CVE-2024-21338

CVE-2024-21338 is a high-severity vulnerability in Microsoft Windows 10 1809 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-03-04). The underlying weakness is classified as CWE-822.

Key facts

Description

Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-21338: Windows Kernel Untrusted Pointer Dereference Enables Local Privilege Escalation to SYSTEM

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2024-21338 is a Windows kernel elevation-of-privilege vulnerability caused by an untrusted pointer dereference (CWE-822). A low-privileged local attacker can exploit the flaw to execute arbitrary code in kernel mode, obtaining SYSTEM-level privileges. The vulnerability carries a CVSS 3.1 score of 7.8 and has been actively exploited in the wild since at least March 2024, with confirmed use by the Lazarus advanced persistent threat (APT) group to deploy the FUDModule rootkit. It is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and has a high EPSS probability of 0.51865, indicating a near-certain likelihood of exploitation in the wild.

Background

On 13 February 2024, Microsoft disclosed CVE-2024-21338 as part of its monthly Patch Tuesday release. The vulnerability resides in the Windows kernel and allows a local attacker with low-level privileges to escalate to kernel execution. By February 2024, researchers at Avast had already observed the vulnerability being exploited as a zero-day by the North Korean Lazarus APT group, who leveraged it to bypass kernel-driver signature enforcement and deploy the FUDModule BYOVD (Bring Your Own Vulnerable Driver) rootkit. The combination of low exploitation complexity, high impact, and confirmed in-the-wild use makes this one of the most significant Windows local privilege escalation vulnerabilities of 2024.

Root Cause

CWE-822: Untrusted Pointer Dereference

The vulnerability stems from the Windows kernel improperly validating a pointer supplied from user mode before dereferencing it. When a system call or IOCTL path accepts a pointer from a low-integrity process without adequate sanitization—such as checking whether the pointer resides in user address space or verifying its alignment and bounds—the kernel can be induced to read from or write to an attacker-controlled memory location. This effectively gives the caller the ability to manipulate kernel memory directly. In the case of CVE-2024-21338, the specific kernel component involved failed to apply modern pointer-hardening checks (e.g., ProbeForRead/ProbeForWrite or ARM64/x86 Memory Manager page-table protections), resulting in a reliable local privilege escalation primitive.

Impact

CVSS 3.1: 7.8 (HIGH) — Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector (AV): Local — the attacker must already have code execution on the target host.
  • Attack Complexity (AC): Low — no special conditions or race conditions are required to trigger the vulnerability successfully.
  • Privileges Required (PR): Low — a standard user account is sufficient; administrative or SYSTEM access is not needed.
  • User Interaction (UI): None — the exploit can run without any action from a legitimate user.
  • Scope (S): Unchanged — the vulnerable component does not affect resources beyond its own security boundary.
  • Confidentiality (C), Integrity (I), Availability (A): All HIGH — successful exploitation yields full kernel-level control, enabling unrestricted data access, tampering, and denial of service.

The ransomware flag and KEV listing confirm that exploitation is not merely theoretical; it has been observed in campaigns targeting real-world organizations.

Exploitation Walkthrough

Ethics Notice: This section describes the defensive perspective and high-level mechanics of exploitation. It does not provide weaponized code, byte-level offsets, or step-by-step instructions that could be used to build a working exploit. Defenders should understand these mechanics to prioritize detection and mitigation.

An attacker who has already gained a foothold on a Windows endpoint—typically through phishing, malware dropper, or initial access broker tooling—can trigger the vulnerable kernel path by passing a malformed or attacker-controlled pointer via a legitimate system interface. The kernel dereferences the pointer without proper validation, resulting in a controlled read/write primitive inside kernel memory. From there, the attacker typically:

  1. Overwrites a process token or a system-call pointer in kernel memory to elevate the current process to SYSTEM privileges.
  2. Disables security controls such as PatchGuard or driver signature enforcement (DSE) by patching kernel variables.
  3. Loads an unsigned or attacker-controlled driver (e.g., the FUDModule rootkit) to establish persistent, stealthy kernel-level access.

Defensive teams should focus on detecting the post-exploitation behaviors—such as unexpected kernel driver loads, token-impersonation events, and DSE tampering—rather than attempting to catch the single malformed pointer dereference itself, which can be difficult to observe from user-mode telemetry.

Affected and Patched Versions

Affected products (per CPE data):

  • Microsoft Windows 10 Version 1809
  • Microsoft Windows 10 Version 21H2
  • Microsoft Windows 10 Version 22H2
  • Microsoft Windows 11 Version 21H2
  • Microsoft Windows 11 Version 22H2
  • Microsoft Windows 11 Version 23H2
  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2022
  • Microsoft Windows Server 2022 Version 23H2

Microsoft released security updates on 13 February 2024 (Patch Tuesday) addressing this vulnerability across all supported Windows 10, Windows 11, and Windows Server editions. Organizations running end-of-life versions (e.g., Windows 10 1809 without Extended Security Updates) should treat the absence of a patch as an exposure requiring compensating controls.

Remediation

  1. Apply Microsoft patches immediately. Install the February 2024 (or later) cumulative updates for all affected Windows and Windows Server versions. Prioritize domain controllers, privileged-access workstations, and endpoints with high-value data.
  2. Remove end-of-life systems. Windows 10 versions that no longer receive mainstream support should be upgraded to a supported release or placed under Extended Security Updates (ESU) if eligible.
  3. Enforce least-privilege and application control. Ensure standard users do not have local administrator rights. Deploy Windows Defender Application Control (WDAC) or AppLocker to block untrusted executables from running in the first place, reducing the attacker's ability to reach the vulnerability.
  4. Enable Credential Guard and virtualization-based security (VBS). While these do not patch the flaw, they raise the cost of post-exploitation by isolating credential material and kernel-mode code integrity.
  5. Restrict driver installation. Configure Device Guard or Kernel-mode Code Integrity (KMCI) policies to allow only explicitly approved drivers, blocking BYOVD rootkits such as FUDModule from loading even after a successful privilege escalation.

Detection

  • Endpoint Detection and Response (EDR): Monitor for suspicious NtLoadDriver or SeLoadDriverPrivilege usage from non-administrative processes. Alert on kernel driver loads that lack a valid Microsoft signature or that match known BYOVD rootkit driver hashes.
  • Windows Event Logs: Track Event ID 7045 (service installation) and Event ID 6 (driver load) from Sysmon. Correlate with process-create events from low-integrity user directories (\Users\*\AppData\Local\Temp\*, \Users\*\Downloads\*).
  • Memory Forensics: Volatility or MemProcFS scans can reveal patched system call tables, hooked interrupt dispatch routines, or the presence of the FUDModule rootkit memory regions.
  • EPSS/Threat-Intel Feeds: Maintain an EPSS threshold above 0.4 for KEV-tracked CVEs. Automate vulnerability-priority workflows so that any endpoint missing the February 2024 patch for CVE-2024-21338 is escalated for immediate remediation.

Assessment

CVE-2024-21338 sits at the intersection of high EPSS probability (0.51865, 98.8th percentile), confirmed KEV status, and real-world APT exploitation. The fact that Lazarus weaponized it as a zero-day to deploy a rootkit underscores that nation-state actors actively seek kernel privilege escalation primitives to bypass modern endpoint protections. The vulnerability is also straightforward to exploit (AC:Low, PR:Low, UI:None), meaning any commodity malware or ransomware operator can integrate the public technique once details are available.

Key lessons:

  1. Pointer-hardening gaps are critical. Kernel code paths that accept user-supplied pointers must enforce rigorous validation. Defensive coding standards (e.g., ProbeForRead, ProbeForWrite, hardened user-kernel copy routines) should be mandatory for all new kernel drivers and system calls.
  2. Patch latency matters more than CVSS alone. The KEV listing and EPSS score should override slower risk-based patching cycles. Organizations that delayed February 2024 patches exposed themselves to a vulnerability already under active exploitation by a state-sponsored group.

References

Frequently asked questions

What is CVE-2024-21338?
Windows Kernel Elevation of Privilege Vulnerability
How severe is CVE-2024-21338?
CVE-2024-21338 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-21338 being actively exploited?
Yes. CVE-2024-21338 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-03-04, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-21338?
CVE-2024-21338 primarily affects Microsoft Windows 10 1809. In total, 9 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-21338?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-21338 have an EU (EUVD) identifier?
Yes. CVE-2024-21338 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-19050. It is also flagged as exploited in the EUVD (since 2024-03-04).
When was CVE-2024-21338 published?
CVE-2024-21338 was published on 2024-02-13 and last updated on 2026-06-17.

References

Affected products (9)

More vulnerabilities in Microsoft Windows 10 1809

All CVEs affecting Microsoft Windows 10 1809 →

Other CWE-822 vulnerabilities

Browse all CWE-822 vulnerabilities →