CVE-2023-24940
Published: 09 May 2023
Summary
CVE-2023-24940 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 5.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-24940 is a denial-of-service vulnerability in the Windows Pragmatic General Multicast (PGM) component. It carries a CVSS 3.1 base score of 7.5 and is associated with CWE-476 (NULL Pointer Dereference). The flaw permits an unauthenticated network attacker to trigger a crash or resource exhaustion in affected Windows systems.
An attacker can send specially crafted PGM traffic over the network without authentication or user interaction, resulting in high impact to availability while leaving confidentiality and integrity unaffected. The attack vector is rated as network-accessible with low complexity.
Microsoft Security Response Center advisories for this CVE describe the available updates and mitigation guidance. The associated EPSS score has remained stable at 0.1619, with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-28927
Vulnerability details
Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability
- CWE(s): CWE-476 (NULL Pointer Dereference)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Microsoft Windows Server 2008
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.