Smb

CVE-2026-46185 is an out-of-bounds read vulnerability in the SMB client component within the symlink_data() function, potentially leading to information disclosure or denial of service.

CVE-2026-46155 describes an out-of-bounds read vulnerability within the smb2_compound_op() function of the SMB client, requiring a security update from Microsoft to address the issue.

CVE-2026-1933 describes a vulnerability in Samba's handling of NTFS-style reparse points on read-only shares, allowing authenticated users with filesystem write permissions to modify reparse point metadata and potentially alter SMB-visible file behavior.

The WantToCry ransomware exploits exposed SMB services via brute-force for initial access, then exfiltrates files for remote encryption, rewriting the encrypted files to the original locations, demanding ransom payments from $400 to $1,800.

Microsoft published information about CVE-2026-5773, a vulnerability related to the incorrect reuse of SMB connections.

CVE-2026-40410 is a use-after-free vulnerability in the Windows SMB Client that allows an authorized attacker to elevate privileges locally.

The rule identifies the creation of files resembling ransomware notes via SMB, potentially indicating a remote ransomware attack on Windows systems.

Detection of a suspicious file rename operation following an incoming SMB connection, potentially indicating a remote ransomware attack via the SMB protocol, targeting Windows hosts.

CVE-2025-37750 is a use-after-free vulnerability in the SMB client related to decryption with multichannel that could lead to code execution.

CVE-2026-31712 is a security vulnerability in ksmbd requiring a minimum ACE size check in smb_check_perm_dacl(), potentially leading to unauthorized access or privilege escalation.

CVE-2026-31718 is a use-after-free vulnerability in the ksmbd kernel module, specifically in the __ksmbd_close_fd() function, which can be triggered via the durable scavenger mechanism, potentially leading to arbitrary code execution.

CVE-2026-31478 is a vulnerability in Microsoft's ksmbd implementation related to incorrect calculation of maximum output buffer length, potentially leading to a denial-of-service or remote code execution.

This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.

CVE-2026-31611 is a vulnerability in ksmbd, requiring at least three sub-authorities before reading sub_auth[2], potentially leading to unauthorized access or code execution.

CVE-2026-31609 is a critical double-free vulnerability in the SMB client, specifically within the smbd_free_send_io() function after smbd_send_batch_flush(), potentially leading to arbitrary code execution.

CVE-2026-31432 is a critical out-of-bounds write vulnerability in ksmbd, specifically within the QUERY_INFO functionality when handling compound requests, potentially leading to code execution or denial of service.

CVE-2026-31613 is an out-of-bounds read vulnerability in the SMB client when parsing symlink error responses, requiring patching to prevent potential information disclosure or denial-of-service.

This rule identifies potentially suspicious processes, excluding those signed by Microsoft, making Server Message Block (SMB) network connections over port 445, which could indicate lateral movement attempts.

The rule identifies the creation or change of a Windows executable file over network shares, indicating potential lateral tool transfer via SMB, which adversaries may use to move tools between systems in a compromised environment.

This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.