1. Overview
CVE-2026-26128 is a Kerberos authentication reflection bypass discovered by Synacktiv that completely bypasses the patch introduced for CVE-2025-33073. It allows an attacker to obtain SYSTEM-level access on most Windows builds.
| CVE | CVE-2026-26128 |
| Discovered by | Synacktiv |
| Patched | March 2026 Patch Tuesday |
| Related | CVE-2025-33073, CVE-2025-58726, CVE-2026-24294 |
| Impact | Local Privilege Escalation → SYSTEM |
| Affected | All Windows versions except Windows 11 24H2 (default config) |
2. Background
The broader context of this vulnerability sits within a chain of authentication reflection research:
- CVE-2025-33073 — NTLM reflection bypass patched in April 2025. Enforced stricter EPA checks and introduced
RestrictReceivingNTLMTrafficregistry setting. - CVE-2025-58726 — Ghost SPN Kerberos reflection, patched October 2025.
- CVE-2026-26128 — Kerberos loopback via Unicode SPN. A complete bypass of the CVE-2025-33073 patch, patched March 2026.
The core issue: authentication relay and reflection attacks persist as long as integrity mechanisms are not enforced by default on Windows services. Each patch addressed a specific technique, but the underlying attack surface remained.
3. How It Works (Conceptual)
CVE-2026-26128 abuses a Kerberos authentication coercion primitive using Unicode SPN manipulation:
- An attacker with local network access coerces a service into initiating Kerberos authentication.
- A crafted Unicode SPN causes the authentication to loop back to the attacker’s listener.
- Kerberos issues a token based on the SYSTEM account’s privileges.
- The attacker captures and reuses the SYSTEM-level token — achieving local privilege escalation.
Windows 11 24H2 is not affected by default because SMB signing is enforced out of the box, breaking the reflection path. All other Windows versions in default configurations are vulnerable unless patched.
4. Detection
4.1 Verify patch status on all domain-joined machines
Check that the March 2026 Patch Tuesday update is installed:
Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date "2026-03-01") } |
Select-Object HotFixID, Description, InstalledOn |
Sort-Object InstalledOn -Descending
For remote checks across multiple machines:
$computers = (Get-ADComputer -Filter *).Name
foreach ($pc in $computers) {
$patch = Invoke-Command -ComputerName $pc -ScriptBlock {
Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date "2026-03-01") }
} -ErrorAction SilentlyContinue
[PSCustomObject]@{
Computer = $pc
Patched = if ($patch) { "Yes" } else { "REVIEW REQUIRED" }
}
}
4.2 Verify SMB Signing status
SMB signing being enforced prevents the reflection path regardless of patch status:
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
RequireSecuritySignature : True→ protected.RequireSecuritySignature : False→ vulnerable to SMB-based reflection if unpatched.
4.3 Event Log — suspicious Kerberos activity
Get-WinEvent -LogName Security -ComputerName <DCName> |
Where-Object { $_.Id -in @(4769, 4770, 4624) } |
Select-Object TimeCreated, Id, Message -First 50
- Event ID 4769 — Kerberos service ticket requested. Look for unusual SPNs or service accounts.
- Event ID 4624 (Logon Type 3) — Network logon. Unexpected SYSTEM-level network logons are a red flag.
5. Mitigation
Priority 1 — Apply the March 2026 Patch Tuesday update immediately. This is the primary fix.
Priority 2 — Enforce SMB Signing on all machines.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Via Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Microsoft network server: Digitally sign communications (always) → Enabled
- Microsoft network client: Digitally sign communications (always) → Enabled
Priority 3 — Disable NTLM where possible and enforce Kerberos.
Priority 4 — Restrict DNS record creation by standard users. Default AD settings allow standard users to register DNS records, which enables Ghost SPN attacks (CVE-2025-58726). Review and restrict this permission.
Priority 5 — Monitor for future patches in this chain. Synacktiv notes that other services remain vulnerable to authentication reflection even after this patch. Apply Patch Tuesday updates consistently and monitor for new CVEs in this family.
6. References
- Synacktiv — Bypassing Windows authentication reflection mitigations for SYSTEM shells
- CVE-2026-26128 — Microsoft Security Response Center
- CVE-2025-33073 — NTLM Reflection Bypass (April 2025)
- CVE-2025-58726 — Ghost SPN Kerberos Reflection (October 2025)
- Semperis — Exploiting Ghost SPNs and Kerberos Reflection