CVE-2024-21338
CVE-2024-21338 is a high-severity vulnerability in Microsoft Windows 10 1809 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-03-04). The underlying weakness is classified as CWE-822.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- EPSS exploit prediction: 52% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-03-04)
- EU (EUVD) id: EUVD-2024-19050
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-03-04)
- Weakness: CWE-822
- Affected product: Microsoft Windows 10 1809
- Published:
- Last modified:
Description
Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-21338: Windows Kernel Untrusted Pointer Dereference Enables Local Privilege Escalation to SYSTEM
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2024-21338 is a Windows kernel elevation-of-privilege vulnerability caused by an untrusted pointer dereference (CWE-822). A low-privileged local attacker can exploit the flaw to execute arbitrary code in kernel mode, obtaining SYSTEM-level privileges. The vulnerability carries a CVSS 3.1 score of 7.8 and has been actively exploited in the wild since at least March 2024, with confirmed use by the Lazarus advanced persistent threat (APT) group to deploy the FUDModule rootkit. It is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and has a high EPSS probability of 0.51865, indicating a near-certain likelihood of exploitation in the wild.
Background
On 13 February 2024, Microsoft disclosed CVE-2024-21338 as part of its monthly Patch Tuesday release. The vulnerability resides in the Windows kernel and allows a local attacker with low-level privileges to escalate to kernel execution. By February 2024, researchers at Avast had already observed the vulnerability being exploited as a zero-day by the North Korean Lazarus APT group, who leveraged it to bypass kernel-driver signature enforcement and deploy the FUDModule BYOVD (Bring Your Own Vulnerable Driver) rootkit. The combination of low exploitation complexity, high impact, and confirmed in-the-wild use makes this one of the most significant Windows local privilege escalation vulnerabilities of 2024.
Root Cause
CWE-822: Untrusted Pointer Dereference
The vulnerability stems from the Windows kernel improperly validating a pointer supplied from user mode before dereferencing it. When a system call or IOCTL path accepts a pointer from a low-integrity process without adequate sanitization—such as checking whether the pointer resides in user address space or verifying its alignment and bounds—the kernel can be induced to read from or write to an attacker-controlled memory location. This effectively gives the caller the ability to manipulate kernel memory directly. In the case of CVE-2024-21338, the specific kernel component involved failed to apply modern pointer-hardening checks (e.g., ProbeForRead/ProbeForWrite or ARM64/x86 Memory Manager page-table protections), resulting in a reliable local privilege escalation primitive.
Impact
CVSS 3.1: 7.8 (HIGH) — Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack Vector (AV): Local — the attacker must already have code execution on the target host.
- Attack Complexity (AC): Low — no special conditions or race conditions are required to trigger the vulnerability successfully.
- Privileges Required (PR): Low — a standard user account is sufficient; administrative or
SYSTEMaccess is not needed. - User Interaction (UI): None — the exploit can run without any action from a legitimate user.
- Scope (S): Unchanged — the vulnerable component does not affect resources beyond its own security boundary.
- Confidentiality (C), Integrity (I), Availability (A): All HIGH — successful exploitation yields full kernel-level control, enabling unrestricted data access, tampering, and denial of service.
The ransomware flag and KEV listing confirm that exploitation is not merely theoretical; it has been observed in campaigns targeting real-world organizations.
Exploitation Walkthrough
Ethics Notice: This section describes the defensive perspective and high-level mechanics of exploitation. It does not provide weaponized code, byte-level offsets, or step-by-step instructions that could be used to build a working exploit. Defenders should understand these mechanics to prioritize detection and mitigation.
An attacker who has already gained a foothold on a Windows endpoint—typically through phishing, malware dropper, or initial access broker tooling—can trigger the vulnerable kernel path by passing a malformed or attacker-controlled pointer via a legitimate system interface. The kernel dereferences the pointer without proper validation, resulting in a controlled read/write primitive inside kernel memory. From there, the attacker typically:
- Overwrites a process token or a system-call pointer in kernel memory to elevate the current process to
SYSTEMprivileges. - Disables security controls such as PatchGuard or driver signature enforcement (DSE) by patching kernel variables.
- Loads an unsigned or attacker-controlled driver (e.g., the FUDModule rootkit) to establish persistent, stealthy kernel-level access.
Defensive teams should focus on detecting the post-exploitation behaviors—such as unexpected kernel driver loads, token-impersonation events, and DSE tampering—rather than attempting to catch the single malformed pointer dereference itself, which can be difficult to observe from user-mode telemetry.
Affected and Patched Versions
Affected products (per CPE data):
- Microsoft Windows 10 Version 1809
- Microsoft Windows 10 Version 21H2
- Microsoft Windows 10 Version 22H2
- Microsoft Windows 11 Version 21H2
- Microsoft Windows 11 Version 22H2
- Microsoft Windows 11 Version 23H2
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
- Microsoft Windows Server 2022 Version 23H2
Microsoft released security updates on 13 February 2024 (Patch Tuesday) addressing this vulnerability across all supported Windows 10, Windows 11, and Windows Server editions. Organizations running end-of-life versions (e.g., Windows 10 1809 without Extended Security Updates) should treat the absence of a patch as an exposure requiring compensating controls.
Remediation
- Apply Microsoft patches immediately. Install the February 2024 (or later) cumulative updates for all affected Windows and Windows Server versions. Prioritize domain controllers, privileged-access workstations, and endpoints with high-value data.
- Remove end-of-life systems. Windows 10 versions that no longer receive mainstream support should be upgraded to a supported release or placed under Extended Security Updates (ESU) if eligible.
- Enforce least-privilege and application control. Ensure standard users do not have local administrator rights. Deploy Windows Defender Application Control (WDAC) or AppLocker to block untrusted executables from running in the first place, reducing the attacker's ability to reach the vulnerability.
- Enable Credential Guard and virtualization-based security (VBS). While these do not patch the flaw, they raise the cost of post-exploitation by isolating credential material and kernel-mode code integrity.
- Restrict driver installation. Configure
Device GuardorKernel-mode Code Integrity (KMCI)policies to allow only explicitly approved drivers, blocking BYOVD rootkits such as FUDModule from loading even after a successful privilege escalation.
Detection
- Endpoint Detection and Response (EDR): Monitor for suspicious
NtLoadDriverorSeLoadDriverPrivilegeusage from non-administrative processes. Alert on kernel driver loads that lack a valid Microsoft signature or that match known BYOVD rootkit driver hashes. - Windows Event Logs: Track Event ID 7045 (service installation) and Event ID 6 (driver load) from Sysmon. Correlate with process-create events from low-integrity user directories (
\Users\*\AppData\Local\Temp\*,\Users\*\Downloads\*). - Memory Forensics: Volatility or MemProcFS scans can reveal patched system call tables, hooked interrupt dispatch routines, or the presence of the FUDModule rootkit memory regions.
- EPSS/Threat-Intel Feeds: Maintain an EPSS threshold above 0.4 for KEV-tracked CVEs. Automate vulnerability-priority workflows so that any endpoint missing the February 2024 patch for CVE-2024-21338 is escalated for immediate remediation.
Assessment
CVE-2024-21338 sits at the intersection of high EPSS probability (0.51865, 98.8th percentile), confirmed KEV status, and real-world APT exploitation. The fact that Lazarus weaponized it as a zero-day to deploy a rootkit underscores that nation-state actors actively seek kernel privilege escalation primitives to bypass modern endpoint protections. The vulnerability is also straightforward to exploit (AC:Low, PR:Low, UI:None), meaning any commodity malware or ransomware operator can integrate the public technique once details are available.
Key lessons:
- Pointer-hardening gaps are critical. Kernel code paths that accept user-supplied pointers must enforce rigorous validation. Defensive coding standards (e.g.,
ProbeForRead,ProbeForWrite, hardened user-kernel copy routines) should be mandatory for all new kernel drivers and system calls. - Patch latency matters more than CVSS alone. The KEV listing and EPSS score should override slower risk-based patching cycles. Organizations that delayed February 2024 patches exposed themselves to a vulnerability already under active exploitation by a state-sponsored group.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
- https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
- https://packetstorm.news/files/id/190586/
- https://www.exploit-db.com/exploits/52275
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21338
Frequently asked questions
- What is CVE-2024-21338?
- Windows Kernel Elevation of Privilege Vulnerability
- How severe is CVE-2024-21338?
- CVE-2024-21338 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-21338 being actively exploited?
- Yes. CVE-2024-21338 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-03-04, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-21338?
- CVE-2024-21338 primarily affects Microsoft Windows 10 1809. In total, 9 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-21338?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-21338 have an EU (EUVD) identifier?
- Yes. CVE-2024-21338 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-19050. It is also flagged as exploited in the EUVD (since 2024-03-04).
- When was CVE-2024-21338 published?
- CVE-2024-21338 was published on 2024-02-13 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
- https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
- https://packetstorm.news/files/id/190586/
- https://www.exploit-db.com/exploits/52275
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21338
Affected products (9)
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1809
- CVE-2025-49708 — Critical (CVSS 9.9): Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges over a network.
- CVE-2026-47291 — Critical (CVSS 9.8): Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.
- CVE-2026-44815 — Critical (CVSS 9.8): Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.
- CVE-2026-33824 — Critical (CVSS 9.8): Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
- CVE-2025-60724 — Critical (CVSS 9.8): Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a…
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
All CVEs affecting Microsoft Windows 10 1809 →
Other CWE-822 vulnerabilities
- CVE-2025-50165 — Critical (CVSS 9.8): Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a…
- CVE-2023-1437 — Critical (CVSS 9.8): All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments…
- CVE-2026-48137 — Critical (CVSS 9.1): There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an…
- CVE-2025-4993 — Critical (CVSS 9.1): Untrusted Pointer Dereference vulnerability in RTI Connext Professional (Core Libraries) allows Pointer…
- CVE-2025-1255 — Critical (CVSS 9.1): Untrusted Pointer Dereference vulnerability in RTI Connext Professional (Core Libraries) allows Pointer…
- CVE-2024-36461 — Critical (CVSS 9.1): Within Zabbix, users have the ability to directly modify memory pointers in the JavaScript engine.