LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089

Rule Info

Name: LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409). Such a crash, especially on Domain Controllers, might indicate exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability in the Netlogon component of Windows. The vulnerability can be triggered by sending specially crafted requests to the Netlogon service, leading to a stack-based buffer overflow and a subsequent crash of the LSASS process.
Date: 2026-06-02 00:00:00
Modified: None
Id: f8a66a02-4a16-46e5-b7fd-a42c8a93d137
Tags: attack.impact attack.t1499 cve.2026-41089 detection.emerging-threats
Type: Community Rule

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #6041 from @swachchhanda000 - Add `LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089`
Date: 2026-06-11
Commit: