Description
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to deny service over a network.
Published: 2026-01-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via SMB Server
Action: Apply Patch
AI Analysis

Impact

A race condition in the Windows SMB Server allows an authorized attacker to trigger a denial of service over the network. The flaw arises from improper synchronization when multiple requests use a shared resource, causing the SMB service to hang or crash. The result is a loss of file sharing and printer services for all clients that rely on the affected host.

Affected Systems

Microsoft Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2, 22H3), Microsoft Windows Server 2008 R2 SP1 (including Server Core), Windows Server 2008 Service Pack 2 (including Server Core), Microsoft Windows Server 2012 and 2012 R2 (including Server Core), Microsoft Windows Server 2016 and 2019 (including Server Core), Microsoft Windows Server 2022 (including 23H2 Edition and Server Core), and Microsoft Windows Server 2025 (including Server Core).

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity; however, the EPSS score of less than 1% suggests the likelihood of exploitation is very low. The vulnerability appears in the CISA KEV catalog as not listed, further supporting a lower operational risk. Based on the description, it is inferred that the attacker must have authorized access to the SMB service on the target machine, typically via remote privileged or legitimate credentials, and that the attack can be initiated over the network by sending a specially crafted SMB request that exploits the race condition.

Generated by OpenCVE AI on April 16, 2026 at 08:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the Microsoft security update for CVE‑2026‑20927 from the Microsoft Security Update Guide.
  • Ensure all affected Windows 10/11 and Windows Server versions are updated to the latest cumulative update that includes the resolution.
  • Restrict SMB access by configuring firewall rules or disabling SMBv1 on systems where it is no longer required.

Generated by OpenCVE AI on April 16, 2026 at 08:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2008
Microsoft windows Server 2022 23h2
CPEs cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2008
Microsoft windows Server 2022 23h2

Wed, 14 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Description Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to deny service over a network.
Title Windows SMB Server Denial of Service Vulnerability
First Time appeared Microsoft
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2008 R2
Microsoft windows Server 2008 Sp2
Microsoft windows Server 2012
Microsoft windows Server 2012 R2
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft windows Server 23h2
Weaknesses CWE-362
CPEs cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2008 R2
Microsoft windows Server 2008 Sp2
Microsoft windows Server 2012
Microsoft windows Server 2012 R2
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft windows Server 23h2
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Windows 10 1607 Windows 10 1809 Windows 10 21h2 Windows 10 21h2 Windows 10 22h2 Windows 10 22h2 Windows 11 23h2 Windows 11 23h2 Windows 11 24h2 Windows 11 24h2 Windows 11 25h2 Windows 11 25h2 Windows Server 2008 Windows Server 2008 R2 Windows Server 2008 Sp2 Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server 2022 23h2 Windows Server 2025 Windows Server 23h2
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:48:52.198Z

Reserved: 2025-12-04T20:04:16.336Z

Link: CVE-2026-20927

cve-icon Vulnrichment

Updated: 2026-01-13T19:33:25.642Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T18:16:19.650

Modified: 2026-01-16T14:57:23.750

Link: CVE-2026-20927

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T08:30:29Z

Weaknesses