CVE-2019-1185 – CVE-2019-1185 is a stack corruption vulnerabili... (How to Fix)

Q: What is the severity of CVE-2019-1185?

CVE-2019-1185 has a CVSS score of 7.3 (HIGH). CVE-2019-1185 is a stack corruption vulnerability in Windows Subsystem for Linux that allows local attackers to execute arbitrary code with elevated privileges. This affects Windows systems with WSL enabled where an authenticated user could run a malicious application. The vulnerability enables privilege escalation from a standard user account to higher system permissions.

📋 TL;DR

CVE-2019-1185 is a stack corruption vulnerability in Windows Subsystem for Linux that allows local attackers to execute arbitrary code with elevated privileges. This affects Windows systems with WSL enabled where an authenticated user could run a malicious application. The vulnerability enables privilege escalation from a standard user account to higher system permissions.

💻 Affected Systems

Products:

Windows Subsystem for Linux (WSL)

Versions: Windows 10 versions 1903 and earlier, Windows Server 2019 and earlier

Operating Systems: Windows 10, Windows Server 2019

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when Windows Subsystem for Linux is installed and enabled. WSL is not installed by default on most Windows systems.

📦 What is this software?

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise where an attacker gains SYSTEM-level privileges, installs persistent malware, accesses sensitive data, and pivots to other systems.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional malware, or access restricted system resources.

🟢

If Mitigated

Limited impact with proper patch management and restricted user privileges, though local authenticated users could still attempt exploitation.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.

🏢 Internal Only: HIGH - Internal users with standard accounts could exploit this to gain elevated privileges and potentially compromise the entire system.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local authenticated access and knowledge of WSL internals. The vulnerability involves stack corruption which requires careful memory manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Windows 10 version 1903 KB4512941 and later updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1185

Restart Required: Yes

Instructions:

1. Open Windows Update settings. 2. Check for updates. 3. Install all available security updates. 4. Restart the system when prompted. 5. Verify the update was applied successfully.

🔧 Temporary Workarounds

Disable Windows Subsystem for Linux

windows

Disables WSL feature entirely, removing the vulnerable component

dism.exe /online /disable-feature /featurename:Microsoft-Windows-Subsystem-Linux

Restrict user privileges

all

Implement least privilege principle to limit potential damage from successful exploitation

🧯 If You Can't Patch

Disable Windows Subsystem for Linux feature if not required
Implement strict access controls and monitor for suspicious privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and if WSL is enabled. Vulnerable if Windows 10 version 1903 or earlier with WSL installed.

Check Version:

winver

Verify Fix Applied:

Verify Windows build number is 18362.356 or later for Windows 10 version 1903, or check that KB4512941 or later security update is installed.

📡 Detection & Monitoring

Log Indicators:

Unusual process creation with elevated privileges from WSL processes
Security event logs showing privilege escalation attempts

Network Indicators:

Not applicable - local vulnerability

SIEM Query:

EventID=4688 AND NewProcessName contains *wsl* AND SubjectUserName != SYSTEM

📊 Metadata

CVE ID: CVE-2019-1185

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: August 14, 2019

Last Updated: February 20, 2026

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1185 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1185 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-1185, you might also want to check these: