CVE-2020-0796
CVE-2020-0796 is a critical-severity vulnerability in Microsoft Windows 10 1903 with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-02-10). The underlying weakness is classified as CWE-119.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-02-10)
- EU (EUVD) id: EUVD-2020-2283
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-02-10)
- Weakness: CWE-119
- Affected product: Microsoft Windows 10 1903
- Published:
- Last modified:
Description
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
CVE-2020-0796: Windows SMBv3 Client/Server Remote Code Execution Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| CVE | CVE-2020-0796 |
| CVSS v3 | 10.0 (Critical) |
| CVSS v2 | 7.5 |
| EPSS | 0.9981 |
| KEV | Yes (since 2022-02-10) |
| CWE | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
| Affected | Windows 10 1903, Windows 10 1909, Windows Server 1903, Windows Server 1909 |
Summary
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An unauthenticated attacker could exploit this flaw by sending a specially crafted request to a vulnerable SMBv3 server, or by convincing a user to connect to a malicious SMBv3 server.
Background
SMBv3.1.1 is the protocol version affected by this vulnerability. The issue relates to how this protocol implementation processes certain incoming requests, leading to a buffer overflow condition that can be exploited for remote code execution.
Root Cause
The vulnerability is classified as CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. The SMBv3.1.1 implementation fails to properly validate the size of data before copying it into a buffer, leading to a buffer overflow condition. When a specially crafted request is processed, data can be written beyond the allocated buffer boundary, potentially allowing an attacker to execute arbitrary code.
Impact
- CVSS 3.1 Score: 10.0 (Critical) — Network exploitable with low attack complexity, no privileges required, no user interaction, and changed scope.
- Confidentiality Impact: HIGH — An attacker can gain access to all data on the system.
- Integrity Impact: HIGH — An attacker can modify or delete any data on the system.
- Availability Impact: HIGH — An attacker can render the system completely unavailable.
- Scope: CHANGED — The vulnerable component impacts resources beyond its security scope.
Exploitation Walkthrough
Defensive Context Only. This section is for understanding attack patterns to improve detection and prevention.
Ethics caveat: Attempting to exploit this vulnerability on systems you do not own or have explicit permission to test is illegal and unethical.
- Reconnaissance: The attacker identifies target systems running Windows 10 version 1903/1909 or Windows Server 1903/1909 with SMBv3.1.1 enabled.
- Initial Access: The attacker sends a specially crafted SMBv3.1.1 request to a vulnerable server. Alternatively, the attacker hosts a malicious SMB server and tricks a victim client into connecting.
- Buffer Overflow: The vulnerable SMBv3.1.1 implementation copies payload data without proper bounds checking, causing a buffer overflow.
- Code Execution: By controlling the overflowed buffer content, the attacker may achieve arbitrary code execution in the context of the SMB service.
Affected and Patched Versions
-
Affected:
- Windows 10 version 1903 (x86, x64, ARM64)
- Windows 10 version 1909 (x86, x64, ARM64)
- Windows Server version 1903 (x64)
- Windows Server version 1909 (x64)
-
Patched Versions: Specific patch information (KB numbers) is not available in the source data. Administrators should consult the Microsoft Security Response Center advisory and apply all available security updates for the affected versions.
Remediation
- Apply Updates: Install the latest security updates from Microsoft for affected Windows 10 and Windows Server versions.
- Block SMB at Network Perimeter: Block TCP port 445 at the enterprise perimeter firewall to prevent external exploitation. Note: internal lateral movement may still be possible.
- Network Segmentation: Segment networks to limit SMB exposure to only necessary systems.
- Refer to Microsoft Advisory: Consult the Microsoft Security Response Center advisory for any additional workaround instructions specific to your environment.
Detection
- Monitor for anomalous SMB traffic, especially unexpected or malformed requests.
- Look for unexpected SMB connections to or from external sources.
- Monitor endpoint behavior for signs of post-exploitation activity.
- Use network intrusion detection systems (IDS) to identify potential exploitation attempts.
Assessment
- EPSS: 0.9981 (99.81% probability of exploitation in the wild) — This indicates an extremely high likelihood of active exploitation.
- KEV: Listed in CISA's Known Exploited Vulnerabilities Catalog since 2022-02-10. Also confirmed as exploited in the EU since 2022-02-10.
- Lessons: New network protocol features must undergo rigorous security testing, including fuzz testing and bounds checking, especially when operating in privileged contexts. The high EPSS score and KEV status confirm that this vulnerability is a critical priority for patching.
References
Frequently asked questions
- What is CVE-2020-0796?
- A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
- How severe is CVE-2020-0796?
- CVE-2020-0796 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2020-0796 being actively exploited?
- Yes. CVE-2020-0796 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-02-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2020-0796?
- CVE-2020-0796 primarily affects Microsoft Windows 10 1903. In total, 8 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-0796?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2020-0796 have an EU (EUVD) identifier?
- Yes. CVE-2020-0796 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-2283. It is also flagged as exploited in the EUVD (since 2022-02-10).
- When was CVE-2020-0796 published?
- CVE-2020-0796 was published on 2020-03-12 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/156731/CoronaBlue-SMBGhost-Microsoft-Windows-10-SMB-3.1.1-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/156732/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/156980/Microsoft-Windows-10-SMB-3.1.1-Local-Privilege-Escalation.html
- http://packetstormsecurity.com/files/157110/SMBv3-Compression-Buffer-Overflow.html
- http://packetstormsecurity.com/files/157901/Microsoft-Windows-SMBGhost-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158054/SMBleed-SMBGhost-Pre-Authentication-Remote-Code-Execution-Proof-Of-Concept.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0796
Affected products (8)
- cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:arm64:*
- cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:arm64:*
- cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_server_1903:-:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_1909:-:*:*:*:*:*:x64:*
More vulnerabilities in Microsoft Windows 10 1903
- CVE-2020-1020 — High (CVSS 8.8): A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library…
- CVE-2019-0903 — High (CVSS 8.8): A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles…
- CVE-2020-0601 — High (CVSS 8.1): A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC)…
- CVE-2020-17087 — High (CVSS 7.8): Windows Kernel Local Elevation of Privilege Vulnerability
- CVE-2020-1464 — High (CVSS 7.8): A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully…
- CVE-2020-0986 — High (CVSS 7.8): An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka…
All CVEs affecting Microsoft Windows 10 1903 →
Other CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) vulnerabilities
- CVE-2026-2778 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability was fixed in…
- CVE-2026-2776 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability…
- CVE-2025-1866 — Critical (CVSS 10.0): Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in warmcat libwebsockets allows…
- CVE-2022-27625 — Critical (CVSS 10.0): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the…
- CVE-2022-27624 — Critical (CVSS 10.0): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the…
- CVE-2020-11896 — Critical (CVSS 10.0): The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.
Threat intelligence
Threat-intel indicators referencing this CVE:
- 64.89.161.8 (ipv4-addr)
- 103.190.133.68 (ipv4-addr)
- 92.118.39.120 (ipv4-addr)
- 91.92.240.219 (ipv4-addr)
- 80.94.92.102 (ipv4-addr)
- 213.177.179.12 (ipv4-addr)
- 172.94.9.136 (ipv4-addr)
- 92.118.39.145 (ipv4-addr)