CVE-2022-34707
NT Kernel (Registry) -- reference count overflow in CM_KEY_SECURITY
Summary
| Field | Value |
|---|---|
| Driver | ntoskrnl.exe |
| Vulnerability Class | Integer Overflow |
| Exploited ITW | No |
| CVSS | 7.8 |
Root Cause
Part of Mateusz Jurczyk's (j00ru, Project Zero) 20-month audit of the Windows registry subsystem, which produced around 50 CVEs. This one is an integer overflow in the ReferenceCount field of the _CM_KEY_SECURITY structure within registry hive handling.
The ReferenceCount is a 32-bit value that tracks how many key nodes reference a given security descriptor in the hive. By creating and deleting keys in a specific pattern, an attacker can increment the reference count until it wraps past 0xFFFFFFFF back to zero. When the count hits zero, the kernel frees the security descriptor while other key nodes still reference it -- a classic use-after-free triggered through integer overflow.
The vulnerability is reachable through standard registry APIs (RegCreateKeyEx, RegDeleteKey, etc.) without any special privileges.
Exploitation
The reference count overflow produces a use-after-free on the _CM_KEY_SECURITY structure. After the free, the attacker reclaims the memory with a controlled allocation (e.g., via registry value data of matching size) and plants a fake security descriptor. Subsequent registry operations on keys that still reference the freed descriptor read the attacker's data, providing a kernel read/write primitive.
j00ru demonstrated a working exploit at OffensiveCon 2024. The overflow takes substantial iteration (billions of increments) but is achievable in practice through batch registry operations.
Patch Analysis
The fix adds overflow detection on the ReferenceCount increment path. If incrementing would wrap the counter, the operation fails instead of proceeding.
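As an added illustration, not code from the page or from Windows, the constructed C model below places the pre-fix unconditional increment beside the checked increment described above; the structure, the function names and the free-on-zero release path are simplifying assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model of the 32-bit ReferenceCount in _CM_KEY_SECURITY.
 * Not Windows kernel code; the real structure has many more fields. */
typedef struct {
    uint32_t ReferenceCount;  /* key nodes sharing this security descriptor */
    bool     freed;           /* set once the release path frees the object */
} KeySecurityModel;

/* Pre-fix: unconditional increment. At 0xFFFFFFFF the value wraps to 0. */
static bool ref_acquire_unchecked(KeySecurityModel *ks)
{
    ks->ReferenceCount++;     /* silent uint32_t wraparound */
    return true;
}

/* Post-fix, as the patch analysis describes: if the increment would wrap,
 * refuse the operation and leave the count untouched. */
static bool ref_acquire_checked(KeySecurityModel *ks)
{
    if (ks->ReferenceCount == UINT32_MAX)
        return false;         /* caller fails the key operation */
    ks->ReferenceCount++;
    return true;
}

/* Release path shared by both variants: free when the count hits zero. */
static void ref_release(KeySecurityModel *ks)
{
    if (ks->ReferenceCount != 0 && --ks->ReferenceCount == 0)
        ks->freed = true;
}

/* Start with the counter already at UINT32_MAX (standing in for ~4.29
 * billion references that are all still live), add one more reference,
 * then release only that one. Returns true if the object was freed while
 * the original references are still outstanding: the use-after-free. */
static bool descriptor_freed_early(bool use_checked_increment)
{
    KeySecurityModel ks = { .ReferenceCount = UINT32_MAX, .freed = false };
    bool (*acquire)(KeySecurityModel *) =
        use_checked_increment ? ref_acquire_checked : ref_acquire_unchecked;
    if (!acquire(&ks))        /* fixed kernel: the request is rejected here */
        return false;
    /* Vulnerable kernel: the count wrapped to 0. One more acquire/release
     * pair takes it 0 -> 1 -> 0 and frees the still-shared descriptor. */
    acquire(&ks);
    ref_release(&ks);
    return ks.freed;
}
```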