Cyber Resilience

CVE-2022-32230

Severity: High · Public PoC

Published: 14 June 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.3116 (96.9th percentile)
Risk Priority: 34 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-32230 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Microsoft Windows 10. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Microsoft Windows SMBv3 contains a null pointer dereference vulnerability (CWE-476) in versions prior to the April 2022 security updates. The flaw is triggered when a malformed FileNormalizedNameInformation request is sent over a named pipe, resulting in a kernel-level Blue Screen of Death (BSOD) that forces a reboot of the affected system.

For most Windows installations the attack requires an authenticated SMB session, but Windows Domain Controllers allow unauthenticated named-pipe access once an SMB session is established. An attacker who can reach the target over the network can therefore cause repeated denial-of-service crashes without needing valid credentials on domain controllers.

Microsoft addressed the issue in the May 2022 cumulative updates (KB5013942 and related builds) and in the April 2022 patch set; administrators are advised to apply these updates to eliminate the null-dereference condition. Public exploit code, including a Metasploit auxiliary module, has been published, and the vulnerability carries a CVSS 7.5 score reflecting high availability impact over the network.

The EPSS score reached a peak of 0.3342 with a current value of 0.3116, indicating sustained but not explosive post-disclosure interest.

Vulnerability details

Microsoft Windows SMBv3 suffers from a null pointer dereference in versions of Windows prior to the April 2022 patch set. By sending a malformed FileNormalizedNameInformation SMBv3 request over a named pipe, an attacker can cause a Blue Screen of Death (BSOD) crash of the Windows kernel. For most systems, this attack requires authentication, except in the special case of Windows Domain Controllers, where unauthenticated users can always open named pipes as long as they can establish an SMB session. Typically, after the BSOD, the victim SMBv3 server will reboot.

CWE(s)

CWE-476: NULL Pointer Dereference

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows 10: 1809, 20H2, 21H1, 21H2
Microsoft Windows 11: all versions
Microsoft Windows Server 2019: all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.