Smb

CVE-2026-31478 is a vulnerability in Microsoft's ksmbd implementation related to incorrect calculation of maximum output buffer length, potentially leading to a denial-of-service or remote code execution.

This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.

CVE-2026-31611 is a vulnerability in ksmbd, requiring at least three sub-authorities before reading sub_auth[2], potentially leading to unauthorized access or code execution.

CVE-2026-31609 is a critical double-free vulnerability in the SMB client, specifically within the smbd_free_send_io() function after smbd_send_batch_flush(), potentially leading to arbitrary code execution.

CVE-2026-31432 is a critical out-of-bounds write vulnerability in ksmbd, specifically within the QUERY_INFO functionality when handling compound requests, potentially leading to code execution or denial of service.

CVE-2026-31613 is an out-of-bounds read vulnerability in the SMB client when parsing symlink error responses, requiring patching to prevent potential information disclosure or denial-of-service.

This rule identifies potentially suspicious processes, excluding those signed by Microsoft, making Server Message Block (SMB) network connections over port 445, which could indicate lateral movement attempts.

The rule identifies the creation or change of a Windows executable file over network shares, indicating potential lateral tool transfer via SMB, which adversaries may use to move tools between systems in a compromised environment.

This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.