Cyber Resilience

CVE-2024-43491

Critical

Published: 10 September 2024

Modified: 26 September 2024
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.1818 (95.3rd percentile)
Risk Priority: 31 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-43491 is a critical-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 10 1507. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 4.7% of CVEs by EPSS exploit likelihood (95.3rd percentile), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2024-43491 resides in the Windows Servicing Stack and affects only Windows 10 version 1507 systems running the Enterprise 2015 LTSB or IoT Enterprise 2015 LTSB editions. It causes previously applied fixes for certain Optional Component vulnerabilities to be rolled back on systems that installed the March 2024 update KB5035858 or subsequent monthly updates through August 2024, leaving those components exposed despite the original patches.

An unauthenticated remote attacker can exploit the reintroduced flaws over the network without user interaction, obtaining full confidentiality, integrity, and availability impact on the affected host. Because the underlying issues were already known and scored high severity prior to the regression, the servicing-stack flaw effectively restores the original attack surface on any system that received the flawed cumulative updates.

Microsoft’s advisory states that the regression is resolved only by installing the September 2024 Servicing Stack Update KB5043936 followed by the September 2024 security update KB5043083 in that specific order; no other mitigations are described. The single supported reference URL is the Microsoft Security Response Center entry for CVE-2024-43491.

EPSS for the CVE rose from a low baseline to a peak of 0.2014 before settling at the current value of 0.1818, indicating measurable post-disclosure exploitation interest that warrants renewed attention for the remaining supported LTSB installations.

Vulnerability details

Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability. This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order. Note: Windows 10, version 1507 reached the end of support (EOS) on May 9, 2017 for devices running the Pro, Home, Enterprise, Education, and Enterprise IoT editions. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under support.
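As an added triage check (not part of the Microsoft advisory or this record), the following PowerShell function classifies a Windows 10 1507 host against the build range and KB numbers stated above. The registry values read, the reliance on Get-HotFix listing the SSU and security update by KB id, and the use of 10240.20766 as the top of the vulnerable range are assumptions noted in the comments.

```powershell
# Added example: classify a host's exposure to CVE-2024-43491 from facts stated on this page.
# Assumptions: OS build 10240 identifies Windows 10 version 1507; UBR 20526 is the March 2024
# update (KB5035858) that opened the regression window; UBR 20766 is the catalogue's upper bound;
# Get-HotFix reports the SSU (KB5043936) and the security update (KB5043083) by their KB ids.

function Get-Cve202443491Status {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int]$CurrentBuild,   # e.g. 10240
        [Parameter(Mandatory)] [int]$Ubr,            # Update Build Revision, e.g. 20526
        [string[]]$InstalledKBs = @()                # HotFixIDs as reported by Get-HotFix
    )

    # Only Windows 10 version 1507 (build 10240) is in scope; later versions are not affected.
    if ($CurrentBuild -ne 10240) {
        return 'NotApplicable: not Windows 10 version 1507'
    }

    $hasSsu = $InstalledKBs -contains 'KB5043936'
    $hasLcu = $InstalledKBs -contains 'KB5043083'

    # Both September 2024 packages present: the regression is resolved.
    # (Get-HotFix cannot prove install order; the advisory requires SSU first, then KB5043083.)
    if ($hasSsu -and $hasLcu) {
        return 'Fixed: September 2024 SSU (KB5043936) and security update (KB5043083) present'
    }

    # Below the March 2024 build: the rollback has not occurred, but the host is behind on updates.
    if ($Ubr -lt 20526) {
        return 'NotYetRegressed: KB5035858 not installed; still apply KB5043936 then KB5043083'
    }

    # Inside the regression window with at most one of the two fix packages applied.
    if ($Ubr -le 20766) {
        if ($hasSsu -or $hasLcu) {
            return 'Exposed: only one of KB5043936 / KB5043083 present; complete the pair in order'
        }
        return 'Exposed: build 10240.20526-10240.20766; install KB5043936 then KB5043083'
    }

    # Newer than the catalogue's upper bound but fix KBs not visible: verify by hand.
    return 'Unknown: build above 10240.20766 but fix KBs not listed; verify update history manually'
}

# Live usage on the host under review (assumption: CurrentBuild and UBR exist under this key).
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$kbs = Get-HotFix | Select-Object -ExpandProperty HotFixID
Get-Cve202443491Status -CurrentBuild ([int]$cv.CurrentBuild) -Ubr ([int]$cv.UBR) -InstalledKBs $kbs

# Offline sanity check with a constructed input: a host that stopped at the March 2024 update.
Get-Cve202443491Status -CurrentBuild 10240 -Ubr 20526 -InstalledKBs @('KB5035858')
```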

CWE(s)

CWE-416: Use After Free

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Microsoft
Product: Windows 10 1507
Affected versions: ≤ 10.0.10240.20766

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-416 (Use After Free)

Use-after-free exploitation that aims at arbitrary code execution is blocked or made substantially harder by non-executable memory pages (DEP/NX) and ASLR. These are generic hardening measures; for this CVE the only remediation Microsoft describes is installing KB5043936 followed by KB5043083.

References

Microsoft Security Response Center (MSRC) advisory entry for CVE-2024-43491 (the single supported reference).