CVE-2024-26254
Published: 09 April 2024
Summary
CVE-2024-26254 is a high-severity Untrusted Pointer Dereference (CWE-822) vulnerability in Microsoft Windows 10 1809. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Microsoft Virtual Machine Bus (VMBus) is affected by a denial-of-service vulnerability tracked as CVE-2024-26254. The flaw carries a CVSS 3.1 base score of 7.5 and is classified as CWE-822 (Untrusted Pointer Dereference); it allows an unauthenticated network attacker to disrupt availability without any user interaction or privileges.
An attacker with network access can send crafted traffic to the VMBus component and trigger a denial-of-service condition: the confidentiality and integrity of data are not affected, but the affected service is rendered unavailable. The attack requires no authentication and can be performed remotely over the network.
Microsoft has published guidance for the issue at the MSRC update guide, indicating that patches or configuration changes are available to address the vulnerability. The associated EPSS score has remained flat at 0.0653 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-23530
Vulnerability details
Microsoft Virtual Machine Bus (VMBus) Denial of Service Vulnerability
- CWE(s): CWE-822 (Untrusted Pointer Dereference)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.