CVE-2023-28248

Windows Kernel Elevation of Privilege Vulnerability

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Windows Kernel Elevation of Privilege Vulnerability

In Windows Registry, security descriptors are shared by multiple keys, and thus reference counted via the _CM_KEY_SECURITY.ReferenceCount field. It is critical for system security that the kernel correctly keeps track of the references, so that the sum of the ReferenceCount fields is equal to the number of keys in the hive at all times (with small exceptions for things like transacted and not yet committed operations etc.). If the ReferenceCount of any descriptor drops below the true number of its active references, it may result in a use-after-free condition and memory corruption. Similarly, if the field becomes inadequately large, it may be possible to overflow it and also trigger a use-after-free. A bug of the latter type is described in this report.

*Credits: N/A

CVSS Scores

Microsoftv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-03-13 CVE Reserved
2023-04-11 CVE Published
2024-05-25 EPSS Updated
2024-10-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-190: Integer Overflow or Wraparound

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28248	2024-05-29

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"		Windows 10 1607 Search vendor "Microsoft" for product "Windows 10 1607"				< 10.0.14393.5850 Search vendor "Microsoft" for product "Windows 10 1607" and version " < 10.0.14393.5850"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 1809 Search vendor "Microsoft" for product "Windows 10 1809"				< 10.0.17763.4252 Search vendor "Microsoft" for product "Windows 10 1809" and version " < 10.0.17763.4252"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 20h2 Search vendor "Microsoft" for product "Windows 10 20h2"				< 10.0.19042.2846 Search vendor "Microsoft" for product "Windows 10 20h2" and version " < 10.0.19042.2846"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 21h2 Search vendor "Microsoft" for product "Windows 10 21h2"				< 10.0.19044.2846 Search vendor "Microsoft" for product "Windows 10 21h2" and version " < 10.0.19044.2846"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 22h2 Search vendor "Microsoft" for product "Windows 10 22h2"				< 10.0.19045.2846 Search vendor "Microsoft" for product "Windows 10 22h2" and version " < 10.0.19045.2846"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 11 21h2 Search vendor "Microsoft" for product "Windows 11 21h2"				< 10.0.22000.1817 Search vendor "Microsoft" for product "Windows 11 21h2" and version " < 10.0.22000.1817"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 11 22h2 Search vendor "Microsoft" for product "Windows 11 22h2"				< 10.0.22621.1555 Search vendor "Microsoft" for product "Windows 11 22h2" and version " < 10.0.22621.1555"		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2016 Search vendor "Microsoft" for product "Windows Server 2016"				-		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2019 Search vendor "Microsoft" for product "Windows Server 2019"				-		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2022 Search vendor "Microsoft" for product "Windows Server 2022"				-		-		Affected