A newly disclosed CVE‑2026‑46595 lets attackers execute arbitrary code via crafted SMB packets. All supported Windows 10 and 11 versions are vulnerable. Microsoft rates it 9.8 CVSS. Patches are live; apply immediately and enforce network segmentation.
Immediate Impact
Microsoft has released an emergency patch for CVE‑2026‑46595. The flaw allows unauthenticated remote code execution over SMBv3. An attacker can gain SYSTEM privileges on any machine that accepts SMB traffic on port 445. The Microsoft Security Response Center (MSRC) rates the vulnerability 9.8 (Critical) on the CVSS v3.1 scale.
Affected products include:
- Windows 10, version 22H2 and later
- Windows 11, version 22H2 and later
- Windows Server 2019, 2022, and Azure Stack HCI
All builds receiving monthly cumulative updates are impacted. No version is exempt.
Technical Details
CVE‑2026‑46595 resides in the SMB 3.1.1 driver (\SystemRoot\System32\drivers\srv2.sys). The driver fails to correctly validate the length field of a Compressed Data Block (CDB) inside an SMB2/SMB3 packet. By sending a packet with a crafted length that exceeds the allocated buffer, an attacker triggers a stack‑based buffer overflow. The overflow overwrites the return address, allowing execution of attacker‑controlled shellcode.
Key characteristics:
- Attack vector: Network‑only, no authentication required.
- Complexity: Low – a single packet suffices.
- Privileges required: None; the exploit runs with SYSTEM rights after successful overflow.
- Impact: Full system compromise, lateral movement, data exfiltration.
Proof‑of‑concept code was posted on GitHub by security researcher ZeroDayLab (see repo). The PoC demonstrates a reliable exploit against a default Windows 11 23H2 installation when SMB is exposed to the internet.
Mitigation Steps
- Apply the out‑of‑band update released on 2026‑05‑24. The patch is available via Windows Update, WSUS, and Microsoft Endpoint Configuration Manager. The KB article is KB5029387.
- Block inbound SMB traffic at the perimeter firewall. Deny TCP/445 from untrusted networks. Use a zero‑trust network policy where possible.
- Enable SMB signing on all domain‑joined machines. This adds a cryptographic check that mitigates tampering, though it does not stop the overflow itself.
- Audit for open SMB ports using tools like
nmapor Microsoft Defender for Endpoint. Identify any legacy devices that cannot be patched and isolate them. - Monitor for Indicators of Compromise (IoCs). Look for unusual
svchost.exeprocesses spawning fromsrv2.sys, spikes in SMB traffic, and failed authentication attempts on port 445. Microsoft provides a detection rule for Azure Sentinel: CVE‑2026‑46595 detection.
Timeline
- 2026‑05‑20: Vulnerability reported privately to MSRC.
- 2026‑05‑22: MSRC assigns CVE‑2026‑46595, begins internal analysis.
- 2026‑05‑23: Exploit code released publicly.
- 2026‑05‑24: Emergency out‑of‑band patch (KB5029387) published.
- 2026‑05‑25: CISA adds the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
What to Do Now
- Verify that your machines have installed KB5029387. Run
wmic qfe get HotFixID | find "KB5029387"on each host. - If you manage a large fleet, push the update via your configuration management tool within the next 24 hours.
- Review firewall rules. Ensure port 445 is blocked from the internet.
- Run the Microsoft Defender scan with the latest definitions to catch any post‑exploit artifacts.
Failure to act quickly could result in widespread compromise, especially for organizations that expose file shares to external partners. The window for exploitation is already open; the only defense is prompt patching and network isolation.
Stay alert. Apply the patch. Harden your network.
Comments
Please log in or register to join the discussion