CVE-2022-34707
NT Kernel (Registry), reference count overflow in CM_KEY_SECURITY
Summary
| Field | Value |
|---|---|
| Driver | ntoskrnl.exe |
| Vulnerability Class | Integer Overflow |
| Exploited ITW | No |
| CVSS | 7.8 |
The Story
Between 2022 and 2024, Mateusz Jurczyk (j00ru) of Google Project Zero conducted a 20-month audit of the Windows registry subsystem that produced around 50 CVEs. CVE-2022-34707 is one of the findings from that audit, and it demonstrates a vulnerability class that is as old as computing itself: an integer overflow in a reference count that leads to use-after-free.
j00ru presented a working exploit for this vulnerability at OffensiveCon 2024, making it one of the more technically validated registry bugs.
How a Reference Count Wraps to Zero
The vulnerability sits in the _CM_KEY_SECURITY structure within registry hive handling. The ReferenceCount field is a 32-bit value that tracks how many key nodes reference a given security descriptor in the hive. Under normal operation, each key that shares a security descriptor increments this counter, and deletion decrements it. When the count reaches zero, the kernel frees the security descriptor.
The problem: the 32-bit counter has no overflow protection. By creating and deleting keys in a specific pattern, an attacker can increment the reference count until it wraps past 0xFFFFFFFF back to zero. When it hits zero, the kernel frees the security descriptor, but other key nodes still hold references to the now-freed memory. This is a classic use-after-free triggered through integer overflow.
The vulnerability is reachable through standard registry APIs (RegCreateKeyEx, RegDeleteKey, and related functions) without any special privileges. The overflow takes substantial iteration (billions of increments), but this is achievable in practice through batch registry operations.
From Freed Descriptor to Kernel R/W
After the security descriptor is freed, the attacker reclaims the memory with a controlled allocation, typically registry value data of a matching size. Subsequent registry operations on keys that still reference the freed descriptor read the attacker's planted data instead of a legitimate security descriptor. This provides a kernel read/write primitive through the confused type interpretation.
j00ru's OffensiveCon 2024 talk demonstrated the full chain from the reference count overflow through the use-after-free reclaim to SYSTEM escalation.
Patch Analysis
The fix adds overflow detection on the ReferenceCount increment path. If incrementing would wrap the counter past 0xFFFFFFFF, the operation fails instead of proceeding. This is the correct fix: preventing the overflow eliminates the use-after-free entirely.
Broader Significance
CVE-2022-34707 is part of j00ru's broader thesis that the Windows registry subsystem is a vastly under-audited attack surface. The 50-CVE harvest from a single focused audit suggests that complex kernel subsystems with decades of accumulated code contain many more bugs than the security community has found. The integer overflow class is particularly important here because reference counts appear throughout the kernel; any 32-bit refcount without overflow protection is potentially vulnerable to the same pattern.