Planned Fix

CVE-2024-30088

TOCTOU Windows Kernel Privilege Escalation

Summary

A Windows kernel TOCTOU (time-of-check/time-of-use) race condition enables local privilege escalation to SYSTEM by manipulating kernel security attributes during token handling. Exploitation requires a locally logged-in user (no user interaction) and can lead to full control of the system once privileges are elevated; patches were released in June 2024 to mitigate the flaw.

Why Planned Fix?

2/6
Authentication required
Deployment unknown
No user interaction needed
Not exploitable in default configuration
Public PoC available
Not a high impact vulnerability

Exploitation Details

Type: update
Is exploitable with default configuration? No
Is authentication needed? Yes
Impact

Escalate privileges to SYSTEM, enabling full control of the affected host and potential further compromise (e.g., privilege abuse, lateral movement, credential access).

Exploitation Requirements
  • Authentication required
  • Local access with a user account
  • No remote authentication required beyond local login
  • Vulnerable OS versions
  • Patched builds required for remediation
Exploitation Process

An attacker with local access can trigger a TOCTOU race in the Windows kernel's token/authz path (AuthzBasepCopyoutInternalSecurityAttributes) during NtQueryInformationToken, allowing writes to arbitrary kernel addresses and elevation to SYSTEM. PoCs and exploit code have been published (e.g., Metasploit module and other PoCs).

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 0

Affected Software

Vendor: Microsoft
Product: Windows Operating System
Affected Versions: Windows 10 versions 1507–22H2 (various editions) up to vulnerable builds; Windows 11 versions 21H2/22H2/23H2; Windows Server 2016/2019/2022 (and Server Core variants) with specific vulnerable builds. Exact end-of-life build numbers per OS are detailed in the CVE records: 10.0.10240.20680; 10.0.14393.7070; 10.0.17763.5936; 10.0.19044.4529; 10.0.19045.4529; 10.0.22000.3019; 10.0.22621.3737; 10.0.22631.3737; 10.0.14393.7070; 10.0.17763.5936; 10.0.20348.2522; 10.0.25398.950.
Description

Microsoft Windows operating system family (Windows 10/11 and Windows Server variants).

Deployment:
Protocol: Local
Ports:
Affected Component: Windows Kernel; privilege escalation via a TOCTOU race condition in the kernel's token/authz handling (AuthzBasepCopyoutInternalSecurityAttributes during NtQueryInformationToken).


Affected Endpoints (1): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30088
Enterprise Usage: Estimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals, not exact data.
Vendor Size: Big
Remediation
Workaround

Not available

Patch

Not available

Update

Not available

Threat Intelligence
EPSS Score: 84.5%

Probability of exploitation in the next 30 days

EPSS Percentile: 99%

Worse than 99% of all CVEs

CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors

No known threat actors

Detection Rules (5)
  • Sigma: Windows Kernel TOCTOU detection
  • YARA: look for patterns related to NtQueryInformationToken and AuthzBasepCopyoutInternalSecurityAttributes (kernel-level) in plausible privilege-escalation contexts
  • Other: Threat hunting resource
  • Other: Threat hunting resource
  • Other: Threat hunting resource

NVD Data


Description Summary

Windows Kernel Elevation of Privilege Vulnerability. A TOCTOU (time-of-check/time-of-use) race condition in the Windows kernel allows a local attacker to gain SYSTEM privileges by manipulating the security attributes during token handling (AuthzBasepCopyoutInternalSecurityAttributes in NtQueryInformationToken).

CVSS Base Score

7.0 (High)

CVSS Vector (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector (AV): Local
  • Attack Complexity (AC): High
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High
CWE:
Version From:
Version Upto: 10.0.10240.20680, 10.0.14393.7070, 10.0.17763.5936, 10.0.19044.4529, 10.0.19045.4529, 10.0.22000.3019, 10.0.22621.3737, 10.0.22631.3737, 10.0.14393.7070, 10.0.17763.5936, 10.0.25398.950

Affected Software (CPE) (11)

  • cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*