CVE-2006-2374

MEDIUM

Microsoft Windows 2000 SP4, XP SP1-SP2, Server 2003 SP1 and earlier - Denial of Service via SMB Invalid Handle

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-2374. PoCs published by Ruben Santamarta.


Description

The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) by calling the MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED
by Ruben Santamarta · c · local · windows
https://www.exploit-db.com/exploits/1911

This exploit targets a vulnerability in Mrxsmb.sys on Windows XP SP2 and Windows 2000 SP4, allowing local privilege escalation to ring0 by overwriting a driver call via a privileged IOCTL. It allocates executable memory, manipulates the driver's call instruction, and executes arbitrary ring0 shellcode.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP2, Windows 2000 SP4 (mrxsmb.sys)
No auth needed
Prerequisites: Disable ReadOnly Memory protection via registry key · Access to the 'shadow' device
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Ruben Santamarta · c · dos · windows
https://www.exploit-db.com/exploits/28001

This exploit demonstrates a local denial-of-service vulnerability in the Microsoft SMB driver (MRXSMB.SYS) by creating a thread that cannot be terminated due to a deadlock in NtClose. It leverages a specific IOCTL to trigger the condition.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows SMB driver (MRXSMB.SYS)
Auth required
Prerequisites: Local access to the target system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 16, 2026

References (14)

Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016288
Broken Link, Third Party Advisory vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1827
Broken Link, Third Party Advisory vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1841
Broken Link, Third Party Advisory vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2030
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/26830
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2327
Broken Link, Third Party Advisory vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1979
Not Applicable third-party-advisory x_refsource_idefense
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=409
Broken Link, Third Party Advisory vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1850
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-030
Broken Link, Third Party Advisory vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2060
Broken Link, Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20635
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/26439
Broken Link, Exploit, Patch, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/18357

Scores

CVSS v3 5.5
EPSS 0.0175
EPSS Percentile 74.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-667
Status published
Products (3)
microsoft/windows_2000
microsoft/windows_2003_server (5 CPE variants)
microsoft/windows_xp (3 CPE variants)
Published Jun 13, 2006
Tracked Since Feb 18, 2026