CVE-2023-34312
Published: 01 June 2023
Summary
CVE-2023-34312 is a high-severity Release of Invalid Pointer or Reference (CWE-763) vulnerability in Tencent Qq. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 7.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-34312 affects Tencent QQ up to version 9.7.8.29039 and TIM up to 3.4.7.22084. The flaw resides in QQProtect.exe and QQProtectEngine.dll, which accept unvalidated pointers over inter-process communication channels and thereby permit an arbitrary write-what-where primitive (CWE-763). The issue carries a CVSS 3.1 base score of 7.8 under the local-attack vector.
A local, authenticated attacker can send crafted IPC messages to the QQProtect components, overwriting arbitrary kernel or user-mode memory locations. Successful exploitation yields full control over the affected process, enabling privilege escalation, credential theft, or persistent code execution on the host.
Public references consist solely of a proof-of-concept repository demonstrating the elevation technique; no vendor advisory or patch information is supplied in the available sources. The EPSS score has remained flat at 0.0784 since disclosure, indicating no measurable increase in observed exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-38393
Vulnerability details
In Tencent QQ through 9.7.8.29039 and TIM through 3.4.7.22084, QQProtect.exe and QQProtectEngine.dll do not validate pointers from inter-process communication, which leads to a write-what-where condition.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.