CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 10 min read

CVE-2020-0796 Explained: SMBGhost, the Wormable Windows 10 Kernel Vulnerability

A CVSS 10.0 pre-authentication remote code execution flaw in the SMBv3 compression handler affecting Windows 10 1903 and 1909. No credentials. No user interaction. Kernel-level execution.

10.0
CVSS Score
None
Auth Required
Kernel
Execution Level
Wormable
Spread Capability

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2020-0796, widely known as SMBGhost (also CoronaBlue), is a critical pre-authentication remote code execution vulnerability in Windows Server Message Block version 3.1.1 (SMBv3). Disclosed in March 2020, it scores 10.0 on the CVSS v3 scale and affects Windows 10 versions 1903 and 1909 along with their server equivalents.

SMBGhost is classified as wormable. A successful exploit requires no credentials and no user interaction, and can propagate automatically across networks via port 445, the same characteristic that made EternalBlue so destructive in 2017. The vulnerability exists in the SMBv3 compression decompression routine, and exploitation achieves code execution in the Windows kernel.

The Integer Overflow: How CVE-2020-0796 Works

SMBv3.1.1 introduced support for data compression to reduce bandwidth on SMB traffic. The vulnerability in CVE-2020-0796 resides in how the Windows kernel processes the OriginalCompressedSegmentSize field in SMB2_COMPRESSION_TRANSFORM_HEADER packets.

When decompressing incoming data, the affected code performs an integer addition of the OriginalCompressedSegmentSize value and an Offset value to calculate the size of a memory buffer to allocate. If both fields are attacker-controlled and sufficiently large, the addition overflows a 32-bit integer, producing a small result. The allocated buffer is far too small for the actual decompressed data.

When the decompression routine writes the full payload into the undersized buffer, the overflow corrupts adjacent kernel pool memory. By controlling pool layout and decompressed data, an attacker can overwrite kernel structures and achieve arbitrary code execution at SYSTEM privilege.

Affected versions: Windows 10 1903 (32-bit and 64-bit), Windows 10 1909, Windows Server 1903 (Server Core), Windows Server 1909 (Server Core). Windows 7, 8.1, and earlier versions do not implement SMBv3.1.1 compression and are not affected.

1

Identify target

Scan for systems with TCP port 445 accessible. SMBv3.1.1 compression support is confirmed by analyzing the SMB NEGOTIATE response, which advertises supported compression algorithms.

2

Craft malicious packet

Construct an SMB2_COMPRESSION_TRANSFORM_HEADER with crafted OriginalCompressedSegmentSize and Offset values designed to overflow a 32-bit integer when summed.

3

Send pre-auth

Transmit the packet to port 445. No SMB session establishment or authentication exchange is required, the vulnerability fires during the decompression of the initial incoming packet.

4

Corrupt kernel pool

The undersized buffer receives the full decompressed payload, overwriting adjacent kernel pool allocations and corrupting data structures used by the Windows kernel.

5

Execute kernel shellcode

With controlled pool state, execute arbitrary code in kernel context, achieving SYSTEM-level access and full control over the operating system including process injection, credential dumping, and driver loading.

SMBGhost vs. EternalBlue: Two Generations of Wormable SMB Risk

SMBGhost drew immediate comparisons to EternalBlue (CVE-2017-0144) because both are wormable, pre-authentication kernel RCEs in the SMB protocol. The comparison is apt but the risk profiles differ in important ways.

EternalBlue targeted SMBv1, a protocol so old it predates Windows XP. SMBGhost targets SMBv3.1.1, a modern protocol introduced in Windows 10 and Server 2016. The vulnerable population for SMBGhost is current: organizations running modern Windows 10 endpoints, not neglected legacy systems.

However, SMBGhost's reach is narrowed by its version specificity, only 1903 and 1909 builds are vulnerable. Systems on 1809, 2004, or later are unaffected. This version range limitation prevented the mass exploitation scale seen with WannaCry and NotPetya, despite SMBGhost's equal or greater technical severity.

Public exploit code appeared within weeks of disclosure and was incorporated into commodity attack frameworks. SMBGhost has been observed in ransomware pre-positioning campaigns and post-compromise lateral movement toolkits. The wormable classification makes it permanently relevant in environments running unpatched Windows 10 1903/1909.

CVE-2020-0796 is a critical vulnerability that could allow attackers to execute arbitrary code on vulnerable systems without any user interaction, and spread automatically from system to system.

Cisco Talos Security Intelligence Blog
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Mitigating CVE-2020-0796

Microsoft released KB4551762 on March 12, 2020 to patch CVE-2020-0796. All affected systems should be updated immediately. Two workarounds are available for environments where patching is temporarily constrained.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

SMBGhost is a textbook wormable kernel vulnerability: unauthenticated, pre-interaction, kernel-level, and automatable. A single unpatched Windows 10 1903/1909 system reachable on port 445 represents a potential full-network compromise vector.

The vulnerability was never exploited at WannaCry scale, partly because the affected build range was narrower, and partly because public exploit reliability took longer to achieve than with EternalBlue. But working public exploit code exists, and SMBGhost has been observed in post-compromise lateral movement tooling.

The correct posture is patch immediately, block port 445 at the perimeter unconditionally, and segment internal SMB access to operationally necessary paths only. These three controls, applied together, eliminate the attack surface entirely.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is SMBGhost (CVE-2020-0796)?

SMBGhost is a CVSS 10.0 wormable pre-authentication RCE in Windows 10 versions 1903 and 1909. An integer overflow in the SMBv3.1.1 compression decompression code allows an unauthenticated attacker to corrupt kernel pool memory via port 445 and execute code at the SYSTEM level. No credentials or user interaction required.

Which Windows versions are affected by SMBGhost?

Windows 10 1903 (32-bit and 64-bit), Windows 10 1909, Windows Server 1903 (Server Core), and Windows Server 1909 (Server Core). Earlier Windows versions including Windows 7 and Server 2008 do not implement SMBv3.1.1 compression and are not affected.

How do I fix CVE-2020-0796?

Apply Microsoft update KB4551762 or any later cumulative update for affected Windows 10 versions. As a temporary workaround, disable SMBv3 compression: Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters DisableCompression -Type DWORD -Value 1 -Force. Also block TCP port 445 at network perimeters.

Which Windows versions are vulnerable to SMBGhost?

Only Windows 10 version 1903 (32-bit and 64-bit), Windows 10 version 1909, Windows Server 1903 (Server Core), and Windows Server 1909 (Server Core) are affected. Windows 7, Windows 8.1, Windows 10 versions before 1903, Windows 10 2004 and later, Windows Server 2016, 2019, and later are NOT affected, as they do not implement SMBv3.1.1 compression. This narrow version range is why SMBGhost did not trigger mass exploitation at WannaCry scale despite equal or greater technical severity.

How does SMBGhost compare to EternalBlue (CVE-2017-0144)?

Both SMBGhost and EternalBlue are wormable pre-authentication kernel RCEs in the SMB protocol, but they differ in important ways. EternalBlue targeted SMBv1, an ancient protocol still enabled on legacy Windows. SMBGhost targets SMBv3.1.1, a modern protocol in Windows 10 and Server 2019, so the vulnerable population is current production systems rather than legacy ones. However, SMBGhost's version specificity (only 1903 and 1909) limited its blast radius. Working public exploits took weeks to achieve reliable reliability with SMBGhost versus days for EternalBlue, further limiting mass exploitation scale.

How do I verify my Windows systems have the SMBGhost patch?

Run on each system: Get-HotFix -Id KB4551762 or check for any later cumulative update date via winver (OS build 18362.720 or later for 1903, 18363.720 or later for 1909). In PowerShell: (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').BuildLabEx. Systems on Windows 10 2004 or later are unaffected. Verify SMBv3.1.1 compression is disabled as defense-in-depth: Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -Name DisableCompression.

Sources & references

  1. NVD
  2. Microsoft MSRC
  3. Cisco Talos

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.