Cyber Resilience

CVE-2015-2546

High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 09 September 2015

Modified: 22 April 2026
KEV Added: 15 March 2022
CVSS Score (v3.1): 8.2 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.4056 (97.5th percentile)
Risk Priority: 61 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-2546 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.2 (High).

Operationally, it is ranked in the top 2.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a memory corruption issue in the kernel-mode driver component known as Win32k, affecting multiple versions of Microsoft Windows including Vista SP2, Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8 and 8.1, Server 2012 Gold and R2, RT Gold and 8.1, and Windows 10. It is tracked as an elevation of privilege flaw (distinct from CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518) and stems from improper handling that can be triggered by specially crafted input, corresponding to CWE-119.

Local users can exploit the flaw by running a crafted application on an affected system, resulting in elevation of privileges with the potential for full control over the target host. The CVSS 3.1 score of 8.2 reflects a local attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability when conditions such as user interaction are met.

Microsoft's security bulletin MS15-097 addresses the issue through available patches and updates for the listed Windows versions, recommending installation of the fixes to prevent exploitation of the Win32k driver.

Vulnerability details

The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518.

CWE(s): CWE-119
KEV Date Added: 15 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft windows 10 1507: all versions
microsoft windows 7: all versions
microsoft windows 8: all versions
microsoft windows 8.1: all versions
microsoft windows rt: all versions
microsoft windows rt 8.1: all versions
microsoft windows server 2008: all versions, r2
microsoft windows server 2012: all versions, r2
microsoft windows vista: all versions

Mitigating Controls (NIST 800-53 r5)

prevent: Directly implements memory protection safeguards that block the Win32k kernel-mode memory corruption (CWE-119) exploited by the crafted local application.

prevent: Requires timely installation of the MS15-097 patches that remediate the specific Win32k driver flaw before local privilege escalation can occur.

prevent: Enforces least privilege for local accounts so that even successful exploitation of the kernel flaw yields minimal additional rights on the host.
