CVE-2023-6606: Out-of-Bounds Read in smbcalcsize—Immediate Audit & Patch Guidance for Windows Kernel

The Microsoft Security Response Center (MSRC) has disclosed CVE-2023-6606, an out-of-bounds read vulnerability in the smbcalcsize function within the Windows kernel’s SMB implementation. This article provides practitioners with actionable technical guidance to assess, detect, and mitigate this threat.
THREAT BRIEF
CVE-2023-6606 is an information disclosure bug in the Windows kernel, specifically affecting the SMB protocol’s handling of certain packet structures. The vulnerability resides in smbcalcsize, a function responsible for calculating SMB message sizes. Improper bounds checking allows an attacker to trigger out-of-bounds reads, potentially leaking kernel memory to user space or remote attackers, depending on context.
Microsoft’s advisory confirms this flaw is exploitable via malformed SMB packets. While not directly leading to privilege escalation or remote code execution, information disclosure can facilitate subsequent attacks—such as bypassing exploit mitigations or stealing sensitive data.
SCOPE & IMPACT
- Affected Systems: Windows Server and Windows client operating systems with SMB enabled. Exact impacted builds are detailed in the official advisory.
- Versions: The vulnerability affects supported Windows releases prior to the June 2024 patch cycle. Specifically, Windows 10, Windows 11, and Windows Server (2019, 2022) are listed. Older, unsupported versions may also be exposed if they include the vulnerable SMB stack.
- Configurations: Systems with SMBv2/v3 enabled are at risk. Both domain-joined and standalone hosts may be vulnerable.
- Users: Any user able to send SMB traffic to the affected machine (local or remote) could exploit this bug.
HOW IT WORKS
The smbcalcsize function is used by the SMB kernel driver to calculate buffer lengths for SMB packets. Due to insufficient bounds validation, the function may read past the end of a packet buffer provided by an attacker, leaking data from adjacent kernel memory. This type of flaw is commonly used as a precursor to more impactful kernel exploits, as it allows attackers to infer memory layout or exfiltrate privileged information.
Technically, the bug is triggered by sending a specially crafted SMB request to a vulnerable system. The kernel’s SMB handler parses the packet, invokes smbcalcsize, and inadvertently reads memory outside the allocated bounds. The leaked memory can be returned in SMB responses or otherwise exposed to the attacker.
WHAT CHANGED IN THIS RELEASE / ADVISORY
- Exact CVE: CVE-2023-6606
- Patched Builds: Microsoft released fixes for Windows 10 (all supported builds), Windows 11, and Windows Server 2019/2022 in the June 2024 patch cycle.
- Behavioural Change: The patched
smbcalcsizefunction now includes strict bounds checks before reading packet buffers, preventing out-of-bounds access. - Prior State: Pre-patch, the function could read past the intended buffer, exposing kernel data.
DETECTION
Audit your environment for exposure by checking:
- Current Windows build and patch status
- SMB protocol status
Use the following PowerShell script to enumerate unpatched, SMB-enabled Windows systems. This script checks for the June 2024 patch and reports SMB configuration.
try {
$patch = Get-HotFix | Where-Object {$_.Description -like '*Security Update*' -and $_.InstalledOn -ge (Get-Date '2024-06-11')}
$smbEnabled = (Get-WindowsOptionalFeature -Online | Where-Object {$_.FeatureName -like 'SMB*' -and $_.State -eq 'Enabled'})
if ($patch -and $smbEnabled) {
Write-Output "System is patched and SMB is enabled."
} elseif (-not $patch -and $smbEnabled) {
Write-Output "SMB is enabled and system is NOT patched. Vulnerable to CVE-2023-6606."
} elseif (-not $smbEnabled) {
Write-Output "SMB is disabled. Not exposed to CVE-2023-6606."
} else {
Write-Output "Unable to determine SMB status or patch level."
}
} catch {
Write-Output "Error during audit: $_"
}
Run this script on each Windows host in your environment. For remote auditing, leverage Microsoft Defender for Endpoint’s device inventory and patch compliance APIs.
REMEDIATION
- Immediate Patch: Apply the June 2024 security updates from Microsoft. Refer to MSRC guidance for exact KBs per OS version.
- Compensating Controls: If patching is delayed, disable SMBv2/v3 on exposed systems (dry-run mode recommended initially):
# Dry-run: Check SMB status
Get-WindowsOptionalFeature -Online | Where-Object {$_.FeatureName -like 'SMB*'}
# Disable SMBv2/v3 (run only if patching is delayed)
# Set-WindowsOptionalFeature -Online -FeatureName 'SMB2Protocol' -State Disabled
# Set-WindowsOptionalFeature -Online -FeatureName 'SMB3Protocol' -State Disabled
- Monitoring: Enable kernel-level logging and Defender for Endpoint alerting for anomalous SMB traffic.
- Irreversible Actions: Disabling SMB may break file sharing and legacy application compatibility. Always test in dry-run/report mode first.
MITIGATION PRIORITY
Urgency: Immediate. Out-of-bounds read vulnerabilities in kernel components are high-risk due to potential information disclosure and their use in exploit chains. Patch all exposed systems as soon as possible.
WHAT’S COMING
- Microsoft is expected to continue hardening SMB against memory safety bugs in upcoming patch cycles, with further bounds checks and improved fuzzing coverage.
- Future Windows releases may introduce additional kernel mitigations (e.g., Memory Protection Keys, stricter driver isolation).
- Prepare for more aggressive deprecation of legacy SMB features and expanded logging options.
TREND CHECK
Memory safety bugs in network protocol stacks remain common, but Microsoft’s security posture is improving—recent patch cycles show more rapid disclosure and remediation, with fewer repeat flaws in SMB components. There is no evidence yet of active exploitation of CVE-2023-6606 in the wild, but information disclosure bugs are frequently leveraged by advanced persistent threat actors as part of multi-stage attack chains.
Practitioners should expect continued scrutiny of SMB and other kernel-level components, with vendors prioritizing memory safety and exploit mitigation. Prompt patching and protocol hardening remain critical.
RELATED THREATS & ADVISORIES
- Recent kernel-level SMB vulnerabilities (2023-2024) include information disclosure and denial-of-service bugs, but privilege escalation flaws have declined.
- Active campaigns targeting SMB typically focus on ransomware deployment and lateral movement, underscoring the importance of patching.
Stay vigilant for new disclosures and prioritize kernel patching, especially for internet-facing or critical infrastructure systems.