Use After Free (CWE-416)
Windows Graphics Component Elevation of Privilege Vulnerability. This is a local vulnerability with a low attack complexity that requires low privileges and no user interaction. It has high impacts on confidentiality, integrity, and availability. The vulnerability is classified as a Use After Free (CWE-416) issue.
This vulnerability allows an attacker with low privileges to elevate their privileges on a local Windows system. The high impact on confidentiality, integrity, and availability suggests that an attacker could potentially gain full control over the affected system, access sensitive information, modify critical data, and disrupt system operations. The CVSS v3.1 base score is 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a severe local threat.
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
A patch is available. Microsoft has released an official fix for this vulnerability on July 9, 2024. Security teams should prioritize applying this patch, especially on systems that handle sensitive information or are critical to operations.
Apply the latest security updates from Microsoft as soon as possible. Prioritize patching systems that handle sensitive information or are critical to operations. Limit user privileges and ensure the principle of least privilege is followed. Monitor for suspicious activities, especially attempts to escalate privileges.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Detection for the vulnerability has been added to Qualys (92149)
NVD published the first details for CVE-2024-38085
Feedly found the first article mentioning CVE-2024-38085. See article
Feedly estimated the CVSS score as MEDIUM
Feedly estimated the CVSS score as HIGH
This CVE started to trend in security discussions
EPSS Score was set to: 0.04% (Percentile: 9.2%)
This CVE stopped trending in security discussions
CVE-2024-38085 is a critical vulnerability in the Windows Win32 Kernel Subsystem, with a CVSS score of 7.8. The provided information does not specify whether it is being exploited in the wild, nor does it mention the existence of proof-of-concept exploits, mitigations, detections, patches, or any downstream impacts on third-party vendors or technology. Further investigation would be necessary to assess the full scope and implications of this vulnerability. See article