CVE-2020-0796 Explained: SMBGhost, the Wormable Windows 10 Kernel Vulnerability
A CVSS 10.0 pre-authentication remote code execution flaw in the SMBv3 compression handler affecting Windows 10 1903 and 1909. No credentials. No user interaction. Kernel-level execution.
Founder & Cybersecurity Evangelist
CVE-2020-0796, widely known as SMBGhost (also CoronaBlue), is a critical pre-authentication remote code execution vulnerability in Windows Server Message Block version 3.1.1 (SMBv3). Disclosed in March 2020, it scores 10.0 on the CVSS v3 scale and affects Windows 10 versions 1903 and 1909 along with their server equivalents.
SMBGhost is classified as wormable. A successful exploit requires no credentials and no user interaction, and can propagate automatically across networks via port 445 — the same characteristic that made EternalBlue so destructive in 2017. The vulnerability exists in the SMBv3 compression decompression routine, and exploitation achieves code execution in the Windows kernel.
The Integer Overflow: How CVE-2020-0796 Works
SMBv3.1.1 introduced support for data compression to reduce bandwidth on SMB traffic. The vulnerability in CVE-2020-0796 resides in how the Windows kernel processes the OriginalCompressedSegmentSize field in SMB2_COMPRESSION_TRANSFORM_HEADER packets.
When decompressing incoming data, the affected code performs an integer addition of the OriginalCompressedSegmentSize value and an Offset value to calculate the size of a memory buffer to allocate. If both fields are attacker-controlled and sufficiently large, the addition overflows a 32-bit integer, producing a small result. The allocated buffer is far too small for the actual decompressed data.
When the decompression routine writes the full payload into the undersized buffer, the overflow corrupts adjacent kernel pool memory. By controlling pool layout and decompressed data, an attacker can overwrite kernel structures and achieve arbitrary code execution at SYSTEM privilege.
Affected versions: Windows 10 1903 (32-bit and 64-bit), Windows 10 1909, Windows Server 1903 (Server Core), Windows Server 1909 (Server Core). Windows 7, 8.1, and earlier versions do not implement SMBv3.1.1 compression and are not affected.
Identify target
Scan for systems with TCP port 445 accessible. SMBv3.1.1 compression support is confirmed by analyzing the SMB NEGOTIATE response, which advertises supported compression algorithms.
Craft malicious packet
Construct an SMB2_COMPRESSION_TRANSFORM_HEADER with crafted OriginalCompressedSegmentSize and Offset values designed to overflow a 32-bit integer when summed.
Send pre-auth
Transmit the packet to port 445. No SMB session establishment or authentication exchange is required — the vulnerability fires during the decompression of the initial incoming packet.
Corrupt kernel pool
The undersized buffer receives the full decompressed payload, overwriting adjacent kernel pool allocations and corrupting data structures used by the Windows kernel.
Execute kernel shellcode
With controlled pool state, execute arbitrary code in kernel context — achieving SYSTEM-level access and full control over the operating system including process injection, credential dumping, and driver loading.
SMBGhost vs. EternalBlue: Two Generations of Wormable SMB Risk
SMBGhost drew immediate comparisons to EternalBlue (CVE-2017-0144) because both are wormable, pre-authentication kernel RCEs in the SMB protocol. The comparison is apt but the risk profiles differ in important ways.
EternalBlue targeted SMBv1 — a protocol so old it predates Windows XP. SMBGhost targets SMBv3.1.1, a modern protocol introduced in Windows 10 and Server 2016. The vulnerable population for SMBGhost is current: organizations running modern Windows 10 endpoints, not neglected legacy systems.
However, SMBGhost's reach is narrowed by its version specificity — only 1903 and 1909 builds are vulnerable. Systems on 1809, 2004, or later are unaffected. This version range limitation prevented the mass exploitation scale seen with WannaCry and NotPetya, despite SMBGhost's equal or greater technical severity.
Public exploit code appeared within weeks of disclosure and was incorporated into commodity attack frameworks. SMBGhost has been observed in ransomware pre-positioning campaigns and post-compromise lateral movement toolkits. The wormable classification makes it permanently relevant in environments running unpatched Windows 10 1903/1909.
“CVE-2020-0796 is a critical vulnerability that could allow attackers to execute arbitrary code on vulnerable systems without any user interaction — and spread automatically from system to system.”
— Cisco Talos Security Intelligence Blog
Patching and Mitigating CVE-2020-0796
Microsoft released KB4551762 on March 12, 2020 to patch CVE-2020-0796. All affected systems should be updated immediately. Two workarounds are available for environments where patching is temporarily constrained.
Apply KB4551762 or later cumulative update
Install the March 12, 2020 cumulative update for Windows 10 1903 and 1909. Any subsequent cumulative update for these versions includes the fix. This is the only complete remediation.
Disable SMBv3 compression as a temporary workaround
Run in PowerShell as administrator: Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters DisableCompression -Type DWORD -Value 1 -Force. This blocks the server-side attack vector but does not protect SMB clients from a malicious server.
Block TCP port 445 at all network perimeters
SMB should never be reachable from untrusted networks. Firewall rules blocking inbound port 445 from external sources eliminate remote exploitation. This is baseline hygiene that should already be in place.
Segment internal SMB access
Wormable vulnerabilities spread laterally via SMB. Internal firewall rules, VLANs, and Windows Defender Firewall host policies should restrict which systems can reach port 445 on other internal systems to only those with a documented operational need.
Upgrade end-of-service Windows 10 builds
Windows 10 1903 and 1909 have reached end of service. While the SMBGhost patch is available, these builds receive no further security updates — representing a broader ongoing risk profile that requires full OS upgrade.
The bottom line
SMBGhost is a textbook wormable kernel vulnerability: unauthenticated, pre-interaction, kernel-level, and automatable. A single unpatched Windows 10 1903/1909 system reachable on port 445 represents a potential full-network compromise vector.
The vulnerability was never exploited at WannaCry scale, partly because the affected build range was narrower, and partly because public exploit reliability took longer to achieve than with EternalBlue. But working public exploit code exists, and SMBGhost has been observed in post-compromise lateral movement tooling.
The correct posture is patch immediately, block port 445 at the perimeter unconditionally, and segment internal SMB access to operationally necessary paths only. These three controls — applied together — eliminate the attack surface entirely.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, weekly, no spam.
Unsubscribe anytime. We never sell your data.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.