1. Overview

CVE-2026-26128 is a Kerberos authentication reflection bypass discovered by Synacktiv that completely bypasses the patch introduced for CVE-2025-33073. It allows an attacker to obtain SYSTEM-level access on most Windows builds.

CVECVE-2026-26128
Discovered bySynacktiv
PatchedMarch 2026 Patch Tuesday
RelatedCVE-2025-33073, CVE-2025-58726, CVE-2026-24294
ImpactLocal Privilege Escalation → SYSTEM
AffectedAll Windows versions except Windows 11 24H2 (default config)

2. Background

The broader context of this vulnerability sits within a chain of authentication reflection research:

  • CVE-2025-33073 — NTLM reflection bypass patched in April 2025. Enforced stricter EPA checks and introduced RestrictReceivingNTLMTraffic registry setting.
  • CVE-2025-58726 — Ghost SPN Kerberos reflection, patched October 2025.
  • CVE-2026-26128 — Kerberos loopback via Unicode SPN. A complete bypass of the CVE-2025-33073 patch, patched March 2026.

The core issue: authentication relay and reflection attacks persist as long as integrity mechanisms are not enforced by default on Windows services. Each patch addressed a specific technique, but the underlying attack surface remained.


3. How It Works (Conceptual)

CVE-2026-26128 abuses a Kerberos authentication coercion primitive using Unicode SPN manipulation:

  1. An attacker with local network access coerces a service into initiating Kerberos authentication.
  2. A crafted Unicode SPN causes the authentication to loop back to the attacker’s listener.
  3. Kerberos issues a token based on the SYSTEM account’s privileges.
  4. The attacker captures and reuses the SYSTEM-level token — achieving local privilege escalation.

Windows 11 24H2 is not affected by default because SMB signing is enforced out of the box, breaking the reflection path. All other Windows versions in default configurations are vulnerable unless patched.


4. Detection

4.1 Verify patch status on all domain-joined machines

Check that the March 2026 Patch Tuesday update is installed:

Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date "2026-03-01") } |
    Select-Object HotFixID, Description, InstalledOn |
    Sort-Object InstalledOn -Descending

For remote checks across multiple machines:

$computers = (Get-ADComputer -Filter *).Name

foreach ($pc in $computers) {
    $patch = Invoke-Command -ComputerName $pc -ScriptBlock {
        Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date "2026-03-01") }
    } -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Computer = $pc
        Patched  = if ($patch) { "Yes" } else { "REVIEW REQUIRED" }
    }
}

4.2 Verify SMB Signing status

SMB signing being enforced prevents the reflection path regardless of patch status:

Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
  • RequireSecuritySignature : True → protected.
  • RequireSecuritySignature : False → vulnerable to SMB-based reflection if unpatched.

4.3 Event Log — suspicious Kerberos activity

Get-WinEvent -LogName Security -ComputerName <DCName> |
    Where-Object { $_.Id -in @(4769, 4770, 4624) } |
    Select-Object TimeCreated, Id, Message -First 50
  • Event ID 4769 — Kerberos service ticket requested. Look for unusual SPNs or service accounts.
  • Event ID 4624 (Logon Type 3) — Network logon. Unexpected SYSTEM-level network logons are a red flag.

5. Mitigation

Priority 1 — Apply the March 2026 Patch Tuesday update immediately. This is the primary fix.

Priority 2 — Enforce SMB Signing on all machines.

Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

Via Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

  • Microsoft network server: Digitally sign communications (always)Enabled
  • Microsoft network client: Digitally sign communications (always)Enabled

Priority 3 — Disable NTLM where possible and enforce Kerberos.

Priority 4 — Restrict DNS record creation by standard users. Default AD settings allow standard users to register DNS records, which enables Ghost SPN attacks (CVE-2025-58726). Review and restrict this permission.

Priority 5 — Monitor for future patches in this chain. Synacktiv notes that other services remain vulnerable to authentication reflection even after this patch. Apply Patch Tuesday updates consistently and monitor for new CVEs in this family.


6. References