External risk intelligence

Windows SMB Server Use After Free Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-57089

This vulnerability affects the SMB protocol within Windows. While SMB is network-reachable, it is designed for internal file and printer sharing. Secure deployment practices strongly discourage exposing SMB directly to the public internet, meaning that while reachability exists in some environments, true public internet exposure is uncommon and generally considered a misconfiguration.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Windows SMB Server Network Transport Driver, allowing unauthorized network access for code execution. This issue affects various Windows operating systems and server versions. The primary concern is confirming its relevance and exposure within our environment.

  • Allows network attackers to run their code.
  • Critical flaw in Windows network communication.
  • Confirm relevance and exposure to our systems.

Attack Path

How an attacker could exploit the issue

An attacker can exploit a use-after-free vulnerability in the Windows SMB Server Network Transport Driver to execute code remotely over a network. This occurs when the driver incorrectly references memory that has already been freed, allowing an attacker to inject malicious code. The SMB protocol is network-accessible, meaning an attacker does not need prior access to the system or any credentials to trigger this vulnerability.

  • No authentication required.
  • Triggered by network packets.
  • Remote code execution risk.

Live Threat

Current exploitation, exposure, and threat context

A use-after-free vulnerability in the Windows SMB Server Network Transport Driver could allow an unauthorized attacker to execute code over a network. This could affect system integrity and allow for unauthorized code execution when the SMB service is accessible over the network and the vulnerability is triggered.

  • System integrity and code execution.
  • Via network access to SMB service.
  • Potential for unauthorized code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Windows SMB Server Network Transport Driver requires immediate attention from infrastructure and security teams. The first actionable step is to inventory all Windows servers and endpoints, determine their network exposure and business criticality, and identify the accountable system owner before planning remediation.

  • Infrastructure and security teams own remediation.
  • Verify SMB server network exposure and criticality.
  • Plan risk-based patching or mitigation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Windows SMB Server Network Transport Driver?

This component, known as srvnet.sys, is a core part of the Windows operating system that handles the Server Message Block (SMB) protocol. It enables essential network communication services, specifically allowing computers to share files, printers, and other resources across a network. It is present in a wide range of Windows 10, 11, and Server editions, serving as a fundamental mechanism for how Windows systems interact with each other in networked environments.

What does the use-after-free weakness in CVE-2026-57089 mean?

This vulnerability, classified as CWE-416, occurs when the SMB driver continues to use a pointer to a memory location after that memory has been freed. If the system incorrectly references this recycled memory space, an attacker can manipulate it to inject and execute their own code. Because this happens within the driver's handling process, it effectively breaks the system's security boundary and allows unauthorized commands to run.

How does an attacker trigger this SMB vulnerability?

An attacker triggers this flaw by sending specifically crafted network packets to the targeted Windows system. Because the vulnerability exists within the SMB protocol handling, the attacker does not need any valid user credentials or prior access to the system to initiate the attack. It is important to note that the vulnerability is triggered by the processing of these network requests, not by user-driven actions like opening a file or clicking a link.

Is my system at risk if it is not internet-facing?

According to Halo Surface Signal, this vulnerability is considered unlikely to be exposed to the public internet because SMB is primarily designed for internal file and printer sharing. While the flaw is theoretically reachable over a network, secure practice dictates that SMB should not be exposed to the public internet. If you have followed best practices by restricting SMB traffic to your internal network, the risk of external exploitation is significantly reduced.

What should I do to address CVE-2026-57089?

Your first step is to perform an inventory of your Windows servers and endpoints to identify which systems are running the affected versions. Evaluate these systems based on their network exposure and business importance to prioritize your efforts. Work with your system owners to plan for the necessary updates provided by the vendor, ensuring that your most critical assets are secured as quickly as possible.

References