
██║ ██║ ██║█████╗ ███████║╚██║██║██╔██║██║██╔██║
██║ ╚██╗ ██╔╝██╔══╝ ██╔══██║ ██║████╔╝██║████╔╝██║
╚██████╗ ╚████╔╝ ███████╗ ██║ ██║ ██║╚██████╔╝╚██████╔╝
╚═════╝ ╚═══╝ ╚══════╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝
Windows Netlogon Remote Code Execution via CLDAP Stack Buffer Overflow
One crafted UDP packet to port 389 overflows a 528-byte stack buffer inside LSASS on any unpatched Windows Domain Controller. LSASS crashes. The DC reboots in about 60 seconds. No creds needed.
| Attack Vector | UDP 389 (CLDAP), pre-auth, zero credentials |
| Impact | LSASS crash, DC reboot, potential RCE |
| CWE | CWE-121 (Stack-based Buffer Overflow) |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Published | May 12, 2026 by Microsoft |
Quick Start
python3 poc.py 10.0.50.21 corp.local
The PoC sends a normal ping, then an overflow ping with a 130-char username, then checks if the DC survived. About 10 seconds total.
Affected Systems
Windows Server versions acting as Domain Controllers:
| Server Version | Fixed In |
|---|---|
| 2012 / 2012 R2 | ESU-only patches |
| 2016 | 10.0.14393.9140 |
| 2019 | 10.0.17763.8755 |
| 2022 | 10.0.20348.5074 |
| 2022 23H2 | 10.0.25398.2330 |
| 2025 | 10.0.26100.32772 |
Root Cause
NlGetLocalPingResponse allocates a 528-byte stack buffer and hands
it to BuildSamLogonResponse. That function calls
NetpLogonPutUnicodeString to write server name, domain name, GUIDs,
and the attacker-controlled username into the buffer.
The bug: NetpLogonPutUnicodeString gets a max length in bytes but
reads it as a WCHAR count. Every string written through this path takes
up twice the expected space. The "User" field in the CLDAP filter (up
to 130 wchars, 260 bytes on the wire) pushes the combined write past
the 528-byte boundary.
I_NetLogonLdapLookupEx
-> NlGetLocalPingResponse // 528-byte stack buffer
-> LogonRequestHandler
-> BuildSamLogonResponse
-> NetpLogonPutUnicodeString // byte/WCHAR size confusion
Usage
python3 poc.py <target_ip> <domain_name> [options]
| Flag | Description | Default |
|---|---|---|
-l |
Username length in characters | 130 |
-t |
UDP recv timeout (seconds) | 5 |
-d |
Delay between overflow and liveness check (seconds) | 3 |
# Connectivity test (short username, no overflow)
python3 poc.py 10.0.50.21 corp.local
# Default overflow attempt
python3 poc.py 10.0.50.21 corp.local -l 130
# Larger payload, longer timeout for slow networks
python3 poc.py 10.0.50.21 corp.local -l 200 -t 10
Python 3.8+. No third-party packages.
How It Works
- Phase 1. Send a normal CLDAP ping with username "testuser" to confirm the DC responds on UDP 389.
- Phase 2. Send the same packet but with a 130+ char username of "A"s. The long username overflows the 528-byte stack buffer. If LSASS crashes, the recv call times out.
- Phase 3. Wait the configured delay. Send a normal ping. No response means LSASS went down.
The overflow causes a DoS (LSASS crash, DC reboot). Stack corruption could enable RCE, but this PoC stays at DoS.
Detection
Network. Look for CLDAP search requests with a "User" filter attribute longer than 20-30 characters. Normal DC locator pings use short service account names.
Host. Watch for LSASS crashes tied to netlogon.dll (Event ID 1000). Turn on Netlogon debug logging:
nltest /dbflag:0x2080ffff
Mitigation
- Install the May 2026 Microsoft security update
- Restrict UDP 389 inbound to trusted management subnets
- Legacy Server versions out of ESU: 0patch ships micropatches
(one-instruction fix:
mov edx, 0x40halves the max username length)
References
- Microsoft Security Update Guide
- NVD - CVE-2026-41089
- 0patch Analysis and Micropatch
- Aretiq AI Reverse Engineering
- RFC 4511 - LDAP
- MS-ADTS - CLDAP DC Locator
Legal. This code exists for authorized security research and education. Test only against systems you own or have written permission to test. Unauthorized access to computer systems violates the CFAA and equivalent laws in most jurisdictions.
Comments