CVE-2026-20929 is a Windows HTTP.sys privilege-escalation vulnerability arising from improper access control in HTTP-based Kerberos authentication handling. The issue is described as enabling Kerberos authentication relay through DNS CNAME record abuse: an on-path attacker who can intercept or modify DNS responses can return a crafted CNAME and A record so that a Windows client constructs a Kerberos SPN using an attacker-chosen hostname. The victim then requests a service ticket for that SPN and presents it to attacker-controlled infrastructure, which can relay the authentication to HTTP-based services that do not adequately enforce anti-relay protections. The supplied content indicates Microsoft addressed the HTTP attack surface by implementing and backporting channel binding token (CBT) / Extended Protection for Authentication-related support in HTTP.sys across supported Windows Server versions in the January 2026 security updates. The underlying reporting particularly highlights abuse against AD CS Web Enrollment (/certsrv), where relayed Kerberos authentication could be used to obtain a certificate in the victim's name.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Microsoft security update that backported Extended Protection for Authentication/channel binding enforcement to affected Windows versions as part of the fix path for the Windows Admin Center authentication reflection issue.
A Kerberos authentication relay vulnerability that abuses DNS CNAME-based SPN manipulation to relay authentication, particularly to AD CS web enrollment endpoints, enabling certificate enrollment for victim accounts and persistent access.
A Microsoft Windows HTTP.sys security issue addressed by adding/backporting Channel Binding Token (CBT) support to reduce Kerberos relay risk for HTTP-based services; patched in January 2026 updates.
A Windows HTTP.sys Kerberos/credential relay-related vulnerability addressed by Microsoft’s January 2026 updates by adding/expanding Channel Binding Token (CBT) support for HTTP.sys, mitigating HTTP relay scenarios stemming from DNS CNAME-based Kerberos coercion/relay techniques.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.