CVE-2024-43535
📋 TL;DR
A use-after-free in a Windows kernel-mode driver lets a local attacker who can already run code as an ordinary user corrupt kernel memory and end up with SYSTEM privileges. The affected driver ships with Windows itself, so every listed version is vulnerable until the update is installed; the bug is not remotely exploitable on its own and is typically chained after an initial foothold (phishing payload, malicious document, compromised low-privilege account).
💻 Affected Systems
- Windows
📦 What is this software?
- Windows 10 1507 by Microsoft
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
- Windows 11 23H2 by Microsoft
- Windows 11 24H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the host with SYSTEM privileges: the attacker can disable or tamper with security tooling, install persistent malware (including kernel drivers), dump credentials from LSASS, and use them to move laterally across the network.
Likely Case
Local privilege escalation from a standard user or a compromised application context to SYSTEM, used to bypass access controls, install additional tooling, or read protected data on the machine.
If Mitigated
Least privilege and EDR reduce who can reach the bug and raise the odds of catching a successful exploit, but they do not remove it. Once an attacker has kernel-mode code execution, user-mode controls on the same host (EDR agents included) can be disabled or bypassed, so only the update actually closes the hole.
🎯 Exploit Status
Local only: the attacker must already be able to run code on the host. Exploitation triggers the use-after-free in kernel memory to hijack kernel execution and swap the attacker's process token for a SYSTEM token; no exploit details are reproduced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the security update Microsoft released for this CVE in the October 2024 Patch Tuesday, or any later cumulative update (Windows cumulative updates include all earlier fixes). The KB number differs per Windows version; take it from the MSRC advisory below.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43535
Restart Required: Yes
Instructions:
1. Open Settings > Windows Update (Settings > Update & Security > Windows Update on Windows 10), or push the update through your management tooling (WSUS, Intune, Configuration Manager).
2. Click 'Check for updates'.
3. Install the offered cumulative security update.
4. Restart when prompted: the kernel component is only replaced after the reboot, so the system stays vulnerable until then.
🔧 Temporary Workarounds
Restrict local user privileges (Windows)
Apply least privilege: remove local admin rights, block untrusted code execution (AppLocker / WDAC) so attackers have a harder time getting the local code execution this bug requires, and limit which accounts can log on to sensitive hosts.
Enable exploit protection (Windows)
Windows Defender Exploit Guard adds user-mode mitigations (DEP, ASLR, CFG and friends). They raise the cost of the initial user-mode foothold but do not block a kernel-mode use-after-free, so treat them as defence in depth, not as a substitute for the update.
🧯 If You Can't Patch
- Implement strict endpoint detection and response (EDR) to detect privilege escalation attempts
- Segment networks to limit lateral movement potential from compromised systems
🔍 How to Verify
Check if Vulnerable:
Check Windows Update history for the October 2024 (or later) cumulative update. 'systeminfo' shows the major OS build (for example 19045 or 22631) but not the UBR revision that changes with every monthly update, so on its own it only tells you which Windows version you are on, not whether this month's fix is present; read the UBR from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (or 'winver') and compare the full build against the "Build Number" column in the MSRC advisory.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the KB listed for your build in the MSRC advisory (or a later cumulative update) appears in Get-HotFix output or Windows Update history. Prefer Get-HotFix over 'wmic qfe list': wmic is deprecated and absent on recent Windows 11 builds. Because later cumulative updates supersede earlier ones, the exact KB may be missing on a fully patched machine; the full build number is the authoritative check.
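The verification procedure above, worked as a PowerShell script. This is an added example, not Microsoft's own tooling: it reads the full build (including the UBR that 'systeminfo' omits) from the registry, compares it with a minimum build you take from the MSRC advisory, and runs Get-HotFix as a secondary check. The build and KB values in the usage lines are placeholders, not real identifiers.

```powershell
# Added example, not from the Microsoft advisory. Reports the exact OS build,
# including the UBR (update build revision) that changes with every cumulative
# update and that 'systeminfo' does not print, then checks it against the
# minimum patched build for your Windows version from the MSRC entry for
# CVE-2024-43535. The values in the usage lines are placeholders.

function Get-WindowsBuild {
    # Same registry keys winver reads; present on all Windows 10 and 11 builds.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product        = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion   # e.g. 22H2; not set on 1507/1607
        Build          = [version]("{0}.{1}.{2}.{3}" -f $cv.CurrentMajorVersionNumber,
                                                          $cv.CurrentMinorVersionNumber,
                                                          $cv.CurrentBuild, $cv.UBR)
    }
}

function Test-PatchedBuild {
    param(
        # Minimum build from the advisory's "Build Number" column for YOUR version,
        # e.g. '10.0.22631.NNNN' (placeholder).
        [Parameter(Mandatory)][string]$MinimumBuild
    )
    $current  = (Get-WindowsBuild).Build
    $required = [version]$MinimumBuild
    # The third field identifies the feature-update line (19045 = Win10 22H2,
    # 22631 = Win11 23H2, ...). A fix is only comparable within the same line;
    # a different line has its own fixed build in the advisory.
    if ($current.Build -ne $required.Build) {
        return [pscustomobject]@{
            Patched = $null; Current = $current
            Note    = 'Different Windows version line: look up the build for this version in the advisory.'
        }
    }
    [pscustomobject]@{ Patched = ($current -ge $required); Current = $current; Note = '' }
}

function Test-KbInstalled {
    # Secondary check via Get-HotFix (Win32_QuickFixEngineering). Cumulative
    # updates supersede each other, so a newer LCU can be installed while this
    # exact KB is absent: treat a miss as "check the build", not "unpatched".
    param([Parameter(Mandatory)][string]$Kb)
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

# Usage (substitute the real values from the MSRC advisory for your version):
#   Get-WindowsBuild
#   Test-PatchedBuild -MinimumBuild '10.0.22631.NNNN'
#   Test-KbInstalled  -Kb 'KBNNNNNNN'
```

Run it in an elevated or standard PowerShell session on each host, or wrap it in a remote invocation for a fleet; the build comparison is the result to trust, and Get-HotFix is only corroboration.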
📡 Detection & Monitoring
Log Indicators:
- Process creation (Security log Event ID 4688, requires "Audit Process Creation" to be enabled; it is off by default) where a process running as SYSTEM has a creator process that lives in a user-writable path or that was itself started by an ordinary user. That parent/child account mismatch is the footprint of a token-stealing kernel exploit.
- Driver or service installation shortly after such a process (System log Event ID 7045 for a new service, Sysmon Event ID 6 for a driver load), as a sign of post-exploitation persistence.
- Crashes or bug checks on the same host: a failed attempt at a kernel use-after-free often ends in a blue screen rather than a clean exploit.
Network Indicators:
- Unusual outbound connections from SYSTEM-context processes that were not started by services.exe or a scheduled task
- Lateral movement (SMB, RDP, WinRM logons) from a host where a previously low-privilege account just gained SYSTEM
SIEM Query:
EventID=4688 AND SubjectUserName="SYSTEM" AND ParentProcessName="C:\Users\*"
This flags SYSTEM-context process creations whose creator executable sits under a user profile; field names follow the Windows event schema (Creator Process Name is logged as ParentProcessName and exists on Windows 10 and later), so adapt them to your SIEM. Do not filter on TokenElevationType="%%1936": that value means "Default" (no split token), not "elevated" (%%1937 is Full, %%1938 is Limited), and excluding SubjectUserName="SYSTEM" drops exactly the events you want.
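The detection above, as a hunting script you can run on a host. This is an added example and not part of the original page or of any Microsoft tooling: it flattens 4688 records, tracks which account each process was created under, and flags SYSTEM children whose parent was created by an ordinary user, which catches the token-swap pattern even when the exploit binary is not under C:\Users. The sample events at the bottom are constructed for illustration.

```powershell
# Added example, not from the advisory. Hunts Security Event ID 4688 for the
# trace a successful local kernel EoP leaves: a process running as SYSTEM whose
# parent was created under an ordinary user account (the exploit swaps its own
# token for SYSTEM's and then spawns a shell). Requires "Audit Process Creation"
# (Success); the Creator Process Name field exists on Windows 10 and later.

function ConvertFrom-ProcessCreationEvent {
    # Flatten one 4688 record into the fields the correlation needs.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time          = $Event.TimeCreated
            SubjectUser   = $d['SubjectUserName']     # account of the creating process
            TargetUser    = $d['TargetUserName']      # "-" unless the child runs as another account
            NewProcessId  = [int]$d['NewProcessId']   # hex string in the XML, e.g. 0x1a4c
            NewProcess    = $d['NewProcessName']
            ParentId      = [int]$d['ProcessId']      # "Creator Process ID", also hex
            ParentProcess = $d['ParentProcessName']
        }
    }
}

function Find-SystemSpawnedByUser {
    param([Parameter(Mandatory)][object[]]$Events)
    # PID -> account the process runs as. PIDs are reused, so walk in time order
    # and let a later creation overwrite an earlier one.
    $accountOf = @{}
    foreach ($e in ($Events | Sort-Object Time)) {
        $childAccount  = if ($e.TargetUser -and $e.TargetUser -ne '-') { $e.TargetUser } else { $e.SubjectUser }
        $parentAccount = $accountOf[$e.ParentId]
        if ($childAccount -eq 'SYSTEM' -and $parentAccount -and
            $parentAccount -ne 'SYSTEM' -and -not $parentAccount.EndsWith('$')) {  # skip machine accounts
            [pscustomobject]@{
                Time   = $e.Time
                Parent = "$($e.ParentProcess) (pid $($e.ParentId), created as $parentAccount)"
                Child  = "$($e.NewProcess) (pid $($e.NewProcessId), running as $childAccount)"
            }
        }
        $accountOf[$e.NewProcessId] = $childAccount
    }
}

# Constructed sample: alice's downloaded binary (pid 0x1a4c) spawns cmd.exe as
# SYSTEM three seconds later; a services.exe child is normal and must not fire.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-10-09 09:00:00'; SubjectUser = 'alice';  TargetUser = '-'
                       NewProcessId = 0x1a4c; NewProcess = 'C:\Users\alice\Downloads\update.exe'
                       ParentId = 0x0fa0; ParentProcess = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time = [datetime]'2024-10-09 09:00:03'; SubjectUser = 'SYSTEM'; TargetUser = '-'
                       NewProcessId = 0x2210; NewProcess = 'C:\Windows\System32\cmd.exe'
                       ParentId = 0x1a4c; ParentProcess = 'C:\Users\alice\Downloads\update.exe' }
    [pscustomobject]@{ Time = [datetime]'2024-10-09 09:00:05'; SubjectUser = 'SYSTEM'; TargetUser = '-'
                       NewProcessId = 0x2300; NewProcess = 'C:\Windows\System32\svchost.exe'
                       ParentId = 0x02a8; ParentProcess = 'C:\Windows\System32\services.exe' }
)
Find-SystemSpawnedByUser -Events $sample   # reports only the cmd.exe line

# Live hunt over the last 24 hours (run elevated so the Security log is readable):
#   $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } |
#             ConvertFrom-ProcessCreationEvent
#   Find-SystemSpawnedByUser -Events $events
```

Expect a few benign hits from tooling that legitimately creates SYSTEM processes from a user context (some deployment and helpdesk agents); tune by parent path or signer rather than by suppressing SYSTEM children wholesale, since that is the signal.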