CVE-2015-2546
Published: 09 September 2015
Summary
CVE-2015-2546 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.2 (High).
Operationally, it is ranked in the top 2.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a memory corruption issue in the kernel-mode driver component known as Win32k, affecting multiple versions of Microsoft Windows including Vista SP2, Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8 and 8.1, Server 2012 Gold and R2, RT Gold and 8.1, and Windows 10. It is tracked as an elevation of privilege flaw (distinct from CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518) and stems from improper handling that can be triggered by specially crafted input, corresponding to CWE-119.
Local users can exploit the flaw by running a crafted application on an affected system, resulting in elevation of privileges with the potential for full control over the target host. The CVSS 3.1 score of 8.2 reflects a local attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability when conditions such as user interaction are met.
Microsoft's security bulletin MS15-097 addresses the issue with patches and updates for the listed Windows versions and recommends installing the fixes to prevent exploitation of the Win32k driver.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-2639
Vulnerability details
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518.
- CWE(s)
- KEV Date Added: 15 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly implements memory protection safeguards that block the Win32k kernel-mode memory corruption (CWE-119) exploited by the crafted local application.
Requires timely installation of the MS15-097 patches that remediate the specific Win32k driver flaw before local privilege escalation can occur.
Enforces least privilege for local accounts so that even successful exploitation of the kernel flaw yields minimal additional rights on the host.