
Critical Remote Code Execution Flaw (CVE‑2026‑46204) Affects Microsoft Windows 10/11 and Server 2022

Vulnerabilities Reporter

A newly disclosed vulnerability, CVE‑2026‑46204, allows unauthenticated attackers to execute arbitrary code on Windows hosts by sending crafted SMB packets to TCP port 445. All supported Windows 10, Windows 11, and Windows Server 2022 releases are affected. Microsoft has issued patches that should be applied immediately.

Immediate Impact

A remote code execution (RCE) vulnerability, CVE‑2026‑46204, has been assigned a CVSS 3.1 base score of 9.8 (Critical). The flaw resides in the SMBv3 driver (`srv2.sys`). An attacker who can send a specially crafted SMB packet to a vulnerable system can achieve SYSTEM‑level code execution without any user interaction.

The vulnerability is wormable: malware that exploits it can spread from host to host with no user action, as WannaCry did with the EternalBlue SMB exploit in 2017, and as was feared for CVE‑2020‑0796 (SMBGhost), the 2020 pre‑authentication length‑handling bug in the same SMBv3 driver. Any network in which TCP/445 is reachable between Windows hosts, which in practice means any network with file sharing enabled, is at highest risk.


Affected Products and Versions

Product              Versions affected         Support status
Windows 10           22H2, 21H2, 20H2, 1909    Supported (security updates)
Windows 11           22H2, 23H2                Supported
Windows Server 2022  All releases              Supported
Windows Server 2019  Not affected (different SMB stack)

All installations running SMBv3 driver version 10.0.19041.XXXX or later are vulnerable. Windows 7, Windows 8.1, and SMB1‑only deployments are not affected.


Technical Details

  1. Root Cause – The SMBv3 driver fails to validate the length field (`OriginalMessageSize`) of the `SMB2_TRANSFORM_HEADER` against the number of bytes actually received. An oversized value causes the driver to read and write past the end of its buffer, producing a pool (kernel heap) overflow.
  2. Exploit Path – The overflow overwrites adjacent function pointers in the pool. By controlling the overwritten pointer, an attacker can redirect execution to attacker‑controlled shellcode placed in non‑paged pool memory.
  3. Pre‑conditions – The target must have SMBv3 enabled and listening on TCP port 445. No authentication is required, because the transform header is parsed before any session is established; the packet can be sent from any IP address that can reach the host.
  4. Impact – Successful exploitation yields SYSTEM privileges, allowing full control of the host, credential dumping, and lateral movement.
  5. Detection – Kernel pool corruption itself leaves no trace in default Windows logging (pool tracking is an opt‑in debugging feature), so detection relies on SMB server telemetry and network monitoring: Windows Event ID 22, source Microsoft-Windows-SMBServer, may show repeated malformed SMB requests, and unexpected inbound TCP/445 connections from workstations or external addresses are a strong signal.
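The following C program is an added illustration, not code from Microsoft or from the original article. It models the bug class described in items 1 and 2: a receive path that trusts the `OriginalMessageSize` field of the `SMB2_TRANSFORM_HEADER` and sizes its copy from it, next to the bounds check that closes the hole. The header layout (52 bytes; magic `0xFD 'S' 'M' 'B'`, `OriginalMessageSize` at offset 36) follows MS-SMB2; everything else (function names, the constructed test messages, and the assumption that the driver's receive path resembles this) is an illustrative assumption. Nothing is copied: the overflow is modelled as the gap between the claimed length and the bytes received.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SMB2_TRANSFORM_HEADER (MS-SMB2 2.2.41): 52 bytes, little-endian fields.
 *   0 ProtocolId(4)=FD 'S' 'M' 'B'  4 Signature(16)  20 Nonce(16)
 *  36 OriginalMessageSize(4)  40 Reserved(2)  42 Flags(2)  44 SessionId(8)
 * The encrypted SMB2 message follows the header immediately. */
#define SMB2_TRANSFORM_HEADER_LEN 52u
#define SMB2_TRANSFORM_MAGIC "\xFDSMB"

struct smb2_transform_header {
    uint32_t original_message_size;   /* attacker-controlled on the wire */
    uint16_t flags;
    const uint8_t *payload;           /* first byte after the header */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) { return rd16le(p) | ((uint32_t)rd16le(p + 2) << 16); }

/* Parse the fixed header only; false if too short or wrong ProtocolId.
 * Deliberately does not judge the length field: that is the callers' job. */
bool parse_transform_header(const uint8_t *buf, size_t len, struct smb2_transform_header *h)
{
    if (buf == NULL || h == NULL || len < SMB2_TRANSFORM_HEADER_LEN) return false;
    if (memcmp(buf, SMB2_TRANSFORM_MAGIC, 4) != 0) return false;
    h->original_message_size = rd32le(buf + 36);
    h->flags   = rd16le(buf + 42);
    h->payload = buf + SMB2_TRANSFORM_HEADER_LEN;
    return true;
}

/* The bug class (illustrative model): the receive path sizes its pool allocation
 * or copy from OriginalMessageSize without comparing it to the bytes received.
 * Returns the copy length such code would use; anything above len-52 runs off
 * the end of the received data. Nothing is actually copied here. */
size_t payload_len_unchecked(const uint8_t *buf, size_t len)
{
    struct smb2_transform_header h;
    if (!parse_transform_header(buf, len, &h)) return 0;
    return h.original_message_size;        /* trusted as-is: the defect */
}

/* Hardened: the ciphertext can be no longer than what arrived after the header.
 * 0 = ok (*out set), -1 = short/not a transform header, -2 = length field lies. */
int payload_len_checked(const uint8_t *buf, size_t len, size_t *out)
{
    struct smb2_transform_header h;
    if (!parse_transform_header(buf, len, &h)) return -1;
    size_t avail = len - SMB2_TRANSFORM_HEADER_LEN;
    if (h.original_message_size == 0 || h.original_message_size > avail) return -2;
    *out = h.original_message_size;
    return 0;
}

/* Would the unchecked path read/write beyond the received buffer? */
bool unchecked_path_overflows(const uint8_t *buf, size_t len)
{
    return len >= SMB2_TRANSFORM_HEADER_LEN &&
           payload_len_unchecked(buf, len) > len - SMB2_TRANSFORM_HEADER_LEN;
}

/* Constructed message (not a capture): valid magic, the claimed
 * OriginalMessageSize, Flags=Encrypted, payload_len bytes of filler. */
size_t build_transform_message(uint8_t *out, size_t cap, uint32_t claimed_size, size_t payload_len)
{
    size_t total = SMB2_TRANSFORM_HEADER_LEN + payload_len;
    if (total > cap) return 0;
    memset(out, 0, total);
    memcpy(out, SMB2_TRANSFORM_MAGIC, 4);
    for (int i = 0; i < 4; i++) out[36 + i] = (uint8_t)(claimed_size >> (8 * i));
    out[42] = 0x01;                        /* Flags: Encrypted */
    memset(out + SMB2_TRANSFORM_HEADER_LEN, 0xAA, payload_len);
    return total;
}

/* Scenario: 16 bytes of ciphertext arrive but the header claims ~2 GiB.
 * True when the unchecked path would overflow and the checked path rejects. */
bool demo_oversized_rejected(void)
{
    uint8_t pkt[128]; size_t out = 0;
    size_t n = build_transform_message(pkt, sizeof pkt, 0x7FFFFFF0u, 16);
    return unchecked_path_overflows(pkt, n) && payload_len_checked(pkt, n, &out) == -2;
}

/* Scenario: honest header. Returns the accepted payload length (16), -1 on any surprise. */
int demo_benign_payload_len(void)
{
    uint8_t pkt[128]; size_t out = 0;
    size_t n = build_transform_message(pkt, sizeof pkt, 16, 16);
    if (payload_len_checked(pkt, n, &out) != 0 || unchecked_path_overflows(pkt, n)) return -1;
    return (int)out;
}

int main(void)
{
    printf("oversized OriginalMessageSize: overflow modelled, hardened path rejects: %s\n",
           demo_oversized_rejected() ? "yes" : "no");
    printf("benign message: accepted payload length %d\n", demo_benign_payload_len());
    return 0;
}
```

The check that matters is the single comparison in `payload_len_checked`: a length field that arrives on the wire bounds nothing until it has been compared with the number of bytes the transport actually delivered. Rejecting a zero length as well avoids a later underflow when callers subtract the authentication tag or other fixed-size trailers.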

Mitigation Steps

  1. Apply the Patch – Microsoft released security updates on 2026‑04‑12. Install the appropriate KB for your OS through Windows Update, WSUS, or the Microsoft Update Catalog.
  2. Block SMB Traffic – Until patches are applied, block inbound TCP/445 at the perimeter firewall and on host‑based firewalls; on workstations, which rarely need to serve files, the host rule can stay in place permanently.
  3. Disable SMBv2/v3 on hosts that do not need to serve files – As a temporary measure, set the REG_DWORD value SMB2 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0 and restart. Note that this switch disables SMBv2 and SMBv3 together (there is no separate SMBv3 switch), so the host stops serving files unless SMB1 is installed; SMB1 is absent by default on these Windows versions and should stay that way. Re‑enable SMBv2/v3 after patching.
  4. Restrict who can reach port 445 – Network Level Authentication (NLA) is a Remote Desktop feature and does not apply to SMB. Because the flaw is reached before authentication, requiring SMB signing or encryption does not prevent it either. Reduce exposure by allowing inbound TCP/445 only from the client subnets and management hosts that actually need file services.
  5. Monitor for Indicators of Compromise – Look for unexpected child processes (for example cmd.exe, powershell.exe, or rundll32.exe) spawned by svchost.exe or other SYSTEM‑level processes that do not normally create children, and for the Event ID mentioned above.

Timeline

  • 2026‑04‑02 – Vulnerability reported to Microsoft via the MSRC coordinated disclosure program.
  • 2026‑04‑09 – Microsoft acknowledges the issue and begins internal testing.
  • 2026‑04‑12 – Public advisory released; patches (KB5029384 for Windows 10/11, KB5029385 for Server 2022) made available.
  • 2026‑04‑15 – CISA adds CVE‑2026‑46204 to its Known Exploited Vulnerabilities (KEV) catalog.
  • 2026‑04‑30 – Major threat‑intel feeds report active exploitation in the wild targeting corporate VPN endpoints.

What to Do Now

  1. Verify patch status with wmic qfe list brief /format:table | find "KB5029384" (or the Server KB); on systems where WMIC has been removed, the PowerShell Get-HotFix cmdlet reports the same installed updates.
  2. If patches cannot be applied immediately, enforce firewall rules to drop inbound 445 traffic.
  3. Run the Microsoft Safety Scanner to detect any post‑exploitation artifacts.
  4. Update your incident response playbook to include this CVE’s IOCs.

Take action now. The window for unpatched exploitation is already open. Apply the updates, block SMB, and monitor your environment.
