CVE-2026-26128 is an elevation of privilege vulnerability in Windows SMB Server caused by improper authentication. Based on the provided content, the issue is reachable through an SMB reflection scenario involving relayed Kerberos authentication. Researchers described a technique that forwards a Kerberos AP-REQ back to the local SMB service from a local IP address so that Windows SMB Server accepts the reflected authentication and grants elevated access. The vulnerability was assigned after prior remote-code-execution reflection paths were blocked by earlier SMB changes; the remaining exploitable condition allowed conversion of the technique into a local privilege escalation issue. Successful exploitation results in the SMB service treating the reflected machine-context authentication as sufficiently trusted, leading to execution or access as NT AUTHORITY\SYSTEM.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a standalone Python exploit for CVE-2026-26128, described as Kerberos reflection via a Unicode SPN bypass in Windows Active Directory. The main entry point is CVE-2026-26128.py, which orchestrates the full attack chain: parse operator credentials and target parameters, derive a crafted Unicode hostname from the chosen target, add that hostname as an AD-integrated DNS A record via LDAP, wait for propagation, start a local SMB relay server on port 445, and then trigger coerced authentication from the victim/DC using either PetitPotam (EFSRPC) or DFSCoerce (DFSNM). When the coerced Kerberos authentication reaches the attacker SMB listener, the code extracts the AP-REQ/SPN and relays it to a configured target service. Repository structure is modular. lib/dns contains LDAP-based ADIDNS management used to add/remove the malicious DNS record. lib/coerce contains the coercion primitives: petitpotam.py triggers EFSRPC-based UNC access to \\<listener>\test\Settings.ini, and dfscoerce.py triggers DFSNM-based coercion over \\PIPE\netdfs. lib/servers contains the relay listeners, especially smbrelayserver.py, which implements the SMB listener and includes Unicode normalization logic to match the relayed SPN hostname back to the intended target. httprelayserver.py provides HTTP/WebDAV relay handling. lib/clients contains protocol relay clients for HTTP/HTTPS and MSSQL. The HTTP client relays Kerberos to web targets such as AD CS Web Enrollment; the MSSQL client performs Kerberos-authenticated TDS login and supports execution of operator-supplied SQL queries through ntlmrelayx attack plumbing. lib/utils contains configuration and Kerberos/SPNEGO parsing helpers. Primary exploit capability is Kerberos relay enabled by a Unicode hostname confusion trick: the tool registers a Unicode lookalike DNS name that resolves to the attacker, causing the target/DC to request a service ticket and connect to the attacker-controlled SMB service. The SMB relay server then forwards the Kerberos authentication to a chosen target. For AD CS targets, the expected result is issuance of a machine certificate saved as a .pfx file, after which the tool prints a gettgtpkinit.py command to obtain a TGT via PKINIT. For MSSQL targets, the exploit can authenticate and run arbitrary SQL queries provided with -q/--query. This is clearly exploit code rather than a detector, and it is operational because it contains end-to-end attack logic and usable payload actions, though payload customization is relatively basic and not embedded in a larger exploitation framework.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A universal local privilege escalation vulnerability based on relaying a Kerberos AP-REQ from a local IP address back to the target's SMB service, enabling privileged SMB sessions via Kerberos loopback reflection.
An elevation-of-privilege vulnerability in Windows SMB Server that can allow an attacker to obtain SYSTEM privileges.
An important Windows SMB Server elevation of privilege vulnerability caused by improper authentication that could allow an authorized attacker to gain SYSTEM privileges over a network.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.