Executive Summary

CVE-2026-32631 is a security vulnerability in Git for Windows versions prior to 2.53.0.windows.3. It occurs when a user clones a malicious repository or checks out a malicious branch that contains symbolic links pointing to network drives. During the checkout process, Git follows these symbolic links, causing Windows to perform NTLM authentication automatically and send the user's NTLMv2 hash to an attacker-controlled server.

Because NTLM authentication does not require user interaction by default, attackers can capture the NTLM hash without the user's knowledge. Although brute-forcing the NTLMv2 hash to recover credentials is computationally expensive, it is possible. This vulnerability allows attackers to potentially obtain user credentials by exploiting this behavior.

The issue was fixed in Git for Windows version 2.53.0.windows.3 by preventing Git from following symbolic links that point to network drives during checkout.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the disclosure of your NTLM authentication hash to an attacker if you clone or check out a malicious Git repository or branch. The attacker can then attempt to brute-force the captured NTLMv2 hash to recover your credentials.

If successful, the attacker could impersonate you on the network or access resources that require your credentials, potentially leading to unauthorized access to sensitive data or systems.

Because NTLM authentication is performed transparently without user interaction, you might not be aware that your credentials have been exposed.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring NTLM authentication events, especially those related to NTLMv1-derived credential generation requests. Windows 11 version 24H2 and Windows Server 2025 introduce auditing capabilities that log NTLMv1-derived credential requests in the Microsoft-Windows-NTLM/Operational event log.

Specifically, enabling the registry key at `HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\lsa\msv1_0` with the value `BlockNtlmv1SSO` set to 0 (Audit mode) will log warnings (Event ID 4024) when NTLMv1-derived credentials are generated. These logs provide detailed information including target server, user, process ID, process name, and domain.

By reviewing these event logs, administrators can detect suspicious NTLM authentication attempts that may indicate exploitation attempts related to CVE-2026-32631.

While specific commands are not provided in the resources, typical detection steps include:

• Enable auditing for NTLM events via the registry key `BlockNtlmv1SSO`.
• Use Event Viewer to monitor the Microsoft-Windows-NTLM/Operational log for Event IDs 4024 (audit warnings) and 4025 (enforcement errors).
• Use PowerShell commands such as `Get-WinEvent` or `wevtutil` to query NTLM event logs, for example: `Get-WinEvent -LogName Microsoft-Windows-NTLM/Operational | Where-Object { $_.Id -eq 4024 -or $_.Id -eq 4025 }`.

Additionally, monitoring Git for Windows usage and ensuring versions prior to 2.53.0.windows.3 are identified can help detect vulnerable installations.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Git for Windows to version 2.53.0.windows.3 or later, which includes a fix that prevents Git from following symbolic links pointing to network drives during checkout, thereby stopping the NTLM hash disclosure.

Additionally, organizations should consider enabling the enforcement mode for blocking NTLMv1-derived credentials by setting the registry key `BlockNtlmv1SSO` to 1 under `HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\lsa\msv1_0`. This blocks NTLMv1-derived credential generation and logs errors (Event ID 4025), reducing the attack surface.

Enabling Windows Credential Guard where possible is also recommended, as it fully protects against NTLMv1 legacy cryptography and related attack surfaces.

Finally, educating users to avoid cloning or checking out branches from untrusted or suspicious repositories can reduce the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-32631 allows attackers to obtain a user's NTLM hash by tricking them into cloning or checking out malicious Git repositories, potentially leading to credential compromise through brute-forcing NTLMv2 hashes.

Since this vulnerability can lead to unauthorized access to user credentials, it poses a risk to the confidentiality of sensitive information, which is a critical requirement under compliance standards such as GDPR and HIPAA.

Organizations subject to these regulations must ensure that software vulnerabilities like this are patched promptly to prevent unauthorized access and data breaches that could result in non-compliance and legal consequences.

The vulnerability highlights the risks associated with legacy authentication protocols like NTLM, which are being deprecated and replaced by more secure methods such as Kerberos, as part of broader security improvements in Windows platforms.

Useful 0 Not Useful 0