A critical Windows Registry Elevation of Privilege vulnerability has been identified as CVE-2024-43641. The flaw, which affects various editions of Windows Server 2025, Windows 10, and Windows 11, has been assigned a CVSS v3.1 score of 7.8, indicating high severity.
The vulnerability stems from an integer overflow or wraparound in the Windows Registry, potentially allowing attackers to execute arbitrary code with elevated privileges.
Particularly vulnerable are x64 and ARM64-based systems, as well as some 32-bit systems running Windows versions from Server 2008 to Server 2025 and Windows 10 to Windows 11.
The discovery of this vulnerability class, termed “False File Immutability” (FFI), is attributed to Gabriel Landau’s recent research presented at BlueHat IL 2024 and REcon Montreal 2024.
FFI occurs when code assumes files cannot be modified because they were opened without FILE_SHARE_WRITE. However, in certain scenarios, attackers can modify files even when write sharing is denied, leading to double-read vulnerabilities.
PoC Exploit Released – CVE-2024-43641
The exploit leverages a design oversight in Windows registry hive memory management. During the loading of registry hives, under specific memory pressure conditions, it is possible for the same memory pages to be fetched, evicted, and re-read from the underlying medium.
This creates a security issue where a malicious SMB server could respond with different data to each of the two requests, potentially breaking the kernel’s assumptions.
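The double-read described above is the classic double-fetch (TOCTOU) shape: a value is validated on one read from a medium the reader does not control, then used after a second read that was never re-validated. The following added example, which is not code from the article or from the researchers' PoC, models that pattern in plain C. The `bin_header_t` layout, `BIN_CAPACITY`, and the backing store that answers each fetch differently are constructed stand-ins for this illustration (the real hive bin header format is not reproduced here). It places the double-read parser beside the hardened single-snapshot version so the difference in what size the caller ends up trusting is visible.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a hive bin header (constructed for this example;
 * it is NOT the real hbin layout): a 4-byte signature and a 4-byte size. */
#define BIN_SIGNATURE 0x6e696268u   /* "hbin" read as little-endian bytes */
#define BIN_CAPACITY  8192u         /* constructed: bytes the kernel allocated for this bin */

typedef struct {
    uint32_t signature;
    uint32_t size;
} bin_header_t;

/* Models the backing medium (e.g. a hive file served over SMB). Every call is
 * one page fetch, and the medium is free to answer each fetch differently,
 * which is exactly the immutability assumption FFI breaks. */
typedef struct {
    bin_header_t responses[2];  /* answer to the 1st fetch, answer to every later fetch */
    unsigned fetches;
} backing_store_t;

static void fetch_header(backing_store_t *bs, bin_header_t *out) {
    *out = bs->responses[bs->fetches == 0 ? 0 : 1];
    bs->fetches++;
}

static int header_is_sane(const bin_header_t *h) {
    return h->signature == BIN_SIGNATURE && h->size >= 8 && h->size <= BIN_CAPACITY;
}

/* Double-read pattern: the header is validated after the first fetch, but
 * once the page is evicted the code re-reads it and trusts the fresh copy
 * without re-validating. Returns the size the caller would go on to use
 * (0 = rejected). */
uint32_t bin_size_double_read(backing_store_t *bs) {
    bin_header_t h;
    fetch_header(bs, &h);
    if (!header_is_sane(&h))
        return 0;
    /* ... memory pressure evicts the page; the next access re-reads it ... */
    fetch_header(bs, &h);
    return h.size;   /* may now exceed BIN_CAPACITY */
}

/* Single-read pattern: snapshot the header once into memory the medium cannot
 * touch, validate that snapshot, and use only the snapshot from then on. */
uint32_t bin_size_single_read(backing_store_t *bs) {
    bin_header_t snapshot;
    fetch_header(bs, &snapshot);
    if (!header_is_sane(&snapshot))
        return 0;
    return snapshot.size;   /* always <= BIN_CAPACITY */
}

/* Constructed scenario: an honest header on the first fetch, an oversized
 * size field on every re-read. */
backing_store_t make_flipping_store(void) {
    backing_store_t bs;
    memset(&bs, 0, sizeof bs);
    bs.responses[0].signature = BIN_SIGNATURE;
    bs.responses[0].size = 4096;
    bs.responses[1].signature = BIN_SIGNATURE;
    bs.responses[1].size = 0x7ffffff0u;  /* far past the 8 KiB the kernel allocated */
    return bs;
}

uint32_t demo_double_read(void) {
    backing_store_t bs = make_flipping_store();
    return bin_size_double_read(&bs);
}

uint32_t demo_single_read(void) {
    backing_store_t bs = make_flipping_store();
    return bin_size_single_read(&bs);
}

int main(void) {
    uint32_t dbl = demo_double_read();
    uint32_t sgl = demo_single_read();
    printf("double-read trusts size %" PRIu32 " (%s)\n", dbl,
           dbl > BIN_CAPACITY ? "OUT OF BOUNDS" : "ok");
    printf("single-read trusts size %" PRIu32 " (%s)\n", sgl,
           sgl > BIN_CAPACITY ? "OUT OF BOUNDS" : "ok");
    return 0;
}
```

The defensive rule the hardened version follows is the one that matters for any parser of paged or remotely backed data: copy what you validate into memory only you can write, and never touch the original again after the check.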
Mateusz Jurczyk of Google Project Zero, who shared the PoC, demonstrated the exploit using a Linux-based SMB server running Python scripts to manipulate the hive file. The PoC worked successfully on Windows 11 23H2 with the July 2024 patches installed.
To reproduce the vulnerability, researchers used a test environment with a Windows 11 VM (4 GB RAM) and a separate Linux VM running a Python-based SMB server.
The exploit involves preparing a large hive file (around 900 MB), creating memory pressure, and using a malicious SMB server to replace hive data between consecutive read requests.
The vulnerability exploits the bin header structure format in the Windows Registry, allowing an attacker to set a controlled number of bits to 1 at a controlled out-of-bounds offset relative to an arbitrarily sized buffer. This results in a powerful memory corruption primitive[5].
Microsoft has acknowledged the vulnerability and released KB5036980 Preview with one of the suggested fixes. The fix reached general availability for Windows 11 23H2 as KB5037771, although testing on other platforms remains pending[4].
As always, users and system administrators are advised to apply the latest security updates and remain vigilant against potential exploits. The cybersecurity community continues to monitor the situation for any signs of active exploitation in the wild.