CVE-2017-0101
CVE-2017-0101 is a high-severity vulnerability in Microsoft Windows 7 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-15). The underlying weakness is classified as CWE-119.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 6.8
- EPSS exploit prediction: 57% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-15)
- EU (EUVD) id: EUVD-2017-0468
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-15)
- Weakness: CWE-119
- Affected product: Microsoft Windows 7
- Published:
- Last modified:
Description
The kernel-mode drivers in Transaction Manager in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."
Windows Transaction Manager Kernel Elevation of Privilege (CVE-2017-0101)
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2017-0101 is a local elevation-of-privilege vulnerability residing in the kernel-mode drivers that implement the Windows Transaction Manager (Tmxxx.sys). A crafted user-mode application can trigger an out-of-bounds memory operation, granting an unprivileged local attacker full system-level control. Microsoft assigned a CVSS 3.1 score of 7.8 and classified the flaw as High severity.
Background
The Windows Transaction Manager provides kernel support for atomic transaction processing across files, registry keys, and other resources. Because these routines execute in Ring 0, any memory-safety bug in their implementation becomes a direct path to privilege escalation. Transaction Manager objects are reachable from user space through documented NT system calls, making them an attractive target for local exploitation.
Root Cause
The underlying weakness is CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. The affected driver fails to adequately validate size or index values supplied during transaction object creation or manipulation. Consequently, a malicious application can perform read or write operations outside the intended buffer boundaries in kernel memory, corrupting adjacent structures and eventually hijacking execution flow.
Impact
The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H paints a stark picture for defenders:
- Attack Vector (Local): The attacker must already have local access or be able to run code on the target system.
- Privileges Required (None): No special user rights are needed to reach the vulnerable code path.
- User Interaction (Required): The victim typically must execute a malicious binary, making this a second-stage payload rather than a remote entry point.
- Scope (Unchanged): The vulnerable component is the kernel itself.
- Confidentiality, Integrity, Availability (All High): Successful exploitation yields complete control over the affected machine.
In practical terms, a low-privilege user or a malware dropper can leverage this flaw to break out of sandboxed or restricted environments and install persistent kernel-level rootkits.
Exploitation Walkthrough
From a defensive standpoint, the typical exploitation chain looks like this:
- Initial Access: The attacker already has a foothold on the endpoint (phishing attachment, malicious download, or compromised standard user account).
- Privilege Escalation: The attacker executes a specially crafted binary that invokes the vulnerable Transaction Manager system call with malformed parameters. The buffer overflow corrupts a kernel object, allowing the attacker to overwrite a function pointer or token structure.
- Post-Exploitation: With SYSTEM privileges, the attacker disables security tools, establishes persistence via kernel drivers or WMI event subscriptions, and begins lateral movement.
Ethics Caveat: This description is intentionally generic and omits precise offsets, shellcode, or memory layouts. The goal is to help defenders understand the attack surface, not to provide a walkthrough for weaponization.
Affected and Patched Versions
Microsoft confirmed that the following platforms are affected:
- Windows Vista SP2
- Windows Server 2008 SP2 and R2
- Windows 7 SP1
- Windows 8.1
- Windows Server 2012 and Server 2012 R2
- Windows RT 8.1
- Windows 10 (Initial Release / 1507)
- Windows 10 Version 1511
- Windows 10 Version 1607
- Windows Server 2016
Microsoft released a security update addressing this vulnerability on 14 March 2017. Systems that have applied the March 2017 cumulative security updates or subsequent roll-ups are protected. The specific guidance is available via the Microsoft Security Response Center advisory (see References).
Remediation
- Apply Security Updates: Patch all affected systems with the March 2017 Microsoft security updates or any later cumulative update that supersedes it.
- Upgrade End-of-Life Systems: Windows Vista, Windows Server 2008/R2, and Windows 7 SP1 are no longer supported by Microsoft. Organizations still running these platforms should migrate to supported operating systems or purchase Extended Security Updates (ESU) where available.
- Compensating Controls:
- Enforce Application Control (AppLocker or Windows Defender Application Control) to block untrusted executables from running.
- Restrict standard users from installing or executing unapproved software.
- Enable Attack Surface Reduction (ASR) rules to prevent Office and script-based malware from spawning child processes.
Detection
Defenders can hunt for signs of exploitation with the following telemetry sources:
- Windows Event Logs: Monitor for Event ID 4656 (Object Access) or 4688 (Process Creation) showing unexpected processes opening
\\Device\\TmLinkor loading Transaction Manager-related drivers abnormally. - Kernel Callbacks / ETW: Use Sysmon or Microsoft Defender for Endpoint to alert on processes performing large numbers of failed NT system calls to transaction-related APIs.
- Memory Integrity Checks: On Windows 10 and Server 2016, enable Hypervisor-Protected Code Integrity (HVCI) and Credential Guard, which can block certain classes of kernel-memory manipulation used during exploitation.
- Endpoint Detection Rules: Look for unsigned or rare binaries executing immediately followed by a token-impersonation event or a sudden integrity-level change.
Assessment
CVE-2017-0101 carries an EPSS score of 57.48%, placing it in the 99.96th percentile of observed CVEs—meaning exploitation in the wild is statistically very likely. The vulnerability was formally added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 15 March 2022, confirming active, real-world abuse.
Key takeaways:
- Patch latency matters: Despite a patch being available since March 2017, the presence of this CVE on the KEV list five years later demonstrates that unpatched legacy Windows estates remain prime targets.
- Local EoP is not low risk: A local privilege-escalation primitive is often the decisive step that transforms a commodity malware infection into a full domain compromise. Prioritize kernel EoP bugs alongside remote-code execution flaws in your vulnerability-management program.
References
Frequently asked questions
- What is CVE-2017-0101?
- The kernel-mode drivers in Transaction Manager in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."
- How severe is CVE-2017-0101?
- CVE-2017-0101 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-0101 being actively exploited?
- Yes. CVE-2017-0101 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-0101?
- CVE-2017-0101 primarily affects Microsoft Windows 7. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-0101?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-0101 have an EU (EUVD) identifier?
- Yes. CVE-2017-0101 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0468. It is also flagged as exploited in the EUVD (since 2022-03-15).
- When was CVE-2017-0101 published?
- CVE-2017-0101 was published on 2017-03-17 and last updated on 2026-06-17.
References
- http://www.securityfocus.com/bid/96625
- http://www.securitytracker.com/id/1038013
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0101
- https://www.exploit-db.com/exploits/44479/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0101
Affected products (3)
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 7
- CVE-2020-1467 — Critical (CVSS 10.0): An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully…
- CVE-2015-2373 — Critical (CVSS 10.0): The Remote Desktop Protocol (RDP) server service in Microsoft Windows 7 SP1, Windows 8, and Windows Server 2012 allows…
- CVE-2015-0014 — Critical (CVSS 10.0): Buffer overflow in the Telnet service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2…
- CVE-2014-6321 — Critical (CVSS 10.0): Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1,…
- CVE-2013-3195 — Critical (CVSS 10.0): The DSA_InsertItem function in Comctl32.dll in the Windows common control library in Microsoft Windows XP SP2, Windows…
- CVE-2013-3175 — Critical (CVSS 10.0): Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1,…
All CVEs affecting Microsoft Windows 7 →
Other CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) vulnerabilities
- CVE-2026-2778 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability was fixed in…
- CVE-2026-2776 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability…
- CVE-2025-1866 — Critical (CVSS 10.0): Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in warmcat libwebsockets allows…
- CVE-2022-27625 — Critical (CVSS 10.0): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the…
- CVE-2022-27624 — Critical (CVSS 10.0): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the…
- CVE-2020-11896 — Critical (CVSS 10.0): The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.