CVE-2025-29956 · Windows SMB Information Disclosure Vulnerability

Buffer over-read in Windows Kernel allows an authorized attacker to disclose information over a network.

According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? The attack requires to trick a user to open an SMB share folder that is hosted on the attacker-controlled system. Windows Explorer has to automatically register for directory change notification after opening the share folder.

Buffer over-read in Windows SMB allows an authorized attacker to disclose information over a network.

What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.

How could an attacker exploit the vulnerability? To successfully exploit the vulnerability, an attacker would need to direct a user to connect to the malicious SMB server to retrieve some data as part of an OS API call.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? For this vulnerability, it is out of attacker's control to trigger the OOB read buffer to be sent back to the attacker-controlled system.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), no loss of integrity (I:N), and some loss of availability (A:L). What does that mean for this vulnerability? There is a high likelihood that the Out-Of-Bounds (OOB) read data results in a crash in Windows Explorer. Every time the SMB client sends the OOB read data to the remote SMB server and a crash does not occur, it would contain several bytes of random user mode heap memory.