CVE-2018-5410

7.8 HIGH

📋 TL;DR

CVE-2018-5410 is a stack-based buffer overflow in the Dokan kernel-mode file system driver (dokan1.sys). Any local user who can open a handle to the driver's device object and send crafted input to it can trigger the overflow and execute arbitrary code in the kernel, i.e. escalate from a standard account to SYSTEM. Dokan versions 1.0.0.5000 through 1.2.0.1000 are affected; 1.2.1.1000 fixes it.

💻 Affected Systems

Products:
  • Dokan Library
  • Dokan File System
Versions: 1.0.0.5000 through 1.2.0.1000
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any Windows system with the vulnerable driver installed, including hosts where Dokan was installed silently as a dependency of a third-party product. Dokan is commonly used by applications that create virtual file systems, so the driver is often present without the user having installed "Dokan" deliberately.

📦 What is this software?

Dokan (project name Dokany, hosted at github.com/dokan-dev/dokany) is an open-source user-mode file system framework for Windows, the Windows counterpart of FUSE on Linux. It consists of a kernel-mode driver (dokan1.sys) and a user-mode library that applications link against to implement a file system in user mode; the driver receives I/O requests from the kernel and forwards them to the application. Because the driver exposes a device object that user-mode code must be able to open, its request-handling paths run in the kernel on input controlled by any local user.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with kernel-level code execution leading to persistent backdoors, credential theft, and full administrative control.

🟠

Likely Case

Local privilege escalation from a standard user account to SYSTEM/administrator privileges, enabling further lateral movement and persistence.

🟢

If Mitigated

Reduced blast radius where the driver has been removed from hosts that do not need it and where interactive logon to hosts that must keep it is limited to trusted accounts. Endpoint protection and least-privilege policies do not stop the overflow itself: any account that can open the device can trigger it, so a kernel-level bug of this kind stays dangerous until patched.

🌐 Internet-Facing: LOW (requires local access to exploit, not directly reachable from internet)
🏢 Internal Only: HIGH (any authenticated user on affected systems can potentially exploit for privilege escalation)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on Exploit-DB (EDB-ID 46155). Exploitation requires the ability to run code as a local user on the host; no privileges beyond opening a handle to the driver's device are needed, and the public code makes the rest straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.1.1000

Vendor Advisory: https://github.com/dokan-dev/dokany/releases/tag/v1.2.1.1000

Restart Required: Yes

Instructions:

1. Download Dokan 1.2.1.1000 or later from the official GitHub releases page (linked above).
2. Uninstall the current Dokan version through Programs and Features (or the vendor uninstaller).
3. Install the updated version.
4. Restart the system so the patched dokan1.sys is loaded; the old driver stays in memory until reboot.

If Dokan was installed as a dependency of another product, update that product as well; otherwise its installer or repair routine may put the vulnerable driver back.

🔧 Temporary Workarounds

Remove Dokan Driver

windows

Uninstall Dokan completely if no critical application depends on it. Prefer the uninstaller (Programs and Features, or the vendor's own uninstaller), which removes both the service registration and the driver file. Only if no uninstaller is present, remove the kernel service by hand from an administrative prompt:

sc stop dokan1
sc delete dokan1

Stopping fails while a Dokan-backed volume is still mounted, and the driver is not unloaded from memory until the system is restarted, so reboot after either method.

Restrict Local Access

windows

The DACL of a kernel device object is assigned by the driver (or its INF) when the device is created and is not a file system ACL, so icacls cannot be used to restrict access to the Dokan device. What can be restricted is who gets to run code on the host at all: use the User Rights Assignment policies "Deny log on locally" and "Deny log on through Remote Desktop Services" to keep untrusted accounts off systems that must keep the driver until it is patched.

🧯 If You Can't Patch

  • Restrict interactive and remote logon to hosts carrying the driver to trusted accounts; every local account can open the device, so the exposure is exactly the set of users who can run code on the machine
  • Deploy endpoint detection and response (EDR) and watch for processes that gain SYSTEM under an interactive user session, and for handles to the Dokan device opened by processes other than the legitimate Dokan-based application

🔍 How to Verify

Check if Vulnerable:

Locate the installed driver via Device Manager (System devices -> Dokan Library Bus Enumerator, Driver tab) or the service key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dokan1. The ImagePath value gives only the location of dokan1.sys, not its version; read the version from the file itself (file Properties -> Details, or the file's VersionInfo in PowerShell).

Check Version:

reg query "HKLM\SYSTEM\CurrentControlSet\Services\dokan1" /v ImagePath

Open the driver file at the returned path and read its File version. Any version from 1.0.0.5000 through 1.2.0.1000 is affected. Also check Programs and Features for a "Dokan Library" entry: if a third-party application installed the driver, that application needs its own update.

Verify Fix Applied:

Confirm that dokan1.sys reports version 1.2.1.1000 or higher and that the system has been restarted since the update, so the patched driver is the one actually loaded (driverquery /v lists the loaded kernel drivers).
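The check above, as a PowerShell script added for this advisory (it is not code from the Dokan project). It resolves dokan1.sys from the service's ImagePath, compares the file version against the affected range, and lists Add/Remove Programs entries starting with "Dokan" so that a bundled install can be traced to the product that shipped it. It assumes the service key named above exists and that the driver's file version resource carries the Dokan release version.

```powershell
# Added example for CVE-2018-5410 verification; not part of the Dokan project.
# Assumptions: the driver service key is HKLM\SYSTEM\CurrentControlSet\Services\dokan1
# and dokan1.sys carries its release version (e.g. 1.2.0.1000) in its file version resource.

function Get-DokanDriverVersion {
    # Resolve the driver binary from the service's ImagePath and return its
    # file version as a [version] object, or $null if no driver is installed.
    param([string]$ServiceName = 'dokan1')

    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $svcKey)) { return $null }

    $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath) { return $null }

    # Driver ImagePaths come in several spellings: \SystemRoot\System32\drivers\dokan1.sys,
    # System32\drivers\dokan1.sys, or \??\C:\Windows\System32\drivers\dokan1.sys.
    # Normalise all of them to an ordinary Win32 path.
    $file = $imagePath -replace '^\\\?\?\\', ''
    $file = $file -replace '^\\SystemRoot', $env:SystemRoot
    if ($file -notmatch '^[A-Za-z]:\\') { $file = Join-Path $env:SystemRoot $file }
    if (-not (Test-Path $file)) { return $null }

    # Use the numeric version parts rather than the FileVersion string, which
    # may carry trailing build text that [version] cannot parse.
    $vi = (Get-Item $file).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-DokanVersionAffected {
    # Pure range check against the published affected versions, kept separate
    # so it can be exercised on a machine without Dokan installed.
    param(
        [Parameter(Mandatory)][version]$Version,
        [version]$FirstAffected = '1.0.0.5000',
        [version]$LastAffected  = '1.2.0.1000'
    )
    ($Version -ge $FirstAffected) -and ($Version -le $LastAffected)
}

function Get-DokanInstalledPackage {
    # Add/Remove Programs entries whose name starts with "Dokan". The Publisher
    # and UninstallString show whether Dokan came on its own or with another product.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem $roots -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -like 'Dokan*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

function Test-DokanVulnerable {
    $ver = Get-DokanDriverVersion
    $vulnerable = if ($ver) { Test-DokanVersionAffected -Version $ver } else { $false }
    [pscustomobject]@{
        DriverPresent = [bool]$ver
        DriverVersion = $ver
        Vulnerable    = $vulnerable
        Packages      = @(Get-DokanInstalledPackage)
    }
}

Test-DokanVulnerable | Format-List
```

Reading the service key and the file's version resource needs no administrative rights, so the script can run under the same standard account whose exposure is being assessed. A result of DriverPresent = True with Vulnerable = False but a reboot still pending means the patched file is on disk while the old driver may still be loaded; confirm with driverquery /v after restarting.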

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4688 (process creation) where the new process runs as SYSTEM while the creating account is an interactive user (requires process-creation auditing; the TargetUserName field that makes this visible exists on Windows 10 / Server 2016 and later)
  • Driver load events for dokan1.sys (Sysmon Event ID 6 on load, or System log Event ID 7045 when the kernel service is first installed) on hosts that are not expected to run Dokan

Network Indicators:

  • Not applicable - local exploitation only

SIEM Query:

EventID=4688 AND TargetUserName="SYSTEM" AND SubjectUserSid NOT IN ("S-1-5-18","S-1-5-19","S-1-5-20") AND NOT SubjectUserName="*$"

TokenElevationType is not a useful filter here: the value %%1938 marks a limited (non-elevated) token, which is the normal state of every standard-user process, so matching on it returns nearly all process creations on the host. The query above instead keys on the creator/target mismatch: in a 4688 record the Target Subject fields are filled only when the new process runs under a different token than its creator, and a non-service account creating a SYSTEM process is what a successful local privilege escalation looks like. Expect noise from legitimate elevation paths (scheduled tasks, installers, management agents); tune by ParentProcessName.
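The detection logic above as a PowerShell script, added for this advisory (not code from the original page). It reads 4688 records from the Security log, flattens the EventData into a hashtable, and reports processes created as SYSTEM by a non-system account; the rule is kept in its own function so it can be checked against a constructed record without a live log. It assumes "Audit Process Creation" is enabled and that the host is Windows 10 / Server 2016 or later, where 4688 carries the Target Subject fields.

```powershell
# Added example for CVE-2018-5410 detection; not part of the original advisory.
# Assumptions: process-creation auditing is on, and 4688 records carry
# TargetUserName / TargetUserSid (Windows 10 / Server 2016 and later).

function ConvertFrom-EventData {
    # Flatten the <EventData> of a Security event into a hashtable keyed by field name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{ TimeCreated = $Event.TimeCreated }
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Test-SystemProcessFromUser {
    # $true when the new process runs as SYSTEM (Target Subject) while the creator
    # (Subject) is an ordinary account: not the SYSTEM / LOCAL SERVICE / NETWORK SERVICE
    # SIDs and not a machine account (SYSTEM-created processes show the creator as HOST$).
    param([Parameter(Mandatory)][hashtable]$Data)
    $subject = [string]$Data['SubjectUserName']
    $sid     = [string]$Data['SubjectUserSid']
    $target  = [string]$Data['TargetUserName']
    if ($target -ne 'SYSTEM') { return $false }   # also $false when TargetUserName is "-" or absent
    if ($sid -in 'S-1-5-18', 'S-1-5-19', 'S-1-5-20') { return $false }
    if ($subject -in 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE') { return $false }
    if ($subject -eq '' -or $subject.EndsWith('$')) { return $false }
    $true
}

function Find-SystemProcessFromUser {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData -Event $_ } |
        Where-Object { Test-SystemProcessFromUser -Data $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Subject     = "$($_.SubjectDomainName)\$($_.SubjectUserName)"
                NewProcess  = $_.NewProcessName
                Parent      = $_.ParentProcessName
                CommandLine = $_.CommandLine
            }
        }
}

# Constructed sample record (not a real log entry) to exercise the rule offline:
$sample = @{
    SubjectUserName   = 'alice'
    SubjectDomainName = 'CORP'
    SubjectUserSid    = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
    TargetUserName    = 'SYSTEM'
    NewProcessName    = 'C:\Windows\System32\cmd.exe'
    ParentProcessName = 'C:\Users\alice\Downloads\poc.exe'
}
Test-SystemProcessFromUser -Data $sample   # True

# Live query over the last 24 hours (requires rights to read the Security log):
Find-SystemProcessFromUser | Format-Table -AutoSize
```

The heuristic has a known blind spot: if the exploit process replaces its own primary token with the stolen SYSTEM token before spawning a child, the 4688 Subject for that child also reads as SYSTEM (HOST$) and the rule misses it. Pair it with a parent-based view, for example Sysmon Event ID 1, whose ParentImage and User fields expose a SYSTEM process whose parent lives under a user profile, and with Sysmon Event ID 6 for loads of dokan1.sys on hosts that should not have it.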
