CVE-2024-30088
CVE-2024-30088 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-10-15). The underlying weakness is classified as CWE-367.
Key facts
- Severity: High (CVSS 3.x base score 7.0)
- EPSS exploit prediction: 68% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-10-15)
- EU (EUVD) id: EUVD-2024-28025
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-10-15)
- Weakness: CWE-367
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-30088: Windows Kernel Time-of-Check Time-of-Use Race Condition Enabling Local Privilege Escalation
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2024-30088 is a privilege-escalation vulnerability in the Windows kernel. A low-privileged local attacker can exploit a race condition to gain elevated privileges. Microsoft has patched this flaw; CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 15 October 2024, and the EU Cybersecurity Agency lists it as actively exploited since the same date.
Background
The vulnerability resides in a Windows kernel component where resource-state validation and subsequent use are not performed atomically. This class of issue is notoriously difficult to detect in code review because the vulnerable window may be extremely narrow and dependent on system scheduling. Windows kernel-mode code is trusted to enforce security boundaries between user sessions and privilege levels; a flaw here undermines that trust.
Root Cause
The underlying weakness is CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition. The kernel validates a resource property (for example, a handle or pointer) and then operates on that resource in a separate step. If an attacker can change the resource between the check and the use, the kernel may operate on attacker-controlled data. In this case, the race condition leads to an out-of-bounds or type-confusion scenario that the attacker leverages to elevate privileges.
Impact
Microsoft assigned this vulnerability a CVSS v3.1 score of 7.0 (HIGH) with the vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
- Attack Vector (AV): Local — The attacker must already have local access to the system.
- Attack Complexity (AC): High — Successful exploitation requires winning a race condition, which is non-trivial.
- Privileges Required (PR): Low — The attacker needs only a low-privileged local account.
- User Interaction (UI): None — No user action is needed.
- Scope (S): Unchanged — The vulnerable component does not impact resources beyond its security scope.
- Confidentiality, Integrity, and Availability (C/I/A): High — Successful exploitation grants the attacker complete control over the affected system.
The EPSS score is 0.68202 (99.243rd percentile), indicating a very high probability of active exploitation in the wild.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive and detection purposes only. It describes the conceptual attack path without providing weaponized code.
An attacker with low-privileged local access prepares a multi-threaded execution environment. One thread repeatedly triggers the vulnerable kernel path while another thread manipulates the shared resource (for example, swapping a handle or rewriting a structure in user memory mapped into the kernel). The goal is to land the race window such that the kernel dereferences or operates on attacker-controlled data. Because the vulnerability is in kernel mode, successful exploitation typically yields execution in ring 0, allowing the attacker to overwrite process tokens and escalate to SYSTEM. The high attack-complexity rating reflects the number of attempts and precise timing required, not impossibility — the KEV and EU exploitation confirmations prove it is being achieved.
Affected and Patched Versions
Microsoft has confirmed that the following product lines are affected:
- Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Windows 11 (versions 21H2, 22H2, 23H2)
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022 (including 23H2)
Exact patched build numbers are available in the Microsoft Security Response Center (MSRC) advisory. Organizations should verify they are running a build released on or after the June 2024 Patch Tuesday cycle.
Remediation
- Apply the security update from Microsoft as soon as possible. This vulnerability is being actively exploited; delay increases risk.
- Enable automatic updates for Windows systems to reduce patch lag.
- Apply the principle of least privilege — restrict local interactive logon to only those users who require it.
- Enable Credential Guard and other Windows hardening features to limit the value of SYSTEM-level compromise.
- Review and restrict execution of untrusted code on endpoints to reduce the attack surface for low-privileged initial access.
Detection
- Monitor for unexpected privilege-escalation events (e.g., processes running as SYSTEM spawned from low-integrity contexts).
- Use ETW (Event Tracing for Windows) telemetry to capture kernel object-handle manipulations around the vulnerable component.
- Look for suspicious multi-threaded processes exhibiting high CPU in kernel mode combined with repeated system-call patterns.
- Correlate endpoint telemetry with the CISA KEV and EUVD-2024-28025 entries to prioritize alerts.
Assessment
This vulnerability is a textbook example of why TOCTOU flaws in kernel code are so dangerous: a single scheduling coincidence can collapse the entire system security boundary. The EPSS score of 0.68 and confirmed presence on both the CISA KEV catalog and the EU exploited-vulnerabilities list make this a clear patch-now priority. Two lessons stand out:
- Atomic operations matter. Validation and use should occur within a single atomic context whenever feasible; where that is impossible, defensive copying or reference counting should be employed.
- Patch velocity is a security control. The gap between patch release and confirmed in-the-wild exploitation here was only months; organizations with sluggish patching cycles were exposed to a known, actively exploited high-impact vulnerability.
References
Frequently asked questions
- What is CVE-2024-30088?
- Windows Kernel Elevation of Privilege Vulnerability
- How severe is CVE-2024-30088?
- CVE-2024-30088 has a CVSS 3.x base score of 7.0, rated high severity. It is exploitable over local access with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-30088 being actively exploited?
- Yes. CVE-2024-30088 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-10-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-30088?
- CVE-2024-30088 primarily affects Microsoft Windows 10 1507. In total, 13 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-30088?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-30088 have an EU (EUVD) identifier?
- Yes. CVE-2024-30088 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-28025. It is also flagged as exploited in the EUVD (since 2024-10-15).
- When was CVE-2024-30088 published?
- CVE-2024-30088 was published on 2024-06-11 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30088
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-30088
Affected products (13)
- cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…
All CVEs affecting Microsoft Windows 10 1507 →
Other CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) vulnerabilities
- CVE-2026-25641 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a…
- CVE-2025-64180 — Critical (CVSS 10.0): Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical…
- CVE-2025-34027 — Critical (CVSS 10.0): The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy…
- CVE-2026-25052 — Critical (CVSS 9.9): n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file…
- CVE-2025-13032 — Critical (CVSS 9.9): Double fetch in sandbox kernel driver in Avast/AVG Antivirus <25.3 on windows allows local attacker to escalate…
- CVE-2026-53838 — Critical (CVSS 9.8): OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes…
Browse all CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) vulnerabilities →