CVE-2024-21338
Published: 13 February 2024
Summary
CVE-2024-21338 is a high-severity Untrusted Pointer Dereference (CWE-822) vulnerability in Microsoft Windows 10, version 1809. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-39 (Process Isolation).
Deeper analysis
CVE-2024-21338, titled "Windows Kernel Elevation of Privilege Vulnerability", affects the Windows kernel component and carries a CVSS 3.1 base score of 7.8. The flaw is tracked under CWE-822 (Untrusted Pointer Dereference) and permits an attacker to escalate privileges from a local, low-privileged context to full kernel-level access.
An authenticated local user with low privileges can exploit the issue without any user interaction to obtain complete control over the affected system, including the ability to read, write, or delete arbitrary data and to execute code at the highest privilege level.
Microsoft’s security update guide lists patches addressing the vulnerability and recommends applying the relevant updates through standard Windows servicing channels. Public exploit code has been published on Exploit-DB and PacketStorm, and reporting from Avast ties the issue to observed activity by the Lazarus group involving a BYOVD rootkit technique.
The associated EPSS score peaked at 0.7957 shortly after disclosure and remains near 0.7935, indicating sustained exploitation interest since the initial announcement.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-19050
Vulnerability details
Windows Kernel Elevation of Privilege Vulnerability
- CWE(s): CWE-822 (Untrusted Pointer Dereference)
- KEV Date Added: 04 March 2024
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): Directly counters the low-to-kernel privilege escalation path by restricting each process to only the privileges it requires, blocking the unauthorized elevation described in the CVE.
- SC-39 (Process Isolation): Enforces separate execution domains between user-mode processes and kernel code, preventing the kernel-level code execution that the vulnerability enables.
- Memory protection: Implements memory-protection safeguards that limit exploitation of the untrusted pointer dereference (CWE-822) used to obtain kernel execution.