CVE-2020-0796 Overview
CVE-2020-0796, widely known as SMBGhost or CoronaBlue, is a remote code execution vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol. The flaw resides in how SMBv3 handles compressed message packets, allowing unauthenticated attackers to send malformed requests to a target SMB server or trigger exploitation on an SMB client connecting to a malicious server. Successful exploitation grants attackers the ability to execute arbitrary code with kernel-level privileges. Microsoft published the advisory on March 12, 2020, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog. The vulnerability affects Windows 10 versions 1903 and 1909, as well as Windows Server versions 1903 and 1909.
Critical Impact
Unauthenticated, network-adjacent attackers can achieve wormable remote code execution at SYSTEM-level privileges, enabling rapid lateral movement comparable to EternalBlue and WannaCry.
Affected Products
- Microsoft Windows 10 Version 1903 (x86, x64, ARM64)
- Microsoft Windows 10 Version 1909 (x86, x64, ARM64)
- Microsoft Windows Server Version 1903 and Version 1909 (x64)
Discovery Timeline
- 2020-03-12 - CVE-2020-0796 published to NVD and Microsoft advisory released
- 2025-10-29 - Last updated in NVD database
Technical Details for CVE-2020-0796
Vulnerability Analysis
The vulnerability resides in the srv2.sys kernel driver, which implements SMBv3 server-side processing on affected Windows builds. SMBv3.1.1 introduced a compression feature negotiated during the initial protocol handshake. The decompression routine fails to validate the OriginalCompressedSegmentSize field within the SMB2 COMPRESSION_TRANSFORM_HEADER structure before allocating a destination buffer. An attacker supplies a crafted size value that triggers an integer overflow during buffer allocation. The driver then writes attacker-controlled data past the bounds of the undersized buffer, corrupting non-paged kernel pool memory. This memory corruption flaw is classified as [CWE-119], improper restriction of operations within the bounds of a memory buffer.
Root Cause
The integer overflow occurs in the Srv2DecompressData function inside srv2.sys. The function performs arithmetic on attacker-controlled 32-bit length fields without sufficient bounds checking. When the computed allocation size wraps around, the kernel allocates a smaller-than-expected buffer while subsequent copy operations use the original, large length value. The result is a controllable heap-based buffer overflow in the kernel non-paged pool.
Attack Vector
Exploitation is network-based and requires no authentication or user interaction. An attacker sends a single specially crafted SMB2 compressed packet to TCP port 445 on a vulnerable server. The same primitive can be triggered against SMB clients by inducing them to connect to a malicious server. Public proof-of-concept code, including SMBGhost and the related SMBleed information disclosure (CVE-2020-1206), demonstrates pre-authentication remote code execution and local privilege escalation chains. The wormable nature of the bug makes it suitable for self-propagating malware. EPSS data places exploitation probability at 94.408% (99.978 percentile), reflecting widespread exploit availability.
No verified code examples are published in this article.
Refer to the Microsoft Security Response Center advisory and
the public Packet Storm proof-of-concept references for technical detail.
Detection Methods for CVE-2020-0796
Indicators of Compromise
- Inbound or outbound SMB2 traffic on TCP/445 containing the \\xfcSMB compression transform header magic with anomalously large OriginalCompressedSegmentSize values.
- Unexpected srv2.sys driver crashes, kernel pool corruption bug checks (BAD_POOL_HEADER, KERNEL_SECURITY_CHECK_FAILURE), or unexplained reboots on Windows 10/Server 1903 and 1909 hosts.
- New SYSTEM-level processes spawned shortly after inbound SMB connections from untrusted sources.
- Lateral SMB scanning activity originating from internal hosts that do not normally initiate SMB sessions.
Detection Strategies
- Deploy network intrusion detection signatures for SMB2 compression transform headers with malformed length fields, such as the Suricata and Snort rules published shortly after disclosure.
- Hunt endpoint telemetry for System process anomalies and unusual child processes spawned from kernel context immediately following SMB activity.
- Correlate authentication logs with SMB session events to flag pre-authentication exploitation attempts that do not produce a corresponding logon event.
Monitoring Recommendations
- Monitor TCP/445 traffic at network boundaries and between VLANs, blocking SMB at the perimeter where business need does not require it.
- Track patch status of Windows 10 1903/1909 and Windows Server 1903/1909 endpoints and alert on hosts missing the March 2020 cumulative update KB4551762.
- Alert on unexpected enabling of SMBv3 compression via the DisableCompression registry value.
How to Mitigate CVE-2020-0796
Immediate Actions Required
- Apply the Microsoft March 2020 security update (KB4551762) to all affected Windows 10 and Windows Server 1903/1909 systems.
- Block inbound TCP port 445 at the network perimeter and segment internal SMB traffic to limit blast radius.
- Audit and decommission unsupported Windows builds that cannot receive the patch.
- Prioritize patching for internet-exposed hosts and domain controllers, as the bug is listed in the CISA Known Exploited Vulnerabilities catalog.
Patch Information
Microsoft released a fix in cumulative update KB4551762 on March 12, 2020. The patch corrects the integer overflow in the Srv2DecompressData routine within srv2.sys. See the Microsoft Advisory for CVE-2020-0796 and the CISA Known Exploited Vulnerabilities entry for authoritative guidance.
Workarounds
- Disable SMBv3 compression on servers by setting the registry value HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression to 1, then restarting the Server service. This mitigation does not protect SMB clients.
- Block TCP/445 at host firewalls on workstations and servers that do not need to accept SMB connections.
- Restrict outbound SMB connections from end-user workstations to prevent client-side exploitation against malicious servers.
# Disable SMBv3 compression (server-side mitigation)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
-Name "DisableCompression" -Type DWORD -Value 1 -Force
# Block inbound SMB at the host firewall
New-NetFirewallRule -DisplayName "Block SMB Inbound 445" `
-Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
