Cyber Resilience

CVE-2020-0796

Critical | CISA KEV | Active Exploitation | EUVD Exploited | Public PoC | Ransomware-linked

Published: 12 March 2020

Modified: 29 October 2025
KEV Added: 10 February 2022
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9981 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2020-0796 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Microsoft Windows 10 1903. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).

Deeper analysis

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. The flaw, tracked as CVE-2020-0796 and also known as the Windows SMBv3 Client/Server Remote Code Execution Vulnerability, affects the SMBv3 client and server components on Windows systems. It carries a CVSS score of 10.0 and is classified as a buffer overflow weakness (CWE-119).

Remote attackers can exploit the issue over the network without authentication or user interaction to execute arbitrary code with high impact on confidentiality, integrity, and availability, including across security boundaries. Public proof-of-concept code has been released demonstrating remote code execution and local privilege escalation against Windows 10 systems running SMB 3.1.1.

The listed references consist entirely of exploit artifacts and proof-of-concept implementations, including CoronaBlue-SMBGhost and multiple buffer-overflow variants, confirming that working attack code is publicly available. No official patch or mitigation details appear in the provided references.

EU & UK References

Vulnerability details

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

CWE(s)
KEV Date Added: 10 February 2022

Related Threats

CVEs Like This One

CVE-2021-1675 | Same product: Microsoft Windows 10 1909 | both on KEV
CVE-2021-40444 | Same product: Microsoft Windows 10 1909 | both on KEV
CVE-2026-41091 | Same vendor: Microsoft | both on KEV
CVE-2025-24985 | Same vendor: Microsoft | both on KEV
CVE-2021-34473 | Same vendor: Microsoft | both on KEV
CVE-2025-60710 | Same vendor: Microsoft | both on KEV
CVE-2022-41040 | Same vendor: Microsoft | both on KEV
CVE-2025-24989 | Same vendor: Microsoft | both on KEV
CVE-2025-62221 | Same vendor: Microsoft | both on KEV
CVE-2021-31207 | Same vendor: Microsoft | both on KEV

Affected Assets

Vendor | Product | Versions
microsoft | windows 10 1903 | all versions
microsoft | windows 10 1909 | all versions
microsoft | windows server 1903 | all versions
microsoft | windows server 1909 | all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Boundary protection devices can block unauthenticated SMBv3 traffic from external or untrusted networks, directly stopping remote exploitation of the buffer overflow before code execution occurs.

prevent

Least functionality allows disabling SMBv3 or restricting its use to only required internal interfaces, eliminating the attack surface for the unauthenticated RCE flaw.

prevent

Flaw remediation requires prompt application of vendor patches that close the SMBv3 buffer overflow, preventing successful remote code execution once the update is deployed.

References