CVE- 2026-26128 is a high-severity Windows vulnerability (CVSS: 7.8) affecting several versions of Microsoft Windows 10, allowing domain users to escalate privileges to SYSTEM through Kerberos reflection attacks. Despite no confirmed exploitation so far, a proof-of-concept exploit is publicly available. The flaw exploits discrepancies in how Windows components process Unicode characters, enabling malicious actors to relay their own authentication back to the target machine.
Microsoft patched this issue in March 2026, and users are advised to update their systems to mitigate risks. SMB signing is a critical preventive measure for all Windows versions.