Microsoft Windows SMB Buffer Over-Read Vulnerability Allowing Information Disclosure

A buffer over-read vulnerability has been identified in the Windows Server 2008, 2012, 2016, and 2025 versions, as well as in Windows 10 and 11. This vulnerability allows an authorized attacker to disclose information over a network by exploiting the Server Message Block (SMB) protocol. The issue arises from the SMB client sending out-of-bounds read data to a remote SMB server, which could result in a crash of Windows Explorer and the potential reading of small portions of heap memory.

Impact

Successful exploitation of this vulnerability could lead to unauthorized information disclosure, with the attacker able to read portions of heap memory from the affected system.

Reproduction

To reproduce this vulnerability, an authorized attacker must direct a user to connect to a malicious SMB server. Once the user opens the SMB share folder, Windows Explorer will automatically register for directory change notifications. This interaction is crucial, as it triggers the out-of-bounds read buffer to be sent back to the attacker-controlled system. If the exploitation is successful, the user may experience a crash in Windows Explorer, while the attacker could access random bytes of user-mode heap memory from the affected machine.

Remediation

Users can apply the security updates provided by Microsoft to address this vulnerability. These security updates are available through the Microsoft Update Catalog and can be downloaded and installed manually. For automated update management, users can configure Windows Update to apply these security patches during the regular update cycle.