Emergency Fix

CVE-2026-20929

Kerberos relay via DNS CNAME (HTTP.sys) (Credential relay / auth-bypass)

Summary

A Kerberos authentication relay technique abuses DNS CNAME responses to coerce Windows clients into requesting service tickets for attacker-chosen SPNs; where target services do not enforce signing or channel binding tokens (CBT), those tickets can be relayed to authenticate as the victim. Microsoft fixed the HTTP.sys component (added CBT support) in the January 2026 updates. The issue enables credential relay, lateral movement and privilege escalation when an attacker can manipulate DNS resolution (MITM position).

Why Emergency Fix?

4/6
  • No authentication required
  • Deployment unknown
  • No user interaction needed
  • Exploitable in default configuration
  • Public PoC available
  • Not a high impact vulnerability

Exploitation Details

Type
Auth Bypass (Authentication Bypass)
Is exploitable with default configuration?
Yes
Is authentication needed?
No
Impact

Impersonate domain users and relay Kerberos service tickets to access SMB/HTTP/LDAP services, enabling lateral movement and potential privilege escalation or SYSTEM/domain compromise.

Exploitation Requirements
  • Network MITM position able to intercept/modify DNS (ARP/DHCP/DNS poisoning or ot
  • Target service accepts Kerberos without mandatory signing or Channel Binding Tokens (CBT)
  • Victim uses a Windows Kerberos client that follows the CNAME to build the SPN
  • Ability to relay captured tickets to the target service.
Exploitation Process

An on-path attacker intercepts or modifies victim DNS responses and returns a CNAME alias pointing the requested service name to an attacker-controlled hostname. The Windows client follows the CNAME and builds a Kerberos TGS request using the CNAME as the Service Principal Name (SPN). The attacker captures/relays the resulting tickets (for example using a modified MITM6 to perform CNAME poisoning and krbrelayx to relay/authenticate) to a target service (SMB, HTTP, AD CS, LDAP) that does not enforce signing/CBT; the relayed authentication is accepted by the target and yields unauthorized access or privileged actions.

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
0

Affected Software

Vendor: Microsoft
Product: Windows HTTP.sys (HTTP Server API)
Affected Versions: Affected Windows versions include multiple supported Windows Server and Windows 10/11 builds prior to the January 2026 security updates that backported fixes to HTTP.sys (see vendor advisory for exact build cutoffs).
Description

HTTP.sys is the Windows kernel-mode HTTP protocol stack (HTTP Server API) used by IIS and other Windows services to listen for and process HTTP/HTTPS requests on Windows Server and client editions.

Deployment:
Protocol: HTTP/HTTPS
Ports: 80, 443
Affected Component: The HTTP.sys kernel driver (HTTP Server API) handling incoming HTTP/HTTPS requests and channel-binding enforcement for HTTP-based services.

Vendor Size: Big
Remediation
Workaround

Not available

Patch

Not available

Update

Not available

Threat Intelligence
EPSS Score: 0.0%

Probability of exploitation in the next 30 days

EPSS Percentile: 14%

Worse than 14% of all CVEs

CISA KEV
Not Listed
Active Exploitation
No Evidence
Threat Actors

No known threat actors

Detection Rules (9)

  • KQL: SecurityEvent | where EventID == 4769 | where ServiceName !in (expected_SPNs) and AccountType == "User" (alert on anomalous/new SPN TGS requests; expected_SPNs is a let-bound list of known SPNs)
  • Other: SIEM pattern: correlate DNS responses with Kerberos TGS requests; if a DNS response contains CNAME -> attacker_ip and a subsequent EventID 4769 references the CNAME SPN, escalate
  • Other: Network IDS/Suricata: detect DNS responses with a CNAME for an internal hostname where the CNAME target is external/unexpected
  • Other: KQL/Sigma: detect creation/execution of processes named mitm6-cname.py or krbrelayx on hosts in the network segment
  • Other: Threat hunting resource (5 entries)
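As an added example, not a rule from the page's vendor or from Microsoft, the following Python implements the KQL, SIEM-correlation and CNAME-target patterns listed above over constructed records: it flags TGS requests (Event ID 4769) whose SPN is outside an expected set, flags CNAME answers that alias an internal name to a target outside the trusted zones, and escalates a TGS request whose SPN host matches such a CNAME target logged shortly before it. The record schemas, zone names, the `WINDOW` value and all sample telemetry are assumptions; in particular it assumes the 4769 `ServiceName` field has been normalised to the requested SPN string.

```python
"""
Correlate DNS CNAME answers with Kerberos TGS requests (Security Event 4769).

Added example, not a rule shipped with the page or by Microsoft. Field names,
trusted zones, expected SPNs and the sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class DnsAnswer:
    """One CNAME answer as a resolver or IDS might log it (constructed schema)."""
    ts: datetime
    query: str   # name the client asked for
    cname: str   # alias target returned in the answer


@dataclass
class TgsRequest:
    """Subset of a 4769 record; assumes ServiceName was normalised to the requested SPN."""
    ts: datetime
    account: str    # TargetUserName
    spn: str        # e.g. "cifs/host.corp.example"
    client_ip: str  # IpAddress


# Constructed environment assumptions.
TRUSTED_ZONES = ("corp.example",)
EXPECTED_SPNS = {"cifs/fileserver.corp.example", "http/intranet.corp.example"}
WINDOW = timedelta(minutes=5)   # how long after a CNAME answer a matching TGS still correlates


def norm(name: str) -> str:
    """Lower-case and strip the trailing dot of a DNS name."""
    return name.lower().rstrip(".")


def spn_host(spn: str) -> str:
    """Host part of 'class/host[:port]' (e.g. 'cifs/h.example:445' -> 'h.example')."""
    host = spn.split("/", 1)[1] if "/" in spn else spn
    return norm(host.split(":", 1)[0])


def in_trusted_zone(name: str) -> bool:
    name = norm(name)
    return any(name == z or name.endswith("." + z) for z in TRUSTED_ZONES)


def suspicious_cnames(answers):
    """CNAME answers aliasing an internal name to a target outside the trusted zones."""
    return [a for a in answers if in_trusted_zone(a.query) and not in_trusted_zone(a.cname)]


def correlate(answers, requests):
    """Return one alert per TGS request for an SPN outside EXPECTED_SPNS.

    severity "medium": SPN not expected.
    severity "high":   additionally, the SPN host equals the target of a suspicious
                       CNAME answer logged within WINDOW before the request.
    """
    bad = suspicious_cnames(answers)
    alerts = []
    for req in requests:
        if norm(req.spn) in EXPECTED_SPNS:
            continue
        alert = {"severity": "medium", "account": req.account, "spn": req.spn,
                 "client_ip": req.client_ip, "cname_query": None}
        host = spn_host(req.spn)
        for a in bad:
            if norm(a.cname) == host and timedelta(0) <= req.ts - a.ts <= WINDOW:
                alert["severity"] = "high"
                alert["cname_query"] = a.query   # internal name that was aliased away
                break
        alerts.append(alert)
    return alerts


# Constructed sample telemetry: one poisoned CNAME answer, one benign one, three TGS requests.
T0 = datetime(2026, 1, 20, 9, 0, 0)
SAMPLE_DNS = [
    DnsAnswer(T0, "fileserver.corp.example", "relay.attacker.example."),
    DnsAnswer(T0 + timedelta(minutes=1), "www.corp.example", "cdn.corp.example"),  # benign alias
]
SAMPLE_TGS = [
    TgsRequest(T0 + timedelta(seconds=30), "alice", "cifs/fileserver.corp.example", "10.0.0.5"),  # expected
    TgsRequest(T0 + timedelta(seconds=45), "alice", "cifs/relay.attacker.example", "10.0.0.5"),   # follows CNAME
    TgsRequest(T0 + timedelta(minutes=2), "bob", "ldap/newdc.corp.example", "10.0.0.9"),          # unknown SPN
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_DNS, SAMPLE_TGS):
        print(alert)
```

Run on the sample data it yields one "high" alert (alice requesting a ticket for the CNAME target 45 seconds after the poisoned answer) and one "medium" alert for the unknown LDAP SPN; the expected file-server request is not reported. In a real deployment the time window and trusted zones are the tuning knobs, and the high-severity path is the one worth routing to a responder.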

NVD Data


Description Summary

Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network.

CVSS Base Score

7.5
High

CVSS Vector (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-284 Improper Access Control
Version From:
Version Upto: 10.0.14393.8783, 10.0.14393.8783, 10.0.17763.8276, 10.0.17763.8276, 10.0.19044.6809, 10.0.19045.6809, 10.0.22631.6491, 10.0.14393.8783, 10.0.17763.8276, 10.0.20348.4648, 10.0.25398.2092

Affected Software (CPE) (16)

  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*