CVE-2023-36403

Q: What is the severity of CVE-2023-36403?

CVE-2023-36403 has a CVSS score of 7.0 (HIGH). This Windows kernel vulnerability allows attackers to elevate privileges through race conditions in memory management. It affects Windows systems where an attacker already has local access with limited privileges. Successful exploitation enables complete system compromise.

7.0 HIGH

📋 TL;DR

This Windows kernel vulnerability allows attackers to elevate privileges through race conditions in memory management. It affects Windows systems where an attacker already has local access with limited privileges. Successful exploitation enables complete system compromise.

💻 Affected Systems

Products:

Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Windows Server 2022

Versions: Multiple versions prior to October 2023 security updates

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected Windows versions are vulnerable. Requires attacker to have local access and ability to execute code.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with SYSTEM privileges, enabling installation of malware, credential theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation from standard user to SYSTEM/administrator privileges, allowing attackers to bypass security controls and maintain persistence.

🟢

If Mitigated

Limited impact with proper patch management and endpoint protection that detects kernel exploitation attempts.

🌐 Internet-Facing: LOW - Requires local access; cannot be exploited remotely over the internet.

🏢 Internal Only: HIGH - Significant risk in environments with unpatched systems where attackers gain initial foothold through phishing or other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploit requires local access and race condition timing precision. Public proof-of-concept exists on Packet Storm Security.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2023 security updates (KB5031356 for Windows 10, KB5031354 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36403

Restart Required: Yes

Instructions:

1. Apply October 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Restrict local user privileges

windows

Limit standard user accounts to prevent execution of arbitrary code

Enable Windows Defender Exploit Guard

windows

Configure exploit protection to mitigate kernel exploitation

🧯 If You Can't Patch

Implement application whitelisting to prevent unauthorized code execution
Deploy endpoint detection and response (EDR) solutions with kernel protection

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for October 2023 security updates or use 'systeminfo' command to verify OS build version

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5031356 (Windows 10) or KB5031354 (Windows 11) is installed via 'wmic qfe list' or Windows Update history

📡 Detection & Monitoring

Log Indicators:

Windows Security Event ID 4688 with suspicious parent processes
Unexpected kernel mode driver loads
Process creation from unusual locations with SYSTEM privileges

Network Indicators:

Lateral movement attempts following local privilege escalation
Unusual outbound connections from previously low-privilege accounts

SIEM Query:

EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1936"

📊 Metadata

CVE ID: CVE-2023-36403

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-591

Published: November 14, 2023

Last Updated: January 1, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36403 Patch,Vendor Advisory
http://packetstormsecurity.com/files/176209/Windows-Kernel-Race-Conditions.html Third Party Advisory,VDB Entry
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36403 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local user privileges

Enable Windows Defender Exploit Guard

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities