SMB vulnerabilities

Showing 1 - 50 of 128 CVEs

  1. CVE-2026-31608 Published Apr 24, 2026

    In the Linux kernel, the following vulnerability has been resolved: smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list() smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so we should not call it again after post_sendmsg() moved it to the batch list.

  2. CVE-2026-32202 Published Apr 14, 2026

    Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.

  3. CVE-2026-40107 Published Apr 9, 2026

    SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, <img> tags with src attributes survive Mermaid's internal DOMPurify and land in SVG <foreignObject> blocks. The SVG is injected via innerHTML with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL. On Windows, a protocol-relative URL (//attacker.com/image.png) resolves as a UNC path (\\attacker.com\image.png). Windows attempts SMB authentication automatically, sending the victim's NTLMv2 hash to the attacker. This vulnerability is fixed in 3.6.4.

  4. CVE-2026-3644 Published Mar 16, 2026

    The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

  5. CVE-2026-26128 Published Mar 10, 2026

    Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally.

  6. CVE-2026-24294 Published Mar 10, 2026

    Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally.

  7. CVE-2026-23228 Published Feb 18, 2026

    In the Linux kernel, the following vulnerability has been resolved: smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter. Replace free_transport() with ksmbd_tcp_disconnect().

  8. CVE-2026-21510 Published Feb 10, 2026

    Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.

  9. CVE-2026-20934 Published Jan 13, 2026

    Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.

  10. CVE-2026-20926 Published Jan 13, 2026

    Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.

  11. CVE-2026-20921 Published Jan 13, 2026

    Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.

  12. CVE-2026-20919 Published Jan 13, 2026

    Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.

  13. CVE-2026-20848 Published Jan 13, 2026

    Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.

  14. CVE-2025-47967 Published Sep 16, 2025

    Insufficient ui warning of dangerous operations in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.

  15. CVE-2025-55234 Published Sep 9, 2025

    SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks. The SMB Server already supports mechanisms for hardening against relay attacks: SMB Server signing SMB Server Extended Protection for Authentication (EPA) Microsoft is releasing this CVE to provide customers with audit capabilities to help them to assess their environment and to identify any potential device or software incompatibility issues before deploying SMB Server hardening measures that protect against relay attacks. If you have not already enabled SMB Server hardening measures, we advise customers to take the following actions to be protected from these relay attacks: Assess your environment by utilizing the audit capabilities that we are exposing in the September 2025 security updates. See Support for Audit Events to deploy SMB Server Hardening—SMB Server Signing &amp; SMB Server EPA. Adopt appropriate SMB Server hardening measures.

  16. CVE-2025-32975 Published Jun 24, 2025

    Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.

  17. CVE-2025-48700 Published Jun 23, 2025

    An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.

  18. CVE-2025-33073 Published Jun 10, 2025

    Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.

  19. CVE-2025-24054 Published Mar 11, 2025

    External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

  20. CVE-2024-56627 Published Dec 27, 2024

    In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read An offset from client could be a negative value, It could lead to an out-of-bounds read from the stream_buf. Note that this issue is coming when setting 'vfs objects = streams_xattr parameter' in ksmbd.conf.

  21. CVE-2024-56626 Published Dec 27, 2024

    In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write An offset from client could be a negative value, It could allows to write data outside the bounds of the allocated buffer. Note that this issue is coming when setting 'vfs objects = streams_xattr parameter' in ksmbd.conf.

  22. CVE-2024-43642 Published Nov 12, 2024

    Windows SMB Denial of Service Vulnerability

  23. CVE-2024-43532 Published Oct 8, 2024

    Remote Registry Service Elevation of Privilege Vulnerability

  24. CVE-2024-8260 Published Aug 30, 2024

    A SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.

  25. CVE-2024-42307 Published Aug 17, 2024

    In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path Dan Carpenter reported a Smack static checker warning: fs/smb/client/cifsfs.c:1981 init_cifs() error: we previously assumed 'serverclose_wq' could be null (see line 1895) The patch which introduced the serverclose workqueue used the wrong oredering in error paths in init_cifs() for freeing it on errors.

  26. CVE-2024-39468 Published Jun 25, 2024

    In the Linux kernel, the following vulnerability has been resolved: smb: client: fix deadlock in smb2_find_smb_tcon() Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such deadlock.

  27. CVE-2024-26245 Published Apr 9, 2024

    Windows SMB Elevation of Privilege Vulnerability

  28. CVE-2024-27199 Published Mar 4, 2024

    In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible

  29. CVE-2024-21410 Published Feb 13, 2024

    Microsoft Exchange Server Elevation of Privilege Vulnerability

  30. CVE-2023-6606 Published Dec 8, 2023

    An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.

  31. CVE-2023-32254 Published Jul 10, 2023

    A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

  32. CVE-2023-23397 Published Mar 14, 2023

    Microsoft Outlook Elevation of Privilege Vulnerability

  33. CVE-2022-45141 Published Mar 6, 2023

    Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).

  34. CVE-2022-38023 Published Nov 9, 2022

    Netlogon RPC Elevation of Privilege Vulnerability

  35. CVE-2022-37967 Published Nov 9, 2022

    Windows Kerberos Elevation of Privilege Vulnerability

  36. CVE-2022-37966 Published Nov 9, 2022

    Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability

  37. CVE-2022-37958 Published Sep 13, 2022

    SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability

  38. CVE-2022-35804 Published Aug 9, 2022

    SMB Client and Server Remote Code Execution Vulnerability

  39. CVE-2022-32230 Published Jun 14, 2022

    Microsoft Windows SMBv3 suffers from a null pointer dereference in versions of Windows prior to the April, 2022 patch set. By sending a malformed FileNormalizedNameInformation SMBv3 request over a named pipe, an attacker can cause a Blue Screen of Death (BSOD) crash of the Windows kernel. For most systems, this attack requires authentication, except in the special case of Windows Domain Controllers, where unauthenticated users can always open named pipes as long as they can establish an SMB session. Typically, after the BSOD, the victim SMBv3 server will reboot.

  40. CVE-2022-26809 Published Apr 15, 2022

    Remote Procedure Call Runtime Remote Code Execution Vulnerability

  41. CVE-2022-24500 Published Apr 15, 2022

    Windows SMB Remote Code Execution Vulnerability

  42. CVE-2022-24508 Published Mar 9, 2022

    Win32 File Enumeration Remote Code Execution Vulnerability

  43. CVE-2021-44142 Published Feb 21, 2022

    The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

  44. CVE-2021-36958 Published Aug 12, 2021

    <p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>

  45. CVE-2021-36934 Published Jul 22, 2021

    <p>An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p> <p>An attacker must have the ability to execute code on a victim system to exploit this vulnerability.</p> <p>After installing this security update, you <em>must</em> manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerabilty. <strong>Simply installing this security update will not fully mitigate this vulnerability.</strong> See <a href="https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7">KB5005357- Delete Volume Shadow Copies</a>.</p>

  46. CVE-2021-34527 Published Jul 2, 2021

    <p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p> <p>UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.</p> <p>In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (<strong>Note</strong>: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):</p> <ul> <li>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint</li> <li>NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)</li> <li>UpdatePromptSettings = 0 (DWORD) or not defined (default setting)</li> </ul> <p><strong>Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.</strong></p> <p>UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also <a href="https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7">KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates</a>.</p> <p>Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.</p>

  47. CVE-2020-24587 Published May 11, 2021

    The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.

  48. CVE-2020-24586 Published May 11, 2021

    The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.

  49. CVE-2020-26147 Published May 11, 2021

    An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.

  50. CVE-2020-26146 Published May 11, 2021

    An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.