whatisgithub

What is cve-2026-41089?

0xabcd01/cve-2026-41089 — explained in plain English

Analysis updated 2026-05-18

157PythonAudience · researcherComplexity · 3/5LicenseSetup · easy

In one sentence

A Python proof-of-concept that crashes an unpatched Windows domain controller using a single crafted network packet, demonstrating CVE-2026-41089.

Mindmap

mindmap
  root((CVE-2026-41089 PoC))
    What it does
      Sends crafted packet
      Crashes domain controller
      Confirms crash afterward
    Tech stack
      Python 3.8+
      No dependencies
    Use cases
      Verify patch status
      Study the bug
      Build detections
    Audience
      Security researchers
      Windows admins
    Legal
      Authorized testing only
      CFAA warning

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Verify whether a Windows domain controller in a lab environment is patched against CVE-2026-41089 before rolling out the fix organization-wide.

USE CASE 2

Study a real example of a byte-versus-character length confusion bug that causes a stack buffer overflow.

USE CASE 3

Build network detection rules for CLDAP traffic by understanding exactly what the malicious packet looks like.

USE CASE 4

Learn how a proof-of-concept exploit script is structured: connectivity check, trigger, then liveness check.

What is it built with?

Python

How does it compare?

0xabcd01/cve-2026-41089affaan-m/jarvishelpmeeadice/bandori-pet-rev
Stars157158156
LanguagePythonPythonPython
Setup difficultyeasyhardmoderate
Complexity3/55/53/5
Audienceresearcherdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Requires Python 3.8+ with no extra packages, but should only be run against systems you own or are authorized to test.

MIT license: use, copy, modify, and distribute freely, including commercially, as long as you keep the copyright notice.

So what is it?

This Python project is a proof-of-concept exploit for CVE-2026-41089, a security vulnerability in Windows Server that Microsoft disclosed and patched in May 2026. The vulnerability received a CVSS score of 9.8 out of 10, which is classified as critical. A proof-of-concept, in security research terms, is a minimal working demonstration of a flaw, used to confirm the vulnerability is real and to help defenders understand what they are protecting against. The flaw lives in a Windows component called Netlogon, which domain controllers use to handle authentication on a corporate network. A domain controller is the server that manages user logins and access permissions for a Windows-based organization. The bug allows anyone to crash that server by sending a single specially crafted network packet to port 389, without needing any username or password. The crash causes Windows' security process to restart, which reboots the domain controller and disrupts the entire organization's network access for roughly a minute. The README explains this happens because a function that writes data into a fixed-size memory buffer mistakes a character count for a byte count, causing it to write roughly twice as much data as expected and overflow the buffer. The proof-of-concept script takes a target IP address and domain name, sends a test ping to confirm the server is reachable, then sends the oversized packet, and checks afterward whether the server stopped responding. Running it requires Python 3.8 or later and no additional packages. Every version of Windows Server acting as a domain controller is affected. Fixed versions are listed for Windows Server 2016, 2019, 2022, and 2025. The fix is to install the May 2026 Microsoft security update. The README also recommends blocking outside access to port 389 and mentions a third-party micropatch for older server versions no longer receiving official updates. The README states this code is intended only for authorized security research and education, and that testing it against systems without written permission violates computer crime laws. It is released under the MIT license.

Copy-paste prompts

Prompt 1
Explain in simple terms how CVE-2026-41089 lets an attacker crash a Windows domain controller without a username or password.
Prompt 2
What is the difference between a byte count and a character count, and how did mixing them up cause this buffer overflow?
Prompt 3
Write a detection rule for network traffic that matches the oversized CLDAP username pattern described in this PoC.
Prompt 4
What steps should a Windows admin take today to protect domain controllers from CVE-2026-41089 if they cannot patch immediately?
Prompt 5
Summarize the legal considerations of running a security proof-of-concept like this one against a test network.

Frequently asked questions

What is cve-2026-41089?

A Python proof-of-concept that crashes an unpatched Windows domain controller using a single crafted network packet, demonstrating CVE-2026-41089.

What language is cve-2026-41089 written in?

Mainly Python. The stack also includes Python.

What license does cve-2026-41089 use?

MIT license: use, copy, modify, and distribute freely, including commercially, as long as you keep the copyright notice.

How hard is cve-2026-41089 to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is cve-2026-41089 for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.