██████╗██╗ ██╗███████╗ ██╗ ██╗ ██╗ ██████╗ ██████╗
██╔════╝██║ ██║██╔════╝ ██║ ██║███║██╔═████╗██╔═████╗
██║ ██║ ██║█████╗ ███████║╚██║██║██╔██║██║██╔██║
██║ ╚██╗ ██╔╝██╔══╝ ██╔══██║ ██║████╔╝██║████╔╝██║
╚██████╗ ╚████╔╝ ███████╗ ██║ ██║ ██║╚██████╔╝╚██████╔╝
╚═════╝ ╚═══╝ ╚══════╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝
Windows Netlogon Remote Code Execution via CLDAP Stack Buffer Overflow
One crafted UDP packet to port 389 overflows a 528-byte stack buffer inside LSASS on any unpatched Windows Domain Controller. The process crashes. The DC reboots in ~60 seconds. No authentication required.
| Attack Vector | UDP 389 (CLDAP), pre-auth, zero credentials |
| Impact | LSASS crash, DC reboot, potential RCE |
| CWE | CWE-121 (Stack-based Buffer Overflow) |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Published | May 12, 2026 by Microsoft |
python3 poc.py 10.0.50.21 corp.local
Three phases: normal ping to confirm the DC is alive, overflow ping with a 130-character username, liveness check. Takes ~10 seconds.
Every Windows Server version running as a Domain Controller:
| Server Version | Fixed In |
|---|---|
| 2012 / 2012 R2 | ESU-only patches |
| 2016 | 10.0.14393.9140 |
| 2019 | 10.0.17763.8755 |
| 2022 | 10.0.20348.5074 |
| 2022 23H2 | 10.0.25398.2330 |
| 2025 | 10.0.26100.32772 |
NlGetLocalPingResponse allocates a 528-byte stack buffer and hands it
to BuildSamLogonResponse. That function calls NetpLogonPutUnicodeString
to write server name, domain name, GUIDs, and the attacker-controlled
username into the buffer.
The bug: NetpLogonPutUnicodeString receives a maximum length in bytes
but treats it as a WCHAR count. Every string written through this path
occupies twice the expected space. The "User" field in the CLDAP filter
(up to 130 wchars, 260 bytes on the wire) pushes the combined write
past the 528-byte boundary.
I_NetLogonLdapLookupEx
-> NlGetLocalPingResponse // 528-byte stack buffer
-> LogonRequestHandler
-> BuildSamLogonResponse
-> NetpLogonPutUnicodeString // byte/WCHAR size confusion
python3 poc.py <target_ip> <domain_name> [options]
| Flag | Description | Default |
|---|---|---|
-l |
Username length in characters | 130 |
-t |
UDP recv timeout (seconds) | 5 |
-d |
Delay between overflow and liveness check (seconds) | 3 |
# Connectivity test (short username, no overflow)
python3 poc.py 10.0.50.21 corp.local
# Default overflow attempt
python3 poc.py 10.0.50.21 corp.local -l 130
# Larger payload, longer timeout for slow networks
python3 poc.py 10.0.50.21 corp.local -l 200 -t 10Requires Python 3.8+. No third-party packages.
- Phase 1. A normal CLDAP ping with username "testuser" confirms the target responds on UDP 389.
- Phase 2. The same packet structure, but the username is 130+ characters of "A". This pushes the serialized data past the stack buffer boundary. If LSASS crashes, the recv times out.
- Phase 3. After a configurable delay, a second normal ping checks whether the DC is still alive. No response = LSASS crash confirmed.
The overflow triggers a denial of service (LSASS crash, DC reboot). RCE through stack corruption is possible in theory. This PoC does not attempt code execution.
Network. Scan CLDAP traffic for search requests where the "User" filter attribute exceeds 20-30 characters. Normal DC locator pings use service account names (short strings).
Host. Watch for LSASS crashes tied to netlogon.dll (Event ID 1000). Enable Netlogon debug logging:
nltest /dbflag:0x2080ffff
- Install the May 2026 Microsoft security update
- Restrict UDP 389 inbound to trusted management subnets
- For legacy Server versions out of ESU: 0patch ships micropatches
(single instruction fix:
mov edx, 0x40to halve the max username length)
- Microsoft Security Update Guide
- NVD - CVE-2026-41089
- 0patch Analysis and Micropatch
- Aretiq AI Reverse Engineering
- RFC 4511 - LDAP
- MS-ADTS - CLDAP DC Locator
Legal. This code exists for authorized security research and education. Test only against systems you own or have written permission to test. Unauthorized access to computer systems violates the CFAA and equivalent laws in most jurisdictions.
