CVE-2017-0101

CVE-2017-0101 is a high-severity vulnerability in Microsoft Windows 7 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-15). The underlying weakness is classified as CWE-119.

Key facts

Description

The kernel-mode drivers in Transaction Manager in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."

Windows Transaction Manager Kernel Elevation of Privilege (CVE-2017-0101)

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2017-0101 is a local elevation-of-privilege vulnerability residing in the kernel-mode drivers that implement the Windows Transaction Manager (Tmxxx.sys). A crafted user-mode application can trigger an out-of-bounds memory operation, granting an unprivileged local attacker full system-level control. Microsoft assigned a CVSS 3.1 score of 7.8 and classified the flaw as High severity.

Background

The Windows Transaction Manager provides kernel support for atomic transaction processing across files, registry keys, and other resources. Because these routines execute in Ring 0, any memory-safety bug in their implementation becomes a direct path to privilege escalation. Transaction Manager objects are reachable from user space through documented NT system calls, making them an attractive target for local exploitation.

Root Cause

The underlying weakness is CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. The affected driver fails to adequately validate size or index values supplied during transaction object creation or manipulation. Consequently, a malicious application can perform read or write operations outside the intended buffer boundaries in kernel memory, corrupting adjacent structures and eventually hijacking execution flow.

Impact

The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H paints a stark picture for defenders:

  • Attack Vector (Local): The attacker must already have local access or be able to run code on the target system.
  • Privileges Required (None): No special user rights are needed to reach the vulnerable code path.
  • User Interaction (Required): The victim typically must execute a malicious binary, making this a second-stage payload rather than a remote entry point.
  • Scope (Unchanged): The vulnerable component is the kernel itself.
  • Confidentiality, Integrity, Availability (All High): Successful exploitation yields complete control over the affected machine.

In practical terms, a low-privilege user or a malware dropper can leverage this flaw to break out of sandboxed or restricted environments and install persistent kernel-level rootkits.

Exploitation Walkthrough

From a defensive standpoint, the typical exploitation chain looks like this:

  1. Initial Access: The attacker already has a foothold on the endpoint (phishing attachment, malicious download, or compromised standard user account).
  2. Privilege Escalation: The attacker executes a specially crafted binary that invokes the vulnerable Transaction Manager system call with malformed parameters. The buffer overflow corrupts a kernel object, allowing the attacker to overwrite a function pointer or token structure.
  3. Post-Exploitation: With SYSTEM privileges, the attacker disables security tools, establishes persistence via kernel drivers or WMI event subscriptions, and begins lateral movement.

Ethics Caveat: This description is intentionally generic and omits precise offsets, shellcode, or memory layouts. The goal is to help defenders understand the attack surface, not to provide a walkthrough for weaponization.

Affected and Patched Versions

Microsoft confirmed that the following platforms are affected:

  • Windows Vista SP2
  • Windows Server 2008 SP2 and R2
  • Windows 7 SP1
  • Windows 8.1
  • Windows Server 2012 and Server 2012 R2
  • Windows RT 8.1
  • Windows 10 (Initial Release / 1507)
  • Windows 10 Version 1511
  • Windows 10 Version 1607
  • Windows Server 2016

Microsoft released a security update addressing this vulnerability on 14 March 2017. Systems that have applied the March 2017 cumulative security updates or subsequent roll-ups are protected. The specific guidance is available via the Microsoft Security Response Center advisory (see References).

Remediation

  1. Apply Security Updates: Patch all affected systems with the March 2017 Microsoft security updates or any later cumulative update that supersedes it.
  2. Upgrade End-of-Life Systems: Windows Vista, Windows Server 2008/R2, and Windows 7 SP1 are no longer supported by Microsoft. Organizations still running these platforms should migrate to supported operating systems or purchase Extended Security Updates (ESU) where available.
  3. Compensating Controls:
    • Enforce Application Control (AppLocker or Windows Defender Application Control) to block untrusted executables from running.
    • Restrict standard users from installing or executing unapproved software.
    • Enable Attack Surface Reduction (ASR) rules to prevent Office and script-based malware from spawning child processes.

Detection

Defenders can hunt for signs of exploitation with the following telemetry sources:

  • Windows Event Logs: Monitor for Event ID 4656 (Object Access) or 4688 (Process Creation) showing unexpected processes opening \\Device\\TmLink or loading Transaction Manager-related drivers abnormally.
  • Kernel Callbacks / ETW: Use Sysmon or Microsoft Defender for Endpoint to alert on processes performing large numbers of failed NT system calls to transaction-related APIs.
  • Memory Integrity Checks: On Windows 10 and Server 2016, enable Hypervisor-Protected Code Integrity (HVCI) and Credential Guard, which can block certain classes of kernel-memory manipulation used during exploitation.
  • Endpoint Detection Rules: Look for unsigned or rare binaries executing immediately followed by a token-impersonation event or a sudden integrity-level change.

Assessment

CVE-2017-0101 carries an EPSS score of 57.48%, placing it in the 99.96th percentile of observed CVEs—meaning exploitation in the wild is statistically very likely. The vulnerability was formally added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 15 March 2022, confirming active, real-world abuse.

Key takeaways:

  1. Patch latency matters: Despite a patch being available since March 2017, the presence of this CVE on the KEV list five years later demonstrates that unpatched legacy Windows estates remain prime targets.
  2. Local EoP is not low risk: A local privilege-escalation primitive is often the decisive step that transforms a commodity malware infection into a full domain compromise. Prioritize kernel EoP bugs alongside remote-code execution flaws in your vulnerability-management program.

References

Frequently asked questions

What is CVE-2017-0101?
The kernel-mode drivers in Transaction Manager in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."
How severe is CVE-2017-0101?
CVE-2017-0101 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2017-0101 being actively exploited?
Yes. CVE-2017-0101 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-0101?
CVE-2017-0101 primarily affects Microsoft Windows 7. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2017-0101?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-0101 have an EU (EUVD) identifier?
Yes. CVE-2017-0101 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0468. It is also flagged as exploited in the EUVD (since 2022-03-15).
When was CVE-2017-0101 published?
CVE-2017-0101 was published on 2017-03-17 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Microsoft Windows 7

All CVEs affecting Microsoft Windows 7 →

Other CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) vulnerabilities

Browse all CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) vulnerabilities →