CVE-2026-26128

HIGH

Windows SMB Server - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-26128. PoCs published by adminlove520, XZ1r0, jarnovandenbrink.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2026-26128, which leverages Unicode normalization in Windows Active Directory to bypass Kerberos reflection mitigations. The exploit uses DNS manipulation and relay techniques to target ADCS web enrollment or MSSQL services.

Description

Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally.

Exploits (3)

github WORKING POC 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-26128

This repository contains a functional Python exploit for CVE-2026-26128, which leverages Unicode normalization in Windows Active Directory to bypass Kerberos reflection mitigations. The exploit uses DNS manipulation and relay techniques to target ADCS web enrollment or MSSQL services.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Windows Active Directory (Kerberos/ADCS/MSSQL)
Auth required
Prerequisites: Valid domain credentials · DNS write access · Target service (ADCS/MSSQL)
devstral-2 · analyzed May 26, 2026

github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-26128

This repository contains a functional exploit PoC for CVE-2026-26128, which appears to be a Kerberos-related vulnerability. The code includes modules for Kerberos authentication, DNS manipulation, and SMB relay attacks, suggesting it exploits a flaw in Active Directory or similar environments.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Complex
Reliability: Reliable
Target: Active Directory / Kerberos
No auth needed
Prerequisites: Network access to target domain controller · Valid Kerberos ticket or credentials
devstral-2 · analyzed May 21, 2026

Scores

CVSS v3 7.8
EPSS 0.0045
EPSS Percentile 35.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE: CWE-287
Status: published
Products (37)
Microsoft/Windows 10 Version 1607 10.0.14393.0 - 10.0.14393.8957
Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.8511
Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.7058
Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.7058
Microsoft/Windows 11 version 22H3 10.0.22631.0 - 10.0.22631.6783
Microsoft/Windows 11 Version 23H2 10.0.22631.0 - 10.0.22631.6783
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.8037
Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.8037
Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.1719
Microsoft/Windows 11 Version 26H1 10.0.28000.0 - 10.0.28000.1719
... and 27 more
Published Mar 10, 2026
Tracked Since Mar 11, 2026