CVE-2006-2373

Microsoft Windows SMB Driver Ioctl Local Privilege Escalation


Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-2373. PoCs published by Ruben Santamarta.

AI-analyzed exploit summary: This exploit demonstrates a deadlock vulnerability in MRXSMB.SYS via the NtClose function by creating a thread and manipulating a device handle through a specific IOCTL (0x141047). The exploit causes a denial-of-service condition by triggering a deadlock in the kernel driver.

Description

The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."

Exploits (2)

Source: exploit-db (working PoC, verified)
Author: Ruben Santamarta · Platform: local/windows
URL: https://www.exploit-db.com/exploits/1910


Classification: Working PoC (95%)
Attack type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (MRXSMB.SYS driver)
Authentication: none needed
Prerequisites: Access to a vulnerable Windows system with the MRXSMB.SYS driver loaded
Analysis: devstral-2, analyzed Feb 18, 2026
Source: exploit-db (working PoC)
Platform: local/windows
URL: https://www.exploit-db.com/exploits/1911

This exploit targets a vulnerability in Mrxsmb.sys on Windows XP SP2 and Windows 2000 SP4, allowing local privilege escalation to ring 0 by overwriting a driver call. It uses a privileged IOCTL to manipulate kernel memory and execute arbitrary ring 0 shellcode.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP2, Windows 2000 SP4 (mrxsmb.sys)
Authentication: none needed
Prerequisites: Disable ReadOnly Memory protection via registry key; access to the shadow device
Analysis: devstral-2, analyzed Feb 19, 2026

References (14)

http://securitytracker.com/id?1016288 (Third Party Advisory, VDB Entry; sectrack)
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=408 (Third Party Advisory; idefense)
http://www.vupen.com/english/advisories/2006/2327 (Vendor Advisory, VDB Entry; vupen)
http://www.osvdb.org/26440 (Broken Link, VDB Entry; osvdb)
http://www.securityfocus.com/bid/18356 (Patch, Third Party Advisory, VDB Entry; bid)
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-030 (Patch, Vendor Advisory; Microsoft MS06-030)
http://secunia.com/advisories/20635 (Third Party Advisory; secunia)
https://exchange.xforce.ibmcloud.com/vulnerabilities/26828 (Third Party Advisory, VDB Entry; X-Force)

Scores

EPSS score: 0.2180
EPSS percentile: 95.9%

Details

CWE: CWE-264 (Permissions, Privileges, and Access Controls)
Status: published
Products (3):
- microsoft/windows_2000
- microsoft/windows_server_2003 (3 CPE variants)
- microsoft/windows_xp (3 CPE variants)
Published: Jun 13, 2006
Tracked since: Feb 18, 2026