- CVE: CVE-2026-26128
- CVSS: 7.8 (High · CVSSv3)
- Product: Microsoft Windows 10 Version 1607
- Affected: 10.0.14393.0, 10.0.17763.0, 10.0.19044.0, 10.0.19045.0, 10.0.22631.0, 10.0.26100.0 (+6 more)
- Impact: Windows SMB Server Elevation of Privilege Vulnerability
- Status: No confirmed exploitation yet
- Patched in: 10.0.14393.8957, 10.0.17763.8511, 10.0.19044.7058, 10.0.19045.7058 (+9 more)
- EPSS: 0.4% (30-day)
- Action: Update to 10.0.14393.8957, 10.0.17763.8511, 10.0.19044.7058, 10.0.19045.7058 (+9 more) now
TL;DR
Synacktiv publicly disclosed a Kerberos reflection bypass tracked as CVE-2026-26128. The flaw lets a domain user gain SYSTEM on a target Windows machine. Proof-of-concept exploit code is public, and Microsoft patched the bug in March 2026.
Why It Matters
Kerberos reflection relays a machine’s own authentication back to itself. A successful relay yields a SYSTEM session on the target. This Kerberos reflection chain works by default on most Windows versions. Only Windows 11 24H2 resists it, because it enforces SMB signing. Because the proof-of-concept is public, the risk to Active Directory networks is real. A standard domain user is enough to run the attack. The research also shows that two earlier Microsoft patches missed the root cause. Authentication reflection has haunted Windows for nearly two decades, and this work proves it keeps returning.
How the Attack Works
Synacktiv built a new Kerberos coercion primitive. It abuses differences in how Windows components handle Unicode characters. The domain controller normalizes a service name one way when it looks up an SPN. The DNS client compares names another way. As a result, a crafted record can map to a real machine SPN while still triggering a DNS lookup. The attacker then receives the machine’s Kerberos ticket on a controlled server. That ticket stays valid for the target’s SMB service. A coercion trigger, such as a printer or EFSRPC call, forces the machine to authenticate.
At first, this gave authenticated RCE and broke the CVE-2025-33073 fix. Synacktiv reported it to Microsoft in October 2025. The October Patch Tuesday then shipped CVE-2025-58726, which blocked the relay for SMB. That patch only checked that local authentication came from a local IP address. However, Synacktiv bypassed it too. The CVE-2026-26128 variant forwards the ticket through a local forwarder, so the connection looks local. The result is reliable local privilege escalation to SYSTEM. The full chain appears in Synacktiv’s research, and a public proof-of-concept reproduces it.
Affected Versions
The attack works by default on all Windows versions before the March 2026 patch. Windows 11 24H2 is the exception, since it enforces SMB signing. Microsoft tracked the two related bugs as CVE-2025-58726 and CVE-2026-26128. Both received fixes in the same March 2026 update.
Patch and Mitigation
Apply the March 2026 Patch Tuesday update across your fleet. Enforce SMB signing everywhere, since it blocks the relay outright. The same defense also protects systems still waiting to patch. Importantly, the Kerberos reflection trick still hits HTTP services that lack integrity checks. Synacktiv showed working attacks against ADCS web enrollment and the SCCM AdminService. Therefore, enforce channel binding and restrict network access to those services. Disable any HTTP connector you do not need. No in-the-wild exploitation has been confirmed. Still, a public exploit shortens the runway, so patch quickly.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.