CVE-2018-20029 in NoMachine

Summary

by MITRE

The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine before 6.4.6 on Windows 10 allows local users to cause a denial of service (BSOD) because uninitialized memory can be read.

Analysis

by VulDB Data Team • 02/25/2026

The vulnerability identified as CVE-2018-20029 resides within the nxfs.sys driver component of the DokanFS library version 0.6.0, which is utilized by NoMachine software prior to version 6.4.6 on Windows 10 systems. This represents a critical security flaw that stems from improper memory management practices within the kernel-mode driver responsible for file system operations. The issue manifests specifically when the driver attempts to access uninitialized memory regions during normal file system operations, creating a scenario where malicious or legitimate local users can trigger system instability.

The technical root cause of this vulnerability aligns with CWE-457, which describes the use of uninitialized variables in software systems. The nxfs.sys driver fails to properly initialize memory before reading from it, creating a condition where random data from memory locations may be accessed and processed by the driver's file system operations. This uninitialized memory read occurs within the kernel context, meaning that any process with sufficient privileges to interact with the driver can potentially trigger this condition. The vulnerability is particularly dangerous because it operates at the kernel level where memory corruption can lead to system crashes and blue screen of death (BSOD) conditions.

The operational impact of this vulnerability extends beyond simple denial of service scenarios, as it can be exploited by local users to create system instability that may persist across reboots or be leveraged as part of broader attack chains. When the uninitialized memory is read, the system may encounter corrupted data that causes the driver to malfunction, leading to kernel-level crashes that result in BSOD errors. This type of vulnerability can be particularly problematic in enterprise environments where NoMachine is used for remote desktop services, as it provides attackers with a method to disrupt critical business operations. The attack surface is expanded by the fact that this vulnerability affects the core file system driver that handles all file access operations, making it a prime target for exploitation.

From a threat modeling perspective, this vulnerability maps to several ATT&CK techniques including T1059 for command and scripting interpreter and T1490 for execution through exploitation of system resources. The local privilege escalation potential exists because the vulnerability can be triggered by any user with access to the system, and the resulting BSOD can be used to disrupt services or potentially mask other malicious activities. Organizations should consider implementing mitigations such as updating to NoMachine version 6.4.6 or later, which includes proper memory initialization practices in the updated DokanFS library. Additionally, system administrators should monitor for unusual BSOD occurrences and implement proper access controls to limit local user privileges where possible. The vulnerability underscores the importance of proper memory management practices in kernel-mode drivers and highlights the need for comprehensive testing and validation of system components that operate at the most privileged levels of the operating system.
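One way to act on the update and BSOD-monitoring advice above on a single Windows host, as an added example (not VulDB's or NoMachine's code). It assumes NoMachine registers an uninstall entry whose DisplayName begins with "NoMachine"; the 30-day window is an arbitrary choice.

```powershell
# Added example; run in an elevated PowerShell session on the host being checked.
$FixedVersion = [version]'6.4.6'   # first fixed NoMachine release, per the CVE text

function ConvertTo-NoMachineVersion {
    param([string]$Text)
    # Keep only the leading dotted-numeric part so "6.4.6_1" or "6.4.6.1" still parse.
    if ($Text -match '^\s*(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

# Assumption: the installer writes an uninstall entry named "NoMachine...".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'NoMachine*' }

# Kernel drivers whose image path is nxfs.sys, the component named in the CVE.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*nxfs.sys*' }

# Bugcheck records written to the System log after a BSOD reboot (event ID 1001).
$bugchecks = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id           = 1001
        StartTime    = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue)

foreach ($app in $installs) {
    $ver = ConvertTo-NoMachineVersion $app.DisplayVersion
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Product      = $app.DisplayName
        Version      = $app.DisplayVersion
        # True when the parsed version is older than 6.4.6; 'unknown' if unparseable.
        Vulnerable   = if ($ver) { $ver -lt $FixedVersion } else { 'unknown' }
        NxfsDriver   = ($drivers | ForEach-Object { "$($_.Name):$($_.State)" }) -join ', '
        Bugchecks30d = $bugchecks.Count
    }
}
```

A nonzero bugcheck count does not by itself implicate nxfs.sys; the crash dump identifies the faulting module.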

Reservation: 12/10/2018

Disclosure: 12/10/2018

Moderation: accepted

CPE: ready

EPSS: 0.00040

KEV: no

Activities: low
