Microsoft has disclosed CVE-2026-20822, a critical remote code execution vulnerability affecting the Windows SMB client component. This flaw allows attackers to execute arbitrary code on affected systems by sending specially crafted packets to vulnerable SMB clients, potentially leading to complete system compromise. Organizations using Windows 10, Windows 11, and Windows Server 2019/2022 are urged to review the Microsoft Security Update Guide immediately and apply available patches.
Executive Summary
Microsoft Security Response Center (MSRC) has released a security advisory addressing CVE-2026-20822, a critical remote code execution vulnerability in the Windows Server Message Block (SMB) client. This vulnerability carries a CVSS base score of 9.8 (Critical) and affects multiple versions of Windows operating systems, including Windows 10 versions 1809 through 22H2, Windows 11 versions 21H2 and 22H2, and Windows Server 2019 and 2022.
The vulnerability exists in the way the Windows SMB client handles specially crafted malicious SMB server responses. An unauthenticated attacker could exploit this vulnerability by configuring a malicious SMB server and convincing a user or system to connect to it, or by intercepting legitimate SMB traffic and injecting malicious responses. Successful exploitation grants the attacker the same privileges as the SMB client process, typically SYSTEM level access on affected systems.
Technical Details
Vulnerability Mechanism
SMB is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The Windows SMB client implements this protocol to access shared resources on SMB servers. CVE-2026-20822 is a use-after-free vulnerability in the SMB client driver (srv.sys) that occurs during the processing of certain SMB version 3.1.1 dialect negotiation responses.
When an SMB client initiates a connection to an SMB server, it exchanges dialect negotiation packets to establish the SMB version and capabilities to use. The vulnerability is triggered when the SMB client processes a malformed negotiate response that contains:
- A valid SMB3 header with the dialect revision set to 0x0311 (SMB 3.1.1)
- A preauth integrity hash that passes initial validation
- Malformed security mode flags that cause improper memory allocation
- A subsequent session setup response that triggers a race condition in the memory management routine
The race condition results in a use-after-free scenario where the SMB client continues to reference a memory buffer that has been freed. An attacker can manipulate the timing and content of subsequent packets to control the freed memory contents, eventually leading to arbitrary code execution.
Attack Vectors
Network-based exploitation: The most straightforward attack vector involves an attacker setting up a rogue SMB server on a network segment. When a Windows system attempts to access a network share (either through user action or automated system processes like Windows Search indexing or backup operations), it will connect to the attacker's server. The attacker then sends the malicious negotiate response to trigger the vulnerability.
Man-in-the-Middle (MitM): On networks without SMB signing enforcement, an attacker positioned between a legitimate SMB client and server can intercept and modify SMB traffic. This is particularly relevant in public Wi-Fi networks or compromised internal networks.
Phishing-based exploitation: Attackers can embed malicious SMB links in documents, emails, or web pages. When users click these links (e.g., \\attacker-server\share), the SMB client automatically initiates a connection.
Affected Versions
Client Systems:
- Windows 10 Enterprise 2015 LTSB (x86, x64)
- Windows 10 Enterprise 2016 LTSB (x86, x64)
- Windows 10 Enterprise 2019 LTSC (x86, x64)
- Windows 10 versions 1809 through 22H2 (all editions)
- Windows 11 version 21H2 (all editions)
- Windows 11 version 22H2 (all editions)
Server Systems:
- Windows Server 2019 (Standard, Datacenter, Essentials)
- Windows Server 2022 (Standard, Datacenter, Essentials)
Note: Windows Server 2016 is not affected. Systems with SMBv1 disabled are still vulnerable as the vulnerability exists in SMBv2 and SMBv3 implementations.
Mitigation and Remediation
Immediate Actions
Apply Security Updates: Microsoft has released patches for all affected versions. The updates are available through:
- Windows Update (recommended for most users)
- Microsoft Update Catalog
- Windows Server Update Services (WSUS)
Direct download links are available in the Microsoft Security Update Guide.
Block SMB Outbound Traffic: As a temporary mitigation until patches can be applied, configure firewalls to block outbound SMB traffic (TCP ports 445 and 139) to untrusted networks. This prevents systems from connecting to malicious SMB servers on the internet.
Enable SMB Signing: Enforce SMB signing on all Windows systems. This prevents MitM attacks, though it does not protect against direct connection to malicious servers.
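The two interim mitigations above, applied and then verified from an elevated PowerShell session, as an added example that is not part of the advisory. The firewall rule name and the use of the Public firewall profile to stand in for "untrusted networks" are assumptions; adjust them to your environment.

```powershell
# Added example (not from the advisory): interim hardening for CVE-2026-20822
# on a Windows host until the Microsoft patch is applied. Run elevated.
# Rule name and the choice of the Public profile are assumptions.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# 1. Require SMB signing on the client side so injected responses fail the
#    integrity check. This defends the MitM vector only; a host that connects
#    directly to a rogue server is still exposed until patched.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 2. If this host also serves shares, require signing there as well.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

# 3. Block outbound SMB (TCP 445 and 139) on Public-profile networks so the
#    host cannot be lured to an internet-facing rogue SMB server. Widen the
#    -Profile or add -RemoteAddress if internal shares must stay reachable.
$ruleName = 'Block outbound SMB to untrusted networks (CVE-2026-20822 interim)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445,139 `
        -Profile Public -Action Block -Enabled True | Out-Null
}

# 4. Verify the resulting state and list how many SMB sessions are live,
#    which is useful when deciding whether the block rule will break anything.
$client = Get-SmbClientConfiguration
$rule   = Get-NetFirewallRule -DisplayName $ruleName
[pscustomobject]@{
    ClientSigningRequired = $client.RequireSecuritySignature
    OutboundSmbBlocked    = ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    ActiveSmbConnections  = (Get-SmbConnection | Measure-Object).Count
}
```

Deploy the same settings centrally via Group Policy or WSUS-managed scripts rather than host by host, and remove the interim firewall rule once the update from the Security Update Guide is confirmed installed.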