CVE-2024-38107
Published: 13 August 2024
Summary
CVE-2024-38107 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 12.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-38107 is an elevation-of-privilege vulnerability in the Windows Power Dependency Coordinator component. It carries a CVSS 3.1 base score of 7.8 and is associated with CWE-416 (use-after-free). The flaw affects supported Windows releases and allows an attacker who already possesses a local session to obtain higher privileges on the system.
An authenticated local user with low privileges can trigger the vulnerability without user interaction, resulting in full compromise of confidentiality, integrity, and availability on the affected host. Successful exploitation therefore converts a limited foothold into SYSTEM-level access.
Microsoft’s security advisory and the CISA Known Exploited Vulnerabilities catalog both list the issue, confirming that patches are available and that active exploitation has been observed in the wild. The EPSS score remains flat at 0.0335 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37146
Vulnerability details
Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
- CWE(s)
- KEV Date Added
- 13 August 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of the vendor patch that eliminates the use-after-free flaw before local exploitation can succeed.
Enforces least-privilege execution so an attacker starts with fewer rights, raising the bar for successful escalation to SYSTEM via the coordinator component.
Implements memory-protection safeguards that can block or complicate exploitation of the CWE-416 use-after-free condition in the Power Dependency Coordinator.