[{"content":"Section 1: Overview\nA stack-based buffer overflow vulnerability exists in the Windows Netlogon service’s DC locator ping response handler. When a domain controller processes a CLDAP search request, it serializes response data, including attacker-supplied and server-side strings, into a fixed-size stack buffer without adequate bounds checking. An unauthenticated remote attacker can send a single crafted CLDAP packet to a domain controller’s UDP port 389, causing the Netlogon service to crash the LSASS process and force the domain controller to reboot. Exploitability depends on the target domain controller’s DNS naming configuration — domain controllers with longer DNS domain names and hostnames are vulnerable. Microsoft addressed this vulnerability in the May 2026 security update.\nSection 2: Vulnerability Type\nField | Value\nPrimary CWE | CWE-121: Stack-based Buffer Overflow\nRelated CWE | CWE-120: Buffer Copy without Checking Size of Input\nSection 3: Severity\nMicrosoft Advisory Score (CVSS 3.1)\nField | Value\nScore | 9.8 (Critical)\nVector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\nOur Assessment (CVSS 4.0)\nMetric Group | Metric | Value\nBase - Exploitability | Attack Vector (AV) | Network\nBase - Exploitability | Attack Complexity (AC) | Low\nBase - Exploitability | Attack Requirements (AT) | Present\nBase - Exploitability | Privileges Required (PR) | None\nBase - Exploitability | User Interaction (UI) | None\nBase - Vulnerable System | Confidentiality (VC) | None\nBase - Vulnerable System | Integrity (VI) | None\nBase - Vulnerable System | Availability (VA) | High\nBase - Subsequent System | Confidentiality (SC) | None\nBase - Subsequent System | Integrity (SI) | None\nBase - Subsequent System | Availability (SA) | High\nThreat | Exploit Maturity (E) | Proof-of-Concept\nField | Value\nCVSS 4.0 Score | 8.8 (High)\nCVSS 4.0 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:P\nAT is Present because the target domain controller must have a sufficiently long DNS domain name (approximately 50+ characters) for the combined response data to exceed the 528-byte buffer. Domain controllers with short domain names (e.g., “example.com”) are not vulnerable. VC and VI are None because the overflow bytes are server-controlled DNS name data rather than attacker-controlled content, and a GS stack cookie prevents return address hijacking. SA is High because crashing LSASS on a domain controller denies all Kerberos and NTLM authentication for the domain.\nSection 4: Affected Products\nProduct | CPE 2.3\nWindows Server 2025 (Server Core) | cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*\nWindows Server 2022 (Server Core) | cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*\nWindows Server 2019 (Server Core) | cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*\nWindows Server 2016 (Server Core) | cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*\nWindows 11 Version 24H2 (x64/ARM64) | cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*\nWindows 11 Version 23H2 (x64/ARM64) | cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*\nWindows 10 Version 22H2 (x86/x64/ARM64) | cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*\nWindows 10 Version 21H2 (x86/x64/ARM64) | cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*\nWindows 10 Version 1809 (x86/x64) | cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*\nWindows 10 Version 1607 (x86/x64) | cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*\nNote: While all Windows editions include netlogon.dll, the vulnerability is only exploitable on systems configured as Active Directory domain controllers, because the DC locator response handler is only active in that role.\nTested Environment (Vulnerable)\nField | Value\nProduct | Windows Server 2025\nBuild | 26100.32690\nBinary | netlogon.dll\nFile Version | 10.0.26100.32684\nSize | 1,044,480 bytes\nSHA256 | C1F5FA84AE46E1A39592284EBB354BD055743D72AB417C1B90A7D99383289594\nInstalled KBs | KB5082062 (April 2026)\nTested Environment (Fixed)\nField | Value\nPatch KB | KB5089549 (May 2026)\nBuild | 26100.32860\nBinary | netlogon.dll\nFile Version | 10.0.26100.32684\nSize | 1,044,480 bytes\nSHA256 | A59733767285859FC3F982C46EA9C1173F4BF025D1569C03B4D137B55132B2DB\nFeature Flag | Feature_404993339\nSection 5: Root Cause Analysis\n5a. Detailed Description\nThe vulnerability exists in NetpLogonPutUnicodeString, a helper function in netlogon.dll that copies a null-terminated Unicode string into an output buffer. The function accepts a source string pointer, a maximum character count, and a pointer to an advancing cursor into the output buffer, but has no parameter for the output buffer’s total size:\n// NetpLogonPutUnicodeString (vulnerable version, RVA 0x8902C)\n_WORD *NetpLogonPutUnicodeString(__int64 source, __int64 max_chars, unsigned __int64 *cursor)\n{\n    // Align cursor to 2-byte boundary\n    NetpULongPtrRoundUp(*cursor, 2, &aligned);\n    dest = aligned;\n    // Character-by-character copy — no output bounds check\n    wchar = *source;\n    if (wchar) {\n        do {\n            if (!max_chars--)\n                break;\n            *dest = wchar;                  // WRITE with no buffer size check\n            dest += 2;\n            wchar = *(dest + src_offset);   // next source character\n        } while (wchar);\n    }\n    *dest = 0;             // null terminator\n    *cursor = dest + 2;    // advance cursor\n}\nThis function is called three consecutive times by BuildSamLogonResponse (RVA 0x6AF4C) to serialize a DC locator SAM Logon Response into a fixed-size output buffer:\n// BuildSamLogonResponse+0x62 through +0x96\n*(_WORD *)buffer = opcode;                                   // 2 bytes\ncursor = buffer + 2;\nNetpLogonPutUnicodeString(domain_info + 216, 36, &cursor);   // server name\nNetpLogonPutUnicodeString(username, 130, &cursor);           // ATTACKER-CONTROLLED\nNetpLogonPutUnicodeString(domain_info + 72, 32, &cursor);    // domain name\nThe hardcoded second argument (36, 130, 32) limits the number of wide characters copied per call. After these three string copies, the function writes two 16-byte GUIDs and three DNS-compressed domain names (forest, domain, hostname) via NlpUtf8ToCutf8. The total data written depends on the lengths of both attacker-supplied and server-configured values.\nThe output buffer originates from NlGetLocalPingResponse (RVA 0x10A50), which declares a 528-byte stack array:\nchar Src[528]; // [rsp+0xE0h]\nThis buffer is passed through LogonRequestHandler to BuildSamLogonResponse. The data breakdown:\nComponent | Source | Max bytes | Controlled by\nOpcode | constant | 2 | N/A\nServer name | DC config | 74 (36 wchars + null + align) | Server\nUsername | CLDAP filter | 262 (130 wchars + null + align) | Attacker\nDomain name | DC config | 66 (32 wchars + null + align) | Server\nDomain GUID | AD | 16 | Server\nZero GUID | constant | 16 | Server\nDNS forest name | AD config | variable | Server\nDNS domain name | AD config | variable (compressed) | Server\nDNS hostname | AD config | variable (compressed) | Server\nIP + flags + terminator | runtime | 16 | Server\nThe attacker controls the username (up to 130 wide characters = 260 bytes), which is the largest single component. The remaining ~266+ bytes come from server-configured data. When the server’s DNS domain name is long (e.g., “dept.division.engineering.enterprise.corporation.local”), the combined DNS names push the total past 528 bytes.\nCritically, the bytes that overflow past the buffer boundary are the server’s own DNS names, not attacker-controlled data. The attacker’s username fills the middle of the buffer and pushes the server’s DNS data past the end. This means the attacker controls the overflow length (by choosing a username length up to 130 wchars) but not the overflow content.\nThe attack entry point is CLDAP (Connectionless LDAP, UDP port 389). An attacker sends a SearchRequest with filter (&(DnsDomain=<target>)(User=<130 chars>)(NtVer=\\x02\\x00\\x00\\x00)). The NtVer value must have bits 2-3 clear (e.g., value 2) to force the non-EX response path through BuildSamLogonResponse rather than BuildSamLogonResponseEx. 
The full call chain:\nntdsai!LDAP_CONN::SearchRequest\n  -> ntdsai!LDAP_GetRootDSEAttNetlogon\n  -> netlogon!I_NetLogonLdapLookupEx\n  -> netlogon!NlGetLocalPingResponse\n  -> netlogon!LogonRequestHandler\n  -> netlogon!BuildSamLogonResponse\n  -> netlogon!NetpLogonPutUnicodeString (x3, no bounds check)\n  -> netlogon!NlpUtf8ToCutf8 (x3, DNS names overflow past buffer end)\nNo authentication is required — the CLDAP handler processes requests before any credential check.\n5b. Vulnerable Assembly and Call Stack\nnetlogon.dll 10.0.26100.32684:\n; NetpLogonPutUnicodeString — copy loop with no output bounds check\n; RVA 0x8902C\n7ffb7356902c  mov     [rsp+10h], rbx\n7ffb73569031  push    rdi\n7ffb73569032  sub     rsp, 20h\n7ffb73569036  xor     edi, edi\n7ffb73569038  lea     r10, [netlogon!`string']       ; default empty string\n7ffb73569047  mov     rbx, r8                        ; rbx = cursor pointer (a3)\n7ffb7356904a  mov     r11d, edx                      ; r11d = max char count (a2)\n7ffb7356904d  cmovne  r10, rcx                       ; r10 = source string if non-NULL\n; ... alignment via NetpULongPtrRoundUp ...\n; Copy loop:\n7ffb7356907d  mov     eax, r11d                      ; eax = remaining count\n7ffb73569080  dec     r11d                           ; decrement counter\n7ffb73569083  test    eax, eax                       ; was it zero?\n7ffb73569085  je      done                           ; stop if exhausted\n7ffb73569087  mov     word ptr [rcx], dx             ; WRITE — no bounds check on dest\n7ffb7356908a  add     rcx, 2                         ; advance dest cursor\n7ffb7356908e  movzx   edx, word ptr [rcx+r10]        ; read next source char\n7ffb73569096  jne     loop                           ; continue until null\n; BuildSamLogonResponse — three calls with hardcoded max char counts\n; RVA 0x6AF4C\n7ffb7354afba  lea     edx, [rbx+24h]                 ; edx = 0x24 = 36 (server name)\n7ffb7354afc1  call    netlogon!NetpLogonPutUnicodeString\n7ffb7354afca  mov     edx, 82h                       ; edx = 0x82 = 130 (username)\n7ffb7354afcf  mov     rcx, r13                       ; rcx = attacker username\n7ffb7354afd2  call    netlogon!NetpLogonPutUnicodeString\n7ffb7354afdf  lea     edx, [rbx+20h]                 ; edx = 0x20 = 32 (domain name)\n7ffb7354afe2  call    netlogon!NetpLogonPutUnicodeString\nCall Stack (captured via KDNET at BuildSamLogonResponse entry, triggered by CLDAP ping with 130-char username):\n00 netlogon!BuildSamLogonResponse\n01 netlogon!LogonRequestHandler+0x380\n02 netlogon!NlGetLocalPingResponse+0x521\n03 netlogon!I_NetLogonLdapLookupEx+0x59c\n04 ntdsai!LDAP_GetRootDSEAttNetlogon+0x84\n05 ntdsai!LDAP_GetDSEAtts+0x595\n06 ntdsai!LDAP_CONN::SearchRequest+0x9f9\n07 ntdsai!LDAP_CONN::ProcessRequestEx+0x334f\n08 ntdsai!LDAP_CONN::IoCompletion+0x6c8\n09 ntdsai!ProcessNewClient+0x162\n5c. Fix (Patched Version)\nThe May 2026 patch introduces feature flag Feature_404993339 and replaces the unsafe NetpLogonPutUnicodeString with a bounded version using RtlStringCbCopyExW:\nAspect | Vulnerable | Patched\nCopy method | Manual char-by-char loop with counter | RtlStringCbCopyExW with byte budget\nSize parameter | Max character count (130 = 130 wchars = 260 bytes) | Max byte count (130 = 130 bytes = 65 wchars)\nReturn value | Pointer (no error indication) | DWORD (0 = success, 87 = ERROR_INVALID_PARAMETER)\nCaller behavior | Return value ignored, no abort on overflow | Every call checked; function aborts immediately on error\nMinimum size check | None | if (a2 < 2) return 87\nAlignment overflow check | None | if (padding > remaining) return 87\nThe old function is preserved as NetpLogonPutUnicodeStringOld behind the feature flag:\nif ( !Feature_404993339__private_IsEnabledDeviceUsageNoInline() )\n{\n    // Legacy path — vulnerable\n    NetpLogonPutUnicodeStringOld(server, 36, &cursor);\n    NetpLogonPutUnicodeStringOld(user, 130, &cursor);\n    NetpLogonPutUnicodeStringOld(domain, 32, &cursor);\n}\nelse\n{\n    // Patched path — bounded, error-checked\n    if (NetpLogonPutUnicodeString(server, 0x24, &cursor)) return error;\n    if (NetpLogonPutUnicodeString(user, 0x82, &cursor)) return error;\n    if (NetpLogonPutUnicodeString(domain, 0x20, &cursor)) return error;\n}\nAdditionally, NlGetLocalPingResponse zero-initializes the buffer when the flag is enabled:\nif (Feature_404993339__private_IsEnabledDeviceUsageNoInline())\n    memset(Src, 0, 0x208);\n5d. Impact\nA single unauthenticated CLDAP packet (UDP 389) crashes the LSASS process on a vulnerable domain controller, forcing a system reboot. The overflow corrupts the GS stack cookie placed by BuildSamLogonResponse, triggering __fastfail(FAST_FAIL_STACK_COOKIE_CHECK_FAILURE), which terminates LSASS with exception code 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN). Since LSASS hosts all authentication services (Kerberos, NTLM, Netlogon secure channel), its crash denies authentication to the entire Active Directory domain until the DC reboots. This was confirmed experimentally: a DC with the domain name “dept.division.engineering.enterprise.corporation.local” (54 characters) crashed and rebooted upon receiving the PoC packet.\nAchieving remote code execution beyond DoS is unlikely in practice. The bytes that overflow the buffer boundary are the server’s own DNS-compressed hostname and domain labels, not attacker-controlled data. Even if the GS stack cookie could be bypassed (e.g., via a separate information disclosure), the attacker cannot place a controlled return address in the overflow region. The return address for NlGetLocalPingResponse sits 72 bytes (0x48) past the buffer end, while the maximum measured overflow with a 63-character DNS hostname label was approximately 51 bytes — 21 bytes short of reaching the return address. Extending the overflow further would require multiple long DNS subdomain labels in the server’s FQDN, which is limited by the 255-character DNS name maximum.\nSection 6: Proof-of-Concept\n6a. PoC Code\nDownload poc_cve_2026_41089.py (enterprise email verification required)\n6b. Reproduce Instructions\nPrerequisites:\n- Target: Windows Server domain controller (pre-patch, without KB5089549) with a DNS domain name of 50+ characters\n- Attacker: Python 3 with pyasn1 library\n- Network: UDP port 389 accessible from attacker to DC (Windows Firewall may need to be disabled)\nSteps:\nEnsure the target DC’s DNS domain name is sufficiently long. 
For testing, promote a server as a DC with a domain like dept.division.engineering.enterprise.corporation.local and set a long DNS hostname (up to 63 characters for the hostname label).\nVerify CLDAP connectivity with a benign ping (short username):\npython poc_cve_2026_41089.py <DC_IP> <dns_domain> 10\nExpected: “Response received: NNN bytes”\nSend the overflow payload (130-character username):\npython poc_cve_2026_41089.py <DC_IP> <dns_domain> 130\nExpected outcome: no CLDAP response (timeout). The LSASS process crashes with exception 0xc0000409. The domain controller reboots within approximately 60 seconds. After reboot, LSASS and Netlogon restart normally.\nVerify the crash in the Application event log on the DC:\nFaulting application name: lsass.exe\nFaulting module name: netlogon.DLL\nException code: 0xc0000409\n6c. Test Results\nTest environment: LONGDOMAINDC01.dept.division.engineering.enterprise.corporation.local (10.0.50.21)\nMetric | Short domain (example.com) | Long domain (54 chars)\nBuffer size | 528 bytes | 528 bytes\nTotal data written | 363 bytes | 492+ bytes\nOverflow past buffer | 0 bytes | 2 bytes (14-char hostname)\nLSASS crash | No | Yes (with 63-char hostname)\nException code | N/A | 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN)\nDC reboot | No | Yes\nAttack packets | 1 | 1\nAuthentication required | No | No\nOverflow scaling by DNS hostname length:\nHostname label length | Overflow extent | Result\n14 chars | 2 bytes | No crash (below stack cookie)\n~30 chars | ~18 bytes | Stack cookie corrupted, crash\n63 chars (max DNS label) | ~51 bytes | Confirmed crash + DC reboot\nStack layout past the buffer:\nOffset from buffer end | Content\n+0x00 | GS stack cookie (corrupted at 2+ bytes overflow)\n+0x48 (72 bytes) | NlGetLocalPingResponse return address (requires 72+ bytes to reach)\nWER crash log:\nFaulting application name: lsass.exe, version: 10.0.26100.7309\nFaulting module name: netlogon.DLL, version: 10.0.26100.32522\nException code: 0xc0000409\nFault offset: 0x000000000002399d\nFaulting process id: 0x31C\n6d. Patched System Verification\nThe patched netlogon.dll (KB5089549, SHA256: A5973376...) was tested on the patched DC. When Feature_404993339 is enabled, BuildSamLogonResponse calls the new NetpLogonPutUnicodeString, which uses RtlStringCbCopyExW with a byte-count budget. The same CLDAP packet sent to the patched DC returned a normal 166-byte response. No overflow, no crash.\nSection 7: Detection\nNote: The detection rules below are provided as a starting point. Validate and tune them in your own environment before deploying to production.\nSection 7A: Network-Based Detection\nSignature-Based Detection\nThe attack uses CLDAP (LDAP over UDP 389) with a SearchRequest containing a “User” filter attribute with an unusually long value (100+ UTF-8 bytes). Legitimate DC locator pings typically have short usernames (under 20 characters) or omit the User attribute entirely. The NtVer attribute value must have bits 2-3 clear (typically \\x02\\x00\\x00\\x00) to trigger the vulnerable non-EX response path — legitimate clients almost always set NtVer=6 (which includes the 5EX bit and takes a different, non-vulnerable code path).\nSuricata Rules\n# Detect CLDAP DC locator ping with oversized User attribute\nalert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:\"CVE-2026-41089 Netlogon CLDAP overflow - long User in DC ping\"; \\\n    content:\"|30|\"; depth:1; \\\n    content:\"User\"; nocase; \\\n    isdataat:100,relative; \\\n    threshold:type limit, track by_src, count 1, seconds 60; \\\n    reference:cve,2026-41089; \\\n    classtype:attempted-admin; \\\n    sid:2026041089; rev:1;)\n# Detect CLDAP with NtVer=2 (non-EX path, required for exploit) and User attribute\nalert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:\"CVE-2026-41089 Netlogon CLDAP overflow - NtVer non-EX path\"; \\\n    content:\"|30|\"; depth:1; \\\n    content:\"NtVer\"; \\\n    content:\"|04 04 02 00 00 00|\"; distance:0; within:8; \\\n    content:\"User\"; \\\n    isdataat:80,relative; \\\n    reference:cve,2026-41089; \\\n    classtype:attempted-admin; \\\n    sid:2026041090; rev:1;)\nByte Offset Reference\nOffset | Field | Description\n0 | 0x30 | LDAP Message (BER SEQUENCE tag)\n+2-4 | Message ID | BER INTEGER\n+5 | 0x63 | SearchRequest (APPLICATION[3] CONSTRUCTED)\nvariable | Base DN | Empty OCTET STRING (0x04 0x00)\nvariable | Scope | ENUMERATED 0 (baseObject)\nvariable | Filter | AND filter (0xA0) containing DnsDomain, User, NtVer\nvariable | User value | OCTET STRING — attack payload (100+ bytes of UTF-8)\nvariable | NtVer value | OCTET STRING — 4 bytes LE (0x02 0x00 0x00 0x00 for exploit)\nvariable | Attributes | SEQUENCE containing “Netlogon”\nSection 7B: Host-Based Detection (YARA)\nThe following YARA rules detect vulnerable (unpatched) versions of netlogon.dll by matching the byte patterns of the unsafe NetpLogonPutUnicodeString copy loop and the three consecutive unbounded calls in BuildSamLogonResponse. The first rule references the pe module in its condition, so the rule file must import it.\nimport \"pe\"\n\nrule CVE_2026_41089_Netlogon_Vulnerable_PutUnicodeString\n{\n    meta:\n        description = \"Detects vulnerable NetpLogonPutUnicodeString in netlogon.dll (unbounded copy loop)\"\n        cve = \"CVE-2026-41089\"\n        component = \"netlogon.dll\"\n        severity = \"Critical\"\n        type = \"vulnerability\"\n    strings:\n        // NetpLogonPutUnicodeString copy loop — no output bounds check\n        // mov eax, r11d; dec r11d; test eax, eax; je short; mov [rcx], dx; add rcx, 2\n        $copy_loop = {\n            44 89 D8          // mov eax, r11d\n            41 FF CB          // dec r11d\n            85 C0             // test eax, eax\n            74 ??             // je done\n            66 89 11          // mov word ptr [rcx], dx\n            48 83 C1 02       // add rcx, 2\n        }\n        // BuildSamLogonResponse — three calls with hardcoded max char counts 0x24, 0x82, 0x20\n        $three_calls = {\n            8D 53 24          // lea edx, [rbx+24h]\n            E8 ?? ?? ?? ??    // call NetpLogonPutUnicodeString\n            [0-16]\n            BA 82 00 00 00    // mov edx, 82h\n            [0-8]\n            E8 ?? ?? ?? ??    // call NetpLogonPutUnicodeString\n            [0-16]\n            8D 53 20          // lea edx, [rbx+20h]\n            E8 ?? ?? ?? ??    // call NetpLogonPutUnicodeString\n        }\n    condition:\n        uint16(0) == 0x5A4D and\n        ($copy_loop or $three_calls) and\n        for any i in (0..pe.number_of_sections - 1) : ( pe.sections[i].name == \".text\" )\n}\n\nrule CVE_2026_41089_Netlogon_Patched\n{\n    meta:\n        description = \"Detects patched netlogon.dll with Feature_404993339 and RtlStringCbCopyExW\"\n        cve = \"CVE-2026-41089\"\n        component = \"netlogon.dll\"\n        type = \"patch_verification\"\n    strings:\n        $feature_flag = \"Feature_404993339\" ascii wide\n        $safe_copy = \"RtlStringCbCopyExW\" ascii\n    condition:\n        uint16(0) == 0x5A4D and $feature_flag and $safe_copy\n}\nUsage:\n# Scan the local DLL, printing the matching strings\nyara -s cve_2026_41089.yar C:\\\\Windows\\\\System32\\\\netlogon.dll\n# Scan a domain controller’s DLL remotely over its admin share (repeat per DC)\nyara -s cve_2026_41089.yar \\\\\\\\dc01\\\\c$\\\\Windows\\\\System32\\\\netlogon.dll\nRule | Match means\nCVE_2026_41089_Netlogon_Vulnerable_PutUnicodeString | Unpatched — vulnerable to CVE-2026-41089\nCVE_2026_41089_Netlogon_Patched | Patched — KB5089549 applied with Feature_404993339\nSection 8: References\nSource | URL\nMicrosoft Advisory | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089\nMITRE CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41089\nNVD | https://nvd.nist.gov/vuln/detail/CVE-2026-41089\nMicrosoft KB (Server 2025) | 
https://support.microsoft.com/help/KB5089549 ","permalink":"https://aretiq.ai/research/vul260513-cve-2026-41089-microsoft-windows-netlogon-buildsamlogonresponse-stack-based-buffer-overflow-rce/","summary":"\u003ch2 id=\"section-1-overview\"\u003eSection 1: Overview\u003c/h2\u003e\n\u003cp\u003eA stack-based buffer overflow vulnerability exists in the Windows Netlogon service\u0026rsquo;s DC locator ping response handler. When a domain controller processes a CLDAP search request, it serializes response data including attacker-supplied and server-side strings into a fixed-size stack buffer without adequate bounds checking. An unauthenticated remote attacker can send a single crafted CLDAP packet to a domain controller\u0026rsquo;s UDP port 389, causing the Netlogon service to crash the LSASS process and force the domain controller to reboot. The exploitability depends on the target domain controller\u0026rsquo;s DNS naming configuration — domain controllers with longer DNS domain names and hostnames are vulnerable. Microsoft addressed this vulnerability in the May 2026 security update.\u003c/p\u003e","title":"CVE-2026-41089 — Microsoft Windows Netlogon BuildSamLogonResponse Stack-based Buffer Overflow RCE"},{"content":"Aretiq AI is a technology company focused on building intelligent solutions.\nFor inquiries, contact us at admin@aretiq.ai.\n","permalink":"https://aretiq.ai/about/","summary":"\u003cp\u003eAretiq AI is a technology company focused on building intelligent solutions.\u003c/p\u003e\n\u003cp\u003eFor inquiries, contact us at \u003ca href=\"mailto:admin@aretiq.ai\"\u003eadmin@aretiq.ai\u003c/a\u003e.\u003c/p\u003e","title":"About"},{"content":"We’d love to hear from you. Fill out the form below or email us directly.\nEmail: admin@aretiq.ai | Business: business@aretiq.ai | HR: hr@aretiq.ai\n","permalink":"https://aretiq.ai/contact/","summary":"\u003cp\u003eWe\u0026rsquo;d love to hear from you. 
Fill out the form below or email us directly.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eEmail:\u003c/strong\u003e \u003ca href=\"mailto:admin@aretiq.ai\"\u003eadmin@aretiq.ai\u003c/a\u003e | \u003cstrong\u003eBusiness:\u003c/strong\u003e \u003ca href=\"mailto:business@aretiq.ai\"\u003ebusiness@aretiq.ai\u003c/a\u003e | \u003cstrong\u003eHR:\u003c/strong\u003e \u003ca href=\"mailto:hr@aretiq.ai\"\u003ehr@aretiq.ai\u003c/a\u003e\u003c/p\u003e","title":"Contact"},{"content":"Proof-of-concept code and technical resources from our research.\nEnterprise email verification is required to prevent abuse of our work. We publish PoC code to support defensive security — not to enable attacks.\nNo enterprise email? Follow us on X (@AretiqAI) and send us a DM.\nEnterprise email required to prevent misuse. Free email providers (Gmail, Yahoo, etc.) are not accepted.\n","permalink":"https://aretiq.ai/downloads/","summary":"\u003cp\u003eProof-of-concept code and technical resources from our research.\u003c/p\u003e\n\u003cp\u003eEnterprise email verification is required to prevent abuse of our work. We publish PoC code to support defensive security — not to enable attacks.\u003c/p\u003e\n\u003cp\u003eNo enterprise email? 
Follow us on \u003ca href=\"https://x.com/AretiqAI\"\u003eX (@AretiqAI)\u003c/a\u003e and send us a DM.\u003c/p\u003e","title":"Downloads"},{"content":"Our Commitment\nAretiq AI is committed to improving the security of software and 
systems used by organizations and individuals worldwide. When we discover a vulnerability, we follow a coordinated disclosure process that balances the urgency of protecting users with giving vendors a fair opportunity to develop and release patches.\nDisclosure Timeline\n- 90 days from the date we notify the vendor for standard vulnerabilities.\n- 120 days for complex issues that involve multiple vendors, multi-party coordination, or require extensive architectural changes.\n- If a vendor releases a patch before the deadline, we may publish our advisory shortly after the patch is made available to allow time for deployment.\n- If a vendor is unresponsive after multiple contact attempts over 30 days, the 90-day clock starts from our first documented outreach.\nExtensions\nWe may grant a one-time extension of up to 14 days if:\n- The vendor is actively working on a fix and can demonstrate meaningful progress.\n- A patch is confirmed but requires additional time for quality assurance or coordinated rollout.\nExtensions are not granted indefinitely. We believe firm deadlines protect end users and incentivize timely remediation.\nWhat We Publish\nAfter the disclosure deadline or patch release (whichever comes first), we publish an advisory that may include:\n- Vulnerability description and root cause analysis\n- Affected products and versions\n- CVSS severity assessment\n- Detection guidance\n- Proof-of-concept code (gated behind enterprise email verification to prevent abuse)\nWe do not publish weaponized exploits. Our proof-of-concept code is designed to demonstrate the vulnerability for defensive purposes only.\nWhat We Expect From Vendors\n- Acknowledge receipt of our report within 5 business days.\n- Provide a CVE identifier or confirm one will be requested.\n- Communicate a remediation timeline.\n- Credit Aretiq AI in the security advisory.\nStandards Alignment\nThis policy is informed by:\n- ISO/IEC 29147 (Vulnerability Disclosure)\n- ISO/IEC 30111 (Vulnerability Handling Processes)\n- CERT/CC Coordinated Vulnerability Disclosure guidelines\n","permalink":"https://aretiq.ai/disclosure-policy/","summary":"\u003ch2 id=\"our-commitment\"\u003eOur Commitment\u003c/h2\u003e\n\u003cp\u003eAretiq AI is committed to improving the security of software and systems used by organizations and individuals worldwide. When we discover a vulnerability, we follow a coordinated disclosure process that balances the urgency of protecting users with giving vendors a fair opportunity to develop and release patches.\u003c/p\u003e\n\u003ch2 id=\"disclosure-timeline\"\u003eDisclosure Timeline\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e90 days\u003c/strong\u003e from the date we notify the vendor for standard vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e120 days\u003c/strong\u003e for complex issues that involve multiple vendors, multi-party coordination, or require extensive architectural changes.\u003c/li\u003e\n\u003cli\u003eIf a vendor releases a patch before the deadline, we may publish our advisory shortly after the patch is made available to allow time for deployment.\u003c/li\u003e\n\u003cli\u003eIf a vendor is unresponsive after multiple contact attempts over 30 days, the 90-day clock starts from our first documented outreach.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"extensions\"\u003eExtensions\u003c/h2\u003e\n\u003cp\u003eWe may grant a one-time extension of up to 14 days if:\u003c/p\u003e","title":"Responsible Disclosure Policy"}]