Vulnerability details: VCID-4a8z-yr4n-5uhv
Vulnerability ID VCID-4a8z-yr4n-5uhv
Aliases CVE-2010-2063
Summary
Status Published
Exploitability 2.0
Weighted Severity 0.7
Risk 1.4
Data source Metasploit
Description This exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can corrupt memory. Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will cause the header of the input buffer chunk to be corrupted. After close inspection, it appears that 3.0.x versions of Samba are not exploitable. Since they use an "InputBuffer" size of 0x20441, an attacker cannot cause memory to be corrupted in an exploitable way. It is possible to corrupt the heap header of the "InputBuffer", but it didn't seem possible to get the chunk to be processed again prior to process exit. In order to gain code execution, this exploit attempts to overwrite a "talloc chunk" destructor function pointer. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the nx memory protection. NOTE: It is possible to make exploitation attempts indefinitely since Samba forks for user sessions in the default configuration.
Note
Stability:
  - crash-service-restarts
SideEffects:
  - ioc-in-logs
Reliability:
  - unreliable-session
Ransomware campaign use Unknown
Source publication date June 16, 2010
Platform Linux
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/samba/chain_reply.rb
Data source Exploit-DB
Date added Sept. 4, 2010
Description Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit)
Ransomware campaign use Known
Source publication date Sept. 4, 2010
Exploit type remote
Platform linux_x86
Source update date Dec. 1, 2016
There are no known vectors.
Exploit Prediction Scoring System (EPSS)
Percentile 0.98983
EPSS Score 0.78178
Published At Sept. 9, 2025, 12:55 p.m.
| Date | Actor | Action | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- |
| 2025-07-31T08:37:31.921712+00:00 | Ubuntu USN Importer | Import | https://usn.ubuntu.com/951-1/ | 37.0.0 |