
CVE-2024-21338

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 13 February 2024
Modified: 28 October 2025
KEV Added: 04 March 2024
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7935 (99.1st percentile)
Risk Priority: 83 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-21338 is a high-severity Untrusted Pointer Dereference (CWE-822) vulnerability in Microsoft Windows 10 1809. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-39 (Process Isolation).

Deeper analysis

Windows Kernel Elevation of Privilege Vulnerability CVE-2024-21338 affects the Windows kernel component and carries a CVSS 3.1 score of 7.8. The flaw is tracked under CWE-822 and permits an attacker to escalate privileges from a local context to full kernel-level access.

An authenticated local user with low privileges can exploit the issue without user interaction to obtain complete control over the affected system, including the ability to read, write, or delete arbitrary data and execute code at the highest privilege level.

Microsoft’s security update guide lists patches addressing the vulnerability and recommends applying the relevant updates through standard Windows servicing channels. Public exploit code has been published on Exploit-DB and PacketStorm, and reporting from Avast ties the issue to observed activity by the Lazarus group involving a BYOVD rootkit technique.

The associated EPSS score reached a peak of 0.7957 shortly after disclosure and remains near 0.7935, indicating sustained exploitation interest following the initial announcement.

Vulnerability details

Windows Kernel Elevation of Privilege Vulnerability

CWE(s): CWE-822 (Untrusted Pointer Dereference)
KEV Date Added: 04 March 2024

Related Threats

Threat-Actor Attribution (AI-generated)

Avast report links Lazarus FudModule rootkit to exploitation of this Windows kernel EoP zero-day (BYOVD).

Affected Assets

Vendor      Product                  Affected builds
microsoft   windows 10 1809          ≤ 10.0.17763.5458
microsoft   windows 10 21h2          ≤ 10.0.19044.4046
microsoft   windows 10 22h2          ≤ 10.0.19045.4046
microsoft   windows 11 21h2          ≤ 10.0.22000.2777
microsoft   windows 11 22h2          ≤ 10.0.22621.3155
microsoft   windows 11 23h2          ≤ 10.0.22631.3155
microsoft   windows server 2019      ≤ 10.0.17763.5458
microsoft   windows server 2022      ≤ 10.0.20348.2322
microsoft   windows server 2022 23h2 ≤ 10.0.25398.709
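The affected-builds table above is only useful if it is compared correctly against what hosts actually run: the last vulnerable build for each release shares a base build (the third component, e.g. 17763) with every patched build of that same release, and only the final component (the update build revision) moves when the fix is installed. A host whose base build does not match the listed release is a different release altogether, not a patched or unpatched instance of it. The script below is an added example, not code from the page or from Microsoft; the host inventory is constructed, and real values would come from each host's OS version and UBR.

```python
"""Triage a host inventory against the CVE-2024-21338 affected-builds table."""

# Last vulnerable build per affected release, copied from the page's table.
# Any build with the same base build and an equal or lower final component
# is unpatched for this CVE.
LAST_VULNERABLE_BUILD = {
    "windows 10 1809": "10.0.17763.5458",
    "windows 10 21h2": "10.0.19044.4046",
    "windows 10 22h2": "10.0.19045.4046",
    "windows 11 21h2": "10.0.22000.2777",
    "windows 11 22h2": "10.0.22621.3155",
    "windows 11 23h2": "10.0.22631.3155",
    "windows server 2019": "10.0.17763.5458",
    "windows server 2022": "10.0.20348.2322",
    "windows server 2022 23h2": "10.0.25398.709",
}


def parse_build(build: str) -> tuple[int, int, int, int]:
    """Parse 'major.minor.build.ubr' into a comparable 4-tuple of ints."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build string: {build!r}")
    major, minor, base, ubr = (int(p) for p in parts)
    return major, minor, base, ubr


def is_vulnerable(product: str, build: str):
    """Return True (unpatched), False (patched) or None (not a listed release).

    None also covers a host whose base build does not match the release it
    claims to be, because the table's threshold says nothing about it.
    """
    threshold = LAST_VULNERABLE_BUILD.get(product.strip().lower())
    if threshold is None:
        return None
    last_bad = parse_build(threshold)
    have = parse_build(build)
    if have[:3] != last_bad[:3]:
        return None  # different release family; table does not apply
    return have[3] <= last_bad[3]


def triage(inventory):
    """Group (hostname, product, build) records into vulnerable/patched/unknown."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for hostname, product, build in inventory:
        verdict = is_vulnerable(product, build)
        bucket = "unknown" if verdict is None else ("vulnerable" if verdict else "patched")
        result[bucket].append(hostname)
    return result


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = [
    ("srv-01", "windows server 2019", "10.0.17763.5458"),  # exactly the last bad build
    ("srv-02", "windows server 2022", "10.0.20348.2340"),  # UBR above threshold: patched
    ("wks-03", "windows 11 22h2", "10.0.22621.3155"),      # last bad build: vulnerable
    ("wks-04", "windows 10 22h2", "10.0.19041.4046"),      # base build mismatch: unknown
    ("wks-05", "windows 11 24h2", "10.0.26100.1"),         # release not in table: unknown
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

On a Windows host the two numbers the comparison needs are `CurrentBuildNumber` and `UBR` under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`; feeding those into `is_vulnerable` with the release name avoids the common mistake of comparing build strings lexically or across releases.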

Mitigating Controls (NIST 800-53 r5, AI-generated)

prevent (AC-6, Least Privilege): Directly counters the low-to-kernel privilege escalation path by restricting each process to only the privileges it requires, blocking the unauthorized elevation described in the CVE.

prevent (SC-39, Process Isolation): Enforces separate execution domains between user-mode processes and kernel code, preventing the kernel-level code execution that the vulnerability enables.

prevent: Implements memory-protection safeguards that limit exploitation of the incorrect privileged-resource handling (CWE-822) used to obtain kernel execution.

References