Case Studies

Driver Type → Attack Surface → Vuln Class → Primitive → Case Study

This is the core of KernelSight: 134 real-world Windows kernel CVEs, dissected from root cause through exploitation to patch. Every entry traces the full pipeline, showing how a driver type exposes an attack surface, which harbors a vulnerability class, which yields a primitive, which becomes a chain to SYSTEM.

The corpus is not just a reference list. It is a structured dataset built for pattern recognition. Researchers studying CLFS will find twelve entries spanning four years and five distinct bug classes, revealing how Microsoft's incremental fixes kept leaving adjacent parsing logic unpatched. Those tracking BYOVD trends will find 41 third-party driver case studies documenting the shift from arbitrary R/W primitives (2019-2023) to process termination as the dominant abuse pattern (2024-2026). And anyone building detection will find YARA rules, ETW indicators, behavioral signatures, and AutoPiff rules attached to the entries where they matter most.

Fifty-two of these CVEs were exploited in the wild. Three of them were zero-days when patched. The dataset covers 62 unique drivers, from first-party Microsoft kernel components to obscure vendor utilities that threat actors have turned into weapons.

Browse by CVE, by driver, or by exploitation status below.

CVE Index

CVE Driver Class ITW Build (Vuln / Fix)
CVE-2026-21519 dwmcore.dll Type Confusion Yes
CVE-2026-21533 Remote Desktop Services Elevation of Privilege Yes
CVE-2026-21253 msfs.sys Use-After-Free No
CVE-2026-21231 ntoskrnl.exe Race Condition Yes
CVE-2026-20922 ntfs.sys Buffer Overflow (Heap) No
CVE-2026-20876 VBS Enclave Buffer Overflow (Heap) No
CVE-2026-20857 cldflt.sys Elevation of Privilege No
CVE-2026-20842 dwmcore.dll Elevation of Privilege No
CVE-2026-20840 ntfs.sys Buffer Overflow (Heap) No
CVE-2026-20822 win32kfull.sys Use-After-Free No
CVE-2026-20820 clfs.sys Buffer Overflow (Heap) No
CVE-2026-20814 dxgkrnl.sys Elevation of Privilege No
CVE-2026-2636 clfs.sys Denial of Service No
CVE-2025-62221 cldflt.sys Use-After-Free Yes
CVE-2025-64680 dwmcore.dll Buffer Overflow (Heap) No
CVE-2025-64673 storvsp.sys Elevation of Privilege No
CVE-2025-62470 clfs.sys Buffer Overflow (Heap) No
CVE-2025-62458 win32k.sys Elevation of Privilege No
CVE-2025-62457 cldflt.sys Out-of-Bounds Read No
CVE-2025-62454 cldflt.sys Elevation of Privilege No
CVE-2025-62217 afd.sys Elevation of Privilege No
CVE-2025-62213 afd.sys Use-After-Free No
CVE-2025-62215 ntoskrnl.exe Race Condition / Double-Free Yes
CVE-2025-60719 afd.sys Use-After-Free / Race Condition No
CVE-2025-60709 clfs.sys Out-of-Bounds Read No
CVE-2025-59254 dwmcore.dll Elevation of Privilege No
CVE-2025-59230 rasman.sys Elevation of Privilege Yes
CVE-2025-58722 dwmcore.dll Elevation of Privilege No
CVE-2025-55681 dwmcore.dll Out-of-Bounds Access No
CVE-2025-55680 cldflt.sys Race Condition / TOCTOU No
CVE-2025-55228 win32k.sys Race Condition No
CVE-2025-54916 ntfs.sys Buffer Overflow (Stack) No
CVE-2025-54110 ntoskrnl.exe Integer Overflow No
CVE-2025-53804 ntoskrnl.exe Information Disclosure No
CVE-2025-53803 ntoskrnl.exe Information Disclosure No
CVE-2025-53718 afd.sys Use-After-Free No
CVE-2025-53149 ksthunk.sys Buffer Overflow (Heap) No
CVE-2025-53147 afd.sys Use-After-Free No
CVE-2025-49762 afd.sys Race Condition No
CVE-2025-49733 win32k.sys Use-After-Free No
CVE-2025-49675 ksthunk.sys Use-After-Free No
CVE-2025-49667 win32k.sys Double Free No
CVE-2025-49661 afd.sys Untrusted Pointer Dereference No
CVE-2025-47982 storvsp.sys Improper Input Validation No
CVE-2025-32722 storport.sys Information Disclosure No
CVE-2025-32713 clfs.sys Buffer Overflow (Heap) No
CVE-2025-32709 afd.sys Use-After-Free Yes
CVE-2025-32706 clfs.sys Buffer Overflow (Heap) Yes
CVE-2025-32701 clfs.sys Use-After-Free Yes
CVE-2025-30400 dwmcore.dll Use-After-Free Yes
CVE-2025-29829 Trusted Runtime Interface Information Disclosure No
CVE-2025-29824 clfs.sys Use-After-Free / Logic Bug Yes 10.0.26100.3476 / 10.0.26100.3775
CVE-2025-27732 win32k.sys Improper Memory Locking No
CVE-2025-24993 ntfs.sys Buffer Overflow / Bounds Check Yes 10.0.22621.4830 / 10.0.22621.4890
CVE-2025-24992 ntfs.sys Information Disclosure No
CVE-2025-24991 ntfs.sys Information Disclosure (OOB Read) Yes
CVE-2025-24985 fastfat.sys Integer Overflow Yes 10.0.22621.4830 / 10.0.22621.5037
CVE-2025-24984 ntfs.sys Information Disclosure Yes
CVE-2025-24983 win32k.sys Use-After-Free / Race Condition Yes
CVE-2025-24990 ltmdm64.sys Untrusted Pointer Dereference Yes
CVE-2025-24066 ks.sys Buffer Overflow (Heap) No
CVE-2025-24067 mskssrv.sys Buffer Overflow (Heap) No
CVE-2025-24063 ks.sys Buffer Overflow (Heap) No
CVE-2025-24058 dwmcore.dll Improper Input Validation No
CVE-2025-24052 ltmdm64.sys Buffer Overflow (Stack) No
CVE-2025-24044 win32k.sys Use-After-Free No
CVE-2025-24046 ks.sys Double Free No
CVE-2025-21418 afd.sys Buffer Overflow (Heap) Yes
CVE-2025-21367 win32k.sys Race Condition No
CVE-2025-21334 vkrnlintvsp.sys Use-After-Free Yes
CVE-2025-21335 vkrnlintvsp.sys Use-After-Free Yes
CVE-2025-21333 vsp.sys Buffer Overflow Yes 10.0.26100.2605 / 10.0.26100.2894
CVE-2024-55414 smserl64.sys Physical Memory Mapping No
CVE-2024-49138 clfs.sys Buffer Overflow / Bounds Check Yes 10.0.22621.4541 / 10.0.22621.4601
CVE-2024-49114 cldflt.sys Buffer Overflow No 10.0.22621.4460 / 10.0.22621.4602
CVE-2024-38256 win32k.sys Information Disclosure No 10.0.22621.3958 / 10.0.22621.4169
CVE-2024-38238 ksthunk.sys MDL Handling No 10.0.22621.4036 / 10.0.22621.4169
CVE-2026-21241 afd.sys Use-After-Free / Race Condition No
CVE-2024-38193 afd.sys Use-After-Free / Lifetime Yes 10.0.22621.3672 / 10.0.22621.4036
CVE-2024-38106 ntoskrnl.exe Race Condition / TOCTOU Yes 10.0.22621.3958 / 10.0.22621.4169
CVE-2024-38063 tcpip.sys Integer Overflow No 10.0.22621.3958 / 10.0.22621.4036
CVE-2024-38054 ksthunk.sys IOCTL Hardening No 10.0.22621.3733 / 10.0.22621.3880
CVE-2024-35250 ks.sys IOCTL Hardening Yes 10.0.22621.3672 / 10.0.22621.3733
CVE-2024-30089 mskssrv.sys Use-After-Free / Lifetime No 10.0.22621.2506 / 10.0.22621.3733
CVE-2024-30088 ntoskrnl.exe Race Condition / TOCTOU Yes 10.0.22621.3672 / 10.0.22621.3733
CVE-2024-30085 cldflt.sys Buffer Overflow / Bounds Check No 10.0.22621.3672 / 10.0.22621.3733
CVE-2024-26229 csc.sys Authorization / Access Check No 10.0.22621.1 / 10.0.22621.3447
CVE-2024-21338 appid.sys IOCTL Hardening Yes 10.0.22621.2506 / 10.0.22621.3155
CVE-2024-21302 ntoskrnl.exe State Hardening No 10.0.22621.3958 / 10.0.22621.4169
CVE-2023-36802 mskssrv.sys Type Confusion Yes 10.0.22621.1848 / 10.0.22621.2283
CVE-2023-36424 clfs.sys Pool Hardening No 10.0.22621.2506 / 10.0.22621.2715
CVE-2023-36036 cldflt.sys Buffer Overflow / Bounds Check Yes 10.0.22621.2506 / 10.0.22621.2715
CVE-2023-32019 ntoskrnl.exe Information Disclosure No 10.0.22621.1702 / 10.0.22621.1848
CVE-2023-31096 agrsm64.sys Buffer Overflow (Stack) No
CVE-2023-29360 mskssrv.sys MDL Handling No 10.0.22621.1702 / 10.0.22621.1848
CVE-2023-29336 win32kfull.sys Object Management Yes 10.0.22621.1555 / 10.0.22621.1635
CVE-2023-28252 clfs.sys Buffer Overflow / Bounds Check Yes 10.0.22621.1265 / 10.0.22621.1555
CVE-2023-28218 afd.sys Integer Overflow No 10.0.22621.1344 / 10.0.22621.1555
CVE-2023-21768 afd.sys User Boundary Validation No 10.0.22621.608 / 10.0.22621.1105
CVE-2022-37969 clfs.sys Buffer Overflow / Bounds Check Yes 10.0.22621.1 / 10.0.22621.521
CVE-2022-21907 http.sys String Handling No 10.0.22621.1 / 10.0.22621.382
CVE-2022-21882 win32kbase.sys Type Confusion Yes 10.0.22621.1 / 10.0.22621.382

Third-Party Drivers

Vendor Utility Drivers

CVE / ID Driver Vendor Class ITW Status
CVE-2021-21551 DBUtil_2_3.sys Dell Arbitrary R/W Yes Blocklisted
CVE-2019-16098 RTCore64.sys MSI Arbitrary R/W Yes Blocklisted
CVE-2018-19320 gdrv.sys Gigabyte Arbitrary R/W Yes Blocklisted
CVE-2015-2291 iqvw64e.sys Intel Arbitrary R/W Yes Blocklisted
CVE-2020-15368 HW.sys Marvin Test Arbitrary R/W Yes Blocklisted
CVE-2022-3699 LenovoDiagnosticsDriver.sys Lenovo Arbitrary R/W Yes Blocklisted
CVE-2019-18845 Viper RGB driver Patriot Arbitrary R/W No Withdrawn
CVE-2019-8372 LG LSB driver LG Arbitrary Write No Withdrawn
CVE-2023-41444 iREC.sys iREC Arbitrary R/W No Still loadable
CVE-2025-45737 NeacController.sys NEAC Arbitrary R/W No Still loadable
ATSZIO64.sys ATSZIO64.sys ASUS Arbitrary R/W Yes Blocklisted
CVE-2025-1533 AsIO3.sys ASUS Stack Overflow No Blocklisted
CVE-2025-3464 AsIO3.sys ASUS Auth Bypass / Arb Decrement No Blocklisted
AsIO3.sys AsIO3.sys ASRock/ASUS Arbitrary R/W Yes Blocklisted
CVE-2023-1048 WinRing0x64.sys OpenLibSys / TechPowerUp / Razer / many MSR Write / Phys Mem R/W Yes Blocklisted
CVE-2023-1676 mydrivers64.sys DriverGenius MSR Write / Phys Mem R/W No Still loadable
CVE-2025-0285 BioNTdrv.sys Paragon Arb Memory Mapping No Blocklisted
CVE-2025-0286 BioNTdrv.sys Paragon Arb Kernel Write No Blocklisted
CVE-2025-0287 BioNTdrv.sys Paragon Null Pointer Deref No Blocklisted
CVE-2025-0288 BioNTdrv.sys Paragon Arb Kernel Write No Blocklisted
CVE-2025-0289 BioNTdrv.sys Paragon Arb Kernel Write Yes Blocklisted
CVE-2025-8061 LnvMSRIO.sys Lenovo MSR R/W / Phys Mem R/W No Patched

Performance & GPU Drivers

CVE / ID Driver Vendor Class ITW Status
CVE-2020-12928 AMDRyzenMasterDriver.sys AMD Arbitrary R/W No Patched
CVE-2023-20598 AMD chipset driver AMD Info Disclosure No Patched
CVE-2025-7771 ThrottleStop.sys ThrottleStop MSR Write Yes Blocklisted
NVDrv nvlddmkm.sys NVIDIA GPU Memory R/W No Still loadable

Anti-Cheat & Security Product Drivers

CVE / ID Driver Vendor Class ITW Status
Capcom.sys Capcom.sys Capcom Ring-0 Code Exec Yes Withdrawn / Blocklisted
echo_driver.sys echo_driver.sys Echo AC Callback Manipulation No Still loadable
viragt64.sys viragt64.sys TG Soft Process Termination Yes Blocklisted
Truesight.sys Truesight.sys Adlice EDR Bypass Yes Blocklisted
amsdk.sys amsdk.sys WatchDog Process Termination Yes Blocklisted
CVE-2025-68947 NSecKrnl.sys NsecSoft Process Termination Yes Under active abuse
CVE-2025-61156 TfSysMon.sys ThreatFire Process Termination Yes Under active abuse
CVE-2025-52915 K7RKScan.sys K7 Computing Process Termination No Still loadable
CVE-2025-1055 K7RKScan.sys K7 Computing Elevation of Privilege No Still loadable
CVE-2025-70795 STProcessMonitor.sys Safetica Process Termination No Still loadable
CVE-2025-11156 epdlpdrv.sys Netskope Null Pointer Deref / DoS No Patched
CVE-2025-5942 epdlpdrv.sys Netskope Heap Overflow / DoS No Patched
CVE-2024-11616 epdlpdrv.sys Netskope Double-Fetch (TOCTOU) No Patched
CVE-2024-51324 BdApiUtil.sys Baidu Process Termination Yes Still loadable
EnPortv.sys EnPortv.sys Guidance/OpenText Process Termination Yes Revoked cert, still loads

By Driver

afd.sys

  • CVE-2023-21768 -- AFD WinSock -- missing ProbeForWrite allows kernel write-what-where via IO ring
  • CVE-2023-28218 -- AFD WinSock -- integer overflow in AfdCopyCMSGBuffer allows EoP
  • CVE-2024-38193 -- AFD -- use-after-free race on Registered I/O buffers allows EoP
  • CVE-2025-21418 -- AFD -- heap-based buffer overflow allows SYSTEM escalation
  • CVE-2025-32709 -- AFD -- use-after-free after socket closure allows SYSTEM escalation
  • CVE-2025-49661 -- AFD -- untrusted pointer dereference allows EoP
  • CVE-2025-49762 -- AFD -- race condition allows EoP
  • CVE-2025-53147 -- AFD -- use-after-free allows EoP
  • CVE-2025-53718 -- AFD -- use-after-free allows EoP
  • CVE-2025-60719 -- AFD -- use-after-free from race between socket unbind and concurrent operations
  • CVE-2025-62213 -- AFD -- use-after-free allows EoP
  • CVE-2025-62217 -- AFD -- elevation of privilege
  • CVE-2026-21241 -- AFD -- race condition in AfdNotifyPostEvents spinlock release causes use-after-free EoP

appid.sys

  • CVE-2024-21338 -- AppLocker -- IOCTL 0x22A018 missing access control allows kernel code execution

cldflt.sys

  • CVE-2023-36036 -- Cloud Files Mini Filter -- heap overflow via crafted reparse data
  • CVE-2024-30085 -- Cloud Files Mini Filter -- missing size check before memcpy leads to heap overflow
  • CVE-2024-49114 -- Cloud Files Mini-Filter -- elevation of privilege via buffer overflow
  • CVE-2025-55680 -- Cloud Files Mini Filter -- race condition / TOCTOU allows EoP
  • CVE-2025-62221 -- Cloud Files Mini Filter -- use-after-free allows SYSTEM escalation
  • CVE-2025-62454 -- Cloud Files Mini Filter -- elevation of privilege
  • CVE-2025-62457 -- Cloud Files Mini Filter -- out-of-bounds read
  • CVE-2026-20857 -- Cloud Files Mini Filter -- elevation of privilege

clfs.sys

  • CVE-2022-37969 -- Common Log File System -- SignaturesOffset OOB write via corrupted cbSymbolZone
  • CVE-2023-28252 -- Common Log File System -- OOB write via corrupted base log offset
  • CVE-2023-36424 -- Common Log File System -- pool overflow from unvalidated reparse data
  • CVE-2024-49138 -- Common Log File System -- heap overflow in LoadContainerQ allows EoP
  • CVE-2025-29824 -- Common Log File System -- elevation of privilege via log file metadata corruption
  • CVE-2025-32701 -- Common Log File System -- use-after-free in log stream object allows SYSTEM escalation
  • CVE-2025-32706 -- Common Log File System -- heap buffer overflow from missing input validation
  • CVE-2025-32713 -- Common Log File System -- heap buffer overflow allows EoP
  • CVE-2025-60709 -- Common Log File System -- out-of-bounds read
  • CVE-2025-62470 -- Common Log File System -- heap buffer overflow allows EoP
  • CVE-2026-20820 -- Common Log File System -- heap buffer overflow allows EoP
  • CVE-2026-2636 -- Common Log File System -- denial of service

csc.sys

  • CVE-2024-26229 -- Client-Side Caching -- missing access check allows EoP

dwmcore.dll

  • CVE-2025-24058 -- Desktop Window Manager -- improper input validation allows EoP
  • CVE-2025-30400 -- Desktop Window Manager -- use-after-free in composition surface handling allows SYSTEM escalation
  • CVE-2025-55681 -- Desktop Window Manager -- out-of-bounds access allows EoP
  • CVE-2025-58722 -- Desktop Window Manager -- elevation of privilege
  • CVE-2025-59254 -- Desktop Window Manager -- elevation of privilege
  • CVE-2025-64680 -- Desktop Window Manager -- heap buffer overflow allows EoP
  • CVE-2026-20842 -- Desktop Window Manager -- elevation of privilege
  • CVE-2026-21519 -- Desktop Window Manager -- type confusion allows SYSTEM escalation

fastfat.sys

  • CVE-2025-24985 -- FAT File System -- cluster count overflow in FAT bitmap allocation allows RCE

http.sys

  • CVE-2022-21907 -- HTTP Protocol Stack -- uninitialized tracker struct via crafted HTTP headers allows RCE

ks.sys

  • CVE-2024-35250 -- Kernel Streaming -- untrusted pointer dereference in IOCTL dispatch allows EoP
  • CVE-2025-24046 -- Kernel Streaming -- double free in filter object handling
  • CVE-2025-24063 -- Kernel Streaming -- heap-based buffer overflow allows EoP
  • CVE-2025-24066 -- Kernel Streaming -- heap-based buffer overflow allows EoP

ksthunk.sys

  • CVE-2024-38054 -- Kernel Streaming WOW64 Thunk -- integer overflow in KSSTREAM_HEADER thunking allows EoP
  • CVE-2024-38238 -- Kernel Streaming WOW64 Thunk -- MmMapLockedPages without MmProbeAndLockPages in frame handling
  • CVE-2025-49675 -- Kernel Streaming WOW64 Thunk -- use-after-free allows EoP
  • CVE-2025-53149 -- Kernel Streaming WOW64 Thunk -- heap-based buffer overflow

mskssrv.sys

  • CVE-2023-29360 -- Kernel Streaming Server -- MmProbeAndLockPages called with KernelMode on user MDL
  • CVE-2023-36802 -- Kernel Streaming Server -- FsContextReg/FsStreamReg object type confusion leads to EoP
  • CVE-2024-30089 -- Kernel Streaming Server -- ref-count logic error causes use-after-free EoP
  • CVE-2025-24067 -- Kernel Streaming Server -- heap-based buffer overflow allows EoP

ntfs.sys

ntoskrnl.exe

  • CVE-2023-32019 -- NT Kernel -- kernel heap memory leak to user process via thread info query
  • CVE-2024-21302 -- NT Kernel -- secure kernel version downgrade bypass via unvalidated version state
  • CVE-2024-30088 -- NT Kernel -- TOCTOU race in AuthzBasepCopyoutInternalSecurityAttributes
  • CVE-2024-38106 -- NT Kernel -- missing lock around VslpEnterIumSecureMode causes race condition EoP
  • CVE-2025-53803 -- NT Kernel -- information disclosure
  • CVE-2025-53804 -- NT Kernel -- information disclosure
  • CVE-2025-54110 -- NT Kernel -- integer overflow allows EoP
  • CVE-2025-62215 -- NT Kernel -- race condition / double-free allows SYSTEM escalation
  • CVE-2026-21231 -- NT Kernel -- race condition allows SYSTEM escalation

vsp.sys

  • CVE-2025-21333 -- Hyper-V Virtual Service Provider -- heap-based buffer overflow

vkrnlintvsp.sys

  • CVE-2025-21334 -- Hyper-V VSP Integration -- use-after-free allows SYSTEM escalation
  • CVE-2025-21335 -- Hyper-V VSP Integration -- use-after-free allows SYSTEM escalation

tcpip.sys

  • CVE-2024-38063 -- TCP/IP stack -- integer underflow in IPv6 packet reassembly allows RCE

win32k.sys

win32kbase.sys

  • CVE-2022-21882 -- Win32k -- ConsoleWindow flag misinterprets WndExtra causing type confusion EoP

win32kfull.sys

  • CVE-2023-29336 -- Win32k -- use-after-free from unlocked nested menu object allows EoP
  • CVE-2026-20822 -- Win32k -- use-after-free allows EoP

rasman.sys

Remote Desktop Services

storvsp.sys

storport.sys

dxgkrnl.sys

msfs.sys

VBS Enclave

Trusted Runtime Interface

  • CVE-2025-29829 -- Trusted Runtime Interface -- information disclosure

agrsm64.sys

  • CVE-2023-31096 -- Broadcom/Archer -- stack buffer overflow allows EoP

smserl64.sys

DBUtil_2_3.sys

RTCore64.sys

  • CVE-2019-16098 -- MSI Afterburner -- physical mem R/W, MSR, I/O port

gdrv.sys

iqvw64e.sys

  • CVE-2015-2291 -- Intel Ethernet diagnostics -- arbitrary R/W via IOCTL

HW.sys

LenovoDiagnosticsDriver.sys

Viper RGB driver

LG LSB driver

iREC.sys

NeacController.sys

ATSZIO64.sys

AsIO3.sys

  • CVE-2025-1533 -- ASUS -- stack overflow in Win32PathToNtPath (MAX_PATH assumption)
  • CVE-2025-3464 -- ASUS -- auth bypass via hardlink, ObfDereferenceObject decrement-by-one, PreviousMode flip, token theft
  • AsIO3.sys -- ASRock/ASUS -- physical mem R/W, SMM

AMDRyzenMasterDriver.sys

AMD chipset driver

ThrottleStop.sys

nvlddmkm.sys

  • NVDrv -- NVIDIA -- GPU memory R/W

Capcom.sys

  • Capcom.sys -- Capcom -- ring-0 code exec, SMEP bypass

echo_driver.sys

viragt64.sys

Truesight.sys

amsdk.sys

  • amsdk.sys -- WatchDog -- process termination

WinRing0x64.sys

  • CVE-2023-1048 -- OpenLibSys -- MSR write, physical memory R/W, I/O port access

mydrivers64.sys

  • CVE-2023-1676 -- DriverGenius -- MSR write (0x9C402088), physical memory R/W (0x9C406104/0x9C40A108)

BioNTdrv.sys

LnvMSRIO.sys

  • CVE-2025-8061 -- Lenovo -- MSR R/W and physical memory R/W via IOCTL

NSecKrnl.sys

  • CVE-2025-68947 -- NsecSoft -- process termination abused for EDR bypass

K7RKScan.sys

BdApiUtil.sys

  • CVE-2024-51324 -- Baidu -- process termination abused for AV/EDR bypass

EnPortv.sys

  • EnPortv.sys -- Guidance/OpenText -- process termination primitive

ltmdm64.sys

  • CVE-2025-24052 -- LiteManager -- stack buffer overflow allows EoP
  • CVE-2025-24990 -- LiteManager -- untrusted pointer dereference allows SYSTEM escalation

TfSysMon.sys

  • CVE-2025-61156 -- ThreatFire -- process termination abused for EDR bypass

STProcessMonitor.sys

epdlpdrv.sys

  • CVE-2024-11616 -- Netskope Endpoint DLP -- double-fetch heap overflow
  • CVE-2025-5942 -- Netskope Endpoint DLP -- heap overflow / DoS
  • CVE-2025-11156 -- Netskope Endpoint DLP -- null pointer dereference / DoS

By Exploitation Status

Exploited in the Wild

  • CVE-2022-21882 -- win32kbase.sys -- Win32k -- ConsoleWindow flag misinterprets WndExtra causing type confusion EoP
  • CVE-2022-37969 -- clfs.sys -- Common Log File System -- SignaturesOffset OOB write via corrupted cbSymbolZone
  • CVE-2023-28252 -- clfs.sys -- Common Log File System -- OOB write via corrupted base log offset
  • CVE-2023-29336 -- win32kfull.sys -- Win32k -- use-after-free from unlocked nested menu object allows EoP
  • CVE-2023-36036 -- cldflt.sys -- Cloud Files Mini Filter -- heap overflow via crafted reparse data
  • CVE-2023-36802 -- mskssrv.sys -- Kernel Streaming Server -- FsContextReg/FsStreamReg object type confusion leads to EoP
  • CVE-2024-21338 -- appid.sys -- AppLocker -- IOCTL 0x22A018 missing access control allows kernel code execution
  • CVE-2024-30088 -- ntoskrnl.exe -- NT Kernel -- TOCTOU race in AuthzBasepCopyoutInternalSecurityAttributes
  • CVE-2024-35250 -- ks.sys -- Kernel Streaming -- untrusted pointer dereference in IOCTL dispatch allows EoP
  • CVE-2024-38106 -- ntoskrnl.exe -- NT Kernel -- missing lock around VslpEnterIumSecureMode causes race condition EoP
  • CVE-2024-38193 -- afd.sys -- AFD -- use-after-free race on Registered I/O buffers allows EoP
  • CVE-2024-49138 -- clfs.sys -- Common Log File System -- heap overflow in LoadContainerQ allows EoP
  • CVE-2025-24985 -- fastfat.sys -- FAT File System -- cluster count overflow in FAT bitmap allocation allows RCE
  • CVE-2025-21333 -- vsp.sys -- Hyper-V Virtual Service Provider -- heap-based buffer overflow
  • CVE-2025-24984 -- ntfs.sys -- NTFS -- information disclosure
  • CVE-2025-24991 -- ntfs.sys -- NTFS -- information disclosure via out-of-bounds read
  • CVE-2025-24993 -- ntfs.sys -- NTFS -- MFT metadata heap buffer overflow via crafted VHD allows RCE
  • CVE-2025-29824 -- clfs.sys -- Common Log File System -- elevation of privilege via log file metadata corruption
  • CVE-2021-21551 -- DBUtil_2_3.sys -- Dell -- arbitrary R/W via IOCTL
  • CVE-2019-16098 -- RTCore64.sys -- MSI -- physical mem R/W, MSR, I/O port
  • CVE-2018-19320 -- gdrv.sys -- Gigabyte -- arbitrary kernel R/W, MSR access
  • CVE-2015-2291 -- iqvw64e.sys -- Intel -- arbitrary R/W via IOCTL
  • CVE-2020-15368 -- HW.sys -- Marvin Test -- physical memory R/W
  • CVE-2022-3699 -- LenovoDiagnosticsDriver.sys -- Lenovo -- arbitrary R/W
  • ATSZIO64.sys -- ATSZIO64.sys -- ASUS -- physical memory R/W
  • AsIO3.sys -- AsIO3.sys -- ASRock/ASUS -- physical mem R/W, SMM
  • CVE-2025-7771 -- ThrottleStop.sys -- ThrottleStop -- MSR write / AV killer
  • Capcom.sys -- Capcom.sys -- Capcom -- ring-0 code exec, SMEP bypass
  • viragt64.sys -- viragt64.sys -- TG Soft -- process termination (Kasseika ransomware)
  • Truesight.sys -- Truesight.sys -- Adlice -- EDR bypass
  • amsdk.sys -- amsdk.sys -- WatchDog -- process termination (Silver Fox APT)
  • CVE-2023-1048 -- WinRing0x64.sys -- OpenLibSys -- MSR write and physical memory R/W
  • CVE-2025-21334 -- vkrnlintvsp.sys -- Hyper-V VSP Integration -- use-after-free allows SYSTEM
  • CVE-2025-21335 -- vkrnlintvsp.sys -- Hyper-V VSP Integration -- use-after-free allows SYSTEM
  • CVE-2025-21418 -- afd.sys -- AFD -- heap-based buffer overflow allows SYSTEM escalation
  • CVE-2025-24983 -- win32k.sys -- Win32k -- use-after-free / race condition allows SYSTEM
  • CVE-2025-24990 -- ltmdm64.sys -- LiteManager -- untrusted pointer dereference allows SYSTEM
  • CVE-2025-30400 -- dwmcore.dll -- DWM -- use-after-free in composition surface allows SYSTEM
  • CVE-2025-32701 -- clfs.sys -- CLFS -- use-after-free in log stream object allows SYSTEM
  • CVE-2025-32706 -- clfs.sys -- CLFS -- heap buffer overflow allows SYSTEM
  • CVE-2025-32709 -- afd.sys -- AFD -- use-after-free after socket closure allows SYSTEM
  • CVE-2025-59230 -- rasman.sys -- RAS Manager -- elevation of privilege
  • CVE-2025-62215 -- ntoskrnl.exe -- NT Kernel -- race condition / double-free allows SYSTEM
  • CVE-2025-62221 -- cldflt.sys -- Cloud Files Mini Filter -- use-after-free allows SYSTEM
  • CVE-2026-21231 -- ntoskrnl.exe -- NT Kernel -- race condition allows SYSTEM
  • CVE-2026-21519 -- dwmcore.dll -- DWM -- type confusion allows SYSTEM
  • CVE-2026-21533 -- Remote Desktop Services -- elevation of privilege
  • CVE-2025-0289 -- BioNTdrv.sys -- Paragon -- arbitrary kernel write
  • CVE-2025-68947 -- NSecKrnl.sys -- NsecSoft -- process termination / EDR bypass
  • CVE-2025-61156 -- TfSysMon.sys -- ThreatFire -- process termination / EDR bypass
  • CVE-2024-51324 -- BdApiUtil.sys -- Baidu -- process termination / AV bypass
  • EnPortv.sys -- EnPortv.sys -- Guidance/OpenText -- process termination