Cyber Resilience

CVE-2018-8639

High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 12 December 2018
Modified: 29 October 2025
KEV Added: 03 March 2025
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3319 (97.0th percentile)
Risk Priority: 56 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-8639 is a high-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, it is ranked in the top 3.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

An elevation of privilege vulnerability exists in the Win32k component of Windows when it fails to properly handle objects in memory. The issue, tracked as CVE-2018-8639, affects Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, Windows Server 2016, Windows Server 2019, Windows 10, and Windows 10 Servers. It carries a CVSS 3.1 base score of 7.8 and is distinct from the related CVE-2018-8641.

A local attacker with low privileges can exploit the flaw without user interaction to obtain full control over the affected system, resulting in complete loss of confidentiality, integrity, and availability. The vulnerability stems from improper object handling classified under CWE-404 and can be triggered through crafted interactions with the Win32k kernel-mode driver.

Microsoft has published guidance in its security advisory for CVE-2018-8639, and the flaw appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. Organizations should apply the vendor-supplied updates referenced in the Microsoft Security Response Center advisory to address the issue.

Vulnerability details

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8641.

CWE(s)
KEV Date Added: 03 March 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft, windows 10 1507: all versions
microsoft, windows 10 1607: all versions
microsoft, windows 10 1703: all versions
microsoft, windows 10 1709: all versions
microsoft, windows 10 1803: all versions
microsoft, windows 10 1809: all versions
microsoft, windows 7: all versions
microsoft, windows 8.1: all versions
microsoft, windows rt 8.1: all versions
microsoft, windows server 2008: all versions, r2
+3 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires applying the vendor patches that remediate the Win32k object-handling flaw before exploitation can succeed.

prevent: Enforces least-privilege execution so a low-privileged local attacker cannot reach the Win32k code path with sufficient rights to escalate.

prevent: Implements memory-protection safeguards that can block or contain the improper object handling exploited inside the Win32k kernel driver.

References