Cyber Resilience

CVE-2024-30038

Severity: High
Published: 14 May 2024
Modified: 16 January 2025
CISA KEV: not listed
Fix: vendor security update available
CVSS v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0845 (92.5th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-30038 is a high-severity heap-based buffer overflow (CWE-122) in Win32k, the kernel-mode driver behind the Windows GUI subsystem. It affects supported Windows 10, Windows 11 and Windows Server releases (see Affected Assets below), not only Windows 10 1507. Its CVSS 3.1 base score is 7.8 (High).

Operationally, its EPSS score places it in the top 7.5% of all CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-30038 is an elevation-of-privilege vulnerability in Win32k (win32k.sys), the kernel-mode driver that implements the Windows GUI subsystem, disclosed on 14 May 2024. The flaw is tracked as CWE-122 (heap-based buffer overflow) and carries a CVSS 3.1 score of 7.8: local attack vector, low attack complexity, low privileges required and no user interaction, with high confidentiality, integrity and availability impact.

A local attacker who already holds a low-privileged account on an affected system can exploit the issue to escalate privileges, typically to SYSTEM, without any user interaction. Because the bug sits in a kernel-mode driver, successful exploitation yields arbitrary code execution with kernel rights, which in turn allows the attacker to install persistent malware or access data and resources that were protected from the original account.

Microsoft's security advisory for CVE-2024-30038 directs administrators to install the May 2024 security update, delivered through Windows Update and the Microsoft Update Catalog. The update corrects the memory-corruption condition in Win32k, and Microsoft rates the fix Important for all supported Windows versions. Since only a local, low-privileged foothold is required, hosts where untrusted users or unprivileged workloads run interactively (shared workstations, terminal servers) deserve first priority.

EPSS for this CVE has stayed modest: a recorded peak of 0.0944 and a current value of 0.0845 (roughly an 8.5% estimated probability of exploitation activity within the next 30 days), with no material upward trend since disclosure.

Vulnerability details

Win32k Elevation of Privilege Vulnerability

CWE(s)

CWE-122: Heap-based Buffer Overflow

Related Threats

No named threat-actor attribution yet; ATT&CK technique mapping for this CVE is in progress.

Affected Assets

The build listed for each product is the first build that ships the May 2024 fix; earlier builds are affected (NVD records these ranges as "up to, excluding").

Microsoft Windows 10 1507: builds earlier than 10.0.10240.20651
Microsoft Windows 10 1607: builds earlier than 10.0.14393.6981
Microsoft Windows 10 1809: builds earlier than 10.0.17763.5820
Microsoft Windows 10 21H2: builds earlier than 10.0.19044.4412
Microsoft Windows 10 22H2: builds earlier than 10.0.19045.4412
Microsoft Windows 11 21H2: builds earlier than 10.0.22000.2960
Microsoft Windows 11 22H2: builds earlier than 10.0.22621.3593
Microsoft Windows 11 23H2: builds earlier than 10.0.22631.3593
Microsoft Windows Server 2012 and 2012 R2: all builds prior to the May 2024 update
Microsoft Windows Server 2016: builds earlier than 10.0.14393.6981
3 more product configurations are listed at NVD.
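As an added example (not code from Microsoft's advisory or from this page's author), the following PowerShell function compares a host's CurrentBuild and UBR registry values with the fixed builds in the table above and reports Patched, Vulnerable or Unknown. The function name, the hashtable and the output fields are assumptions made for this example; the build numbers are those from the table, and the sample build strings at the end are constructed values, not real inventory data.

```powershell
# Added example, not code from the advisory or this page's author.
# Compares an OS build (CurrentBuild.UBR) with the first build that carries
# the May 2024 fix for CVE-2024-30038. Build numbers come from the Affected
# Assets table above; the function name and output shape are assumptions.

# Key = CurrentBuild, value = UBR of the first fixed build.
$script:Cve202430038FixedUbr = @{
    '10240' = 20651   # Windows 10 1507
    '14393' = 6981    # Windows 10 1607 and Windows Server 2016
    '17763' = 5820    # Windows 10 1809
    '19044' = 4412    # Windows 10 21H2
    '19045' = 4412    # Windows 10 22H2
    '22000' = 2960    # Windows 11 21H2
    '22621' = 3593    # Windows 11 22H2
    '22631' = 3593    # Windows 11 23H2
}

function Get-Cve202430038Status {
    [CmdletBinding()]
    param(
        # Build string to evaluate, e.g. "19045.4291". Defaults to the local host.
        [string]$Build
    )

    if (-not $Build) {
        # CurrentBuild and UBR are readable without elevation.
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $Build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    }

    $major, $ubr = $Build -split '\.', 2

    if (-not $script:Cve202430038FixedUbr.ContainsKey($major)) {
        # Server 2012/2012 R2 and the additional NVD entries are not in the
        # table above, so do not guess: report Unknown and point at NVD.
        return [pscustomobject]@{
            Build      = $Build
            FixedBuild = $null
            Status     = 'Unknown'
            Note       = 'Build not in table; check the NVD configuration list'
        }
    }

    $fixed   = $script:Cve202430038FixedUbr[$major]
    $patched = [int]$ubr -ge $fixed

    [pscustomobject]@{
        Build      = $Build
        FixedBuild = "$major.$fixed"
        Status     = if ($patched) { 'Patched' } else { 'Vulnerable' }
        Note       = if ($patched) { 'May 2024 update or later installed' }
                     else          { 'Install the May 2024 security update' }
    }
}

# Local host:
Get-Cve202430038Status

# Offline evaluation of build strings gathered from other hosts
# (constructed sample values, not real inventory):
'19045.4291', '19045.4412', '22631.3737', '9600.21958' |
    ForEach-Object { Get-Cve202430038Status -Build $_ } |
    Format-Table -AutoSize
```

The check deliberately compares only the UBR within a known CurrentBuild rather than parsing installed KB numbers, because cumulative updates supersede each other and any later UBR also carries the fix. Builds outside the table (Server 2012 and 2012 R2 use a different versioning scheme) are reported as Unknown rather than assumed safe.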

Mitigating Controls

No mitigating controls have been mapped to this CVE yet; the per-CVE control annotator has not reached it. Until then, the vendor security update described under Deeper analysis is the only fix on record here.