CVE-2022-26937

CRITICAL

Windows Network File System < - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2022-26937. PoCs published by omair2084, Malwareman007, corelight.

AI-analyzed exploit summary This PoC demonstrates a stack-based buffer overflow in the Windows Network File System (NFS) driver (nfssvr.sys) leading to a KERNEL_SECURITY_CHECK_FAILURE (0x139) bugcheck. The crash occurs due to a stack cookie check failure, indicating a potential for arbitrary code execution.

Description

Windows Network File System Remote Code Execution Vulnerability

Exploits (3)

nomisec WORKING POC 88 stars
by omair2084 · poc
https://github.com/omair2084/CVE-2022-26937

This PoC demonstrates a stack-based buffer overflow in the Windows Network File System (NFS) driver (nfssvr.sys) leading to a KERNEL_SECURITY_CHECK_FAILURE (0x139) bugcheck. The crash occurs due to a stack cookie check failure, indicating a potential for arbitrary code execution.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Windows NFS Server (nfssvr.sys) on Windows 8.1 and likely other versions
No auth needed
Prerequisites: Network access to a vulnerable Windows NFS server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 14 stars
by Malwareman007 · poc
https://github.com/Malwareman007/CVE-2022-26937

This PoC demonstrates a stack-based buffer overflow in the Windows Network File System (NFS) driver (nfssvr.sys), leading to a KERNEL_SECURITY_CHECK_FAILURE (0x139) bugcheck. The crash is triggered by corrupting the stack, as evidenced by the repeated '0x41414141' values in the stack trace.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Windows NFS Server (nfssvr.sys) on Windows 8.1 and likely other versions
No auth needed
Prerequisites: Network access to a vulnerable Windows NFS server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER 7 stars
by corelight · poc
https://github.com/corelight/CVE-2022-26937

This repository provides a Zeek script to detect CVE-2022-26937, a vulnerability in Microsoft's NFS implementation. It includes a PCAP file and scripts to analyze network traffic for potential exploit attempts.

Classification
Scanner 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Microsoft NFS implementation
No auth needed
Prerequisites: Network traffic capture (PCAP)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.7128
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (8)
microsoft/windows_server 20h2
microsoft/windows_server_2008 r2 sp1 (2 CPE variants)
microsoft/windows_server_2008 sp2 (2 CPE variants)
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_server_2016
microsoft/windows_server_2019
microsoft/windows_server_2022
Published May 10, 2022
Tracked Since Feb 18, 2026