CVE-2023-1048
WinRing0x64, arbitrary MSR write and physical memory R/W via IOCTL
Summary
| Field | Value |
|---|---|
| Driver | WinRing0x64.sys |
| Vendor | OpenLibSys / bundled by TechPowerUp, CPUID, Razer, LibreHardwareMonitor, and dozens of others |
| Vulnerability Class | Arbitrary R/W / MSR Write / Physical Memory Mapping |
| Abused Version | 1.2.0.5 and earlier (all known versions) |
| Status | Blocklisted — Microsoft classifies as VulnerableDriver:WinNT/Winring0 (variants A-G) |
| Exploited ITW | Yes |
The Story
WinRing0 might be the most widely distributed vulnerable driver in the Windows ecosystem. It is an open-source kernel driver from the OpenLibSys project, designed to give user-mode applications direct access to hardware registers, physical memory, MSRs, I/O ports, and PCI configuration space. The driver is bundled by a vast number of hardware monitoring and tuning applications: TechPowerUp RealTemp, CPUID HWMonitor, Razer Synapse 3, LibreHardwareMonitor, FanControl, and many others. If a Windows PC has any hardware monitoring software installed, there is a reasonable chance WinRing0 is on the disk.
The driver creates its device with permissive ACLs and exposes every hardware access primitive without caller validation. This is by design; the driver was created to give hardware tools full access. But the absence of access control means any process on the system can use these capabilities, including attackers who bring the driver via BYOVD or find it already present.
In early 2025, Windows Defender began flagging WinRing0 in consumer tools like Razer Synapse and FanControl, prompting vendors to update or remove the driver. Microsoft classifies multiple hash variants as VulnerableDriver:WinNT/Winring0.A through .G.
CVE-2023-1048 specifically documents the vulnerability in TechPowerUp Ryzen DRAM Calculator v1.7.3 (WinRing0x64.sys v1.2.0.5). CVE-2023-1047 covers the same driver bundled with TechPowerUp RealTemp. The underlying vulnerability is identical across all bundling vendors.
BYOVD Context
- Driver signing: Authenticode-signed; multiple signed variants exist from different bundling vendors (CPUID, Razer, Noriyuki Miyazaki)
- Vulnerable Driver Blocklist: Included — Microsoft classifies multiple hash variants as
VulnerableDriver:WinNT/Winring0.Athrough.G - HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
- KDU integration: Not directly integrated, but the WinRing0 library is used by many open-source hardware tools
- LOLDrivers: Listed at loldrivers.io with multiple hash variants
Affected IOCTLs
- Arbitrary MSR write (WRMSR) with user-controlled register index and value
- Arbitrary MSR read (RDMSR)
- Physical memory read via MmMapIoSpace
- Physical memory write via MmMapIoSpace
- I/O port read/write (IN/OUT)
- PCI configuration space access
Two Paths to Ring 0
The MSR Route
The MSR write IOCTL gives the most direct path to kernel code execution. The attacker loads WinRing0x64.sys (or finds it already present from a hardware monitoring tool), opens the device handle, and uses the WRMSR IOCTL to write to IA32_LSTAR (MSR 0xC0000082). IA32_LSTAR holds the kernel syscall entry point address. After the write, the next syscall dispatches to the attacker's controlled address, executing arbitrary code in ring 0.
The Physical Memory Route
The physical memory IOCTLs provide the standard page-table-walk approach. Map physical memory pages via MmMapIoSpace, walk the page table hierarchy to locate kernel structures, and overwrite EPROCESS tokens for SYSTEM privilege escalation.
The zeze-zeze/WindowsKernelVuln repository provides PoC code demonstrating both paths.
Detection
YARA Rule
rule CVE_2023_1048_WinRing0x64 {
meta:
description = "Detects WinRing0x64.sys vulnerable driver"
cve = "CVE-2023-1048"
author = "KernelSight"
severity = "critical"
strings:
$mz = { 4D 5A }
$driver_name = "WinRing0" wide ascii nocase
$openlib = "OpenLibSys" wide ascii
$device = "\\Device\\WinRing0" wide ascii
condition:
$mz at 0 and ($driver_name or $openlib or $device)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of WinRing0x64.sys from non-standard paths |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture; Windows Defender also flags as VulnerableDriver:WinNT/Winring0 |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for WinRing0 driver |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation token swap |
Behavioral Indicators
- Loading of
WinRing0x64.sysfrom a temporary directory or user-writable path (not from a known hardware tool installation) - WRMSR IOCTLs targeting
IA32_LSTAR(0xC0000082) or other security-critical MSRs from non-hardware-monitoring processes - Physical memory mapping IOCTLs spanning kernel address ranges from unknown processes
- Windows Defender alert for
VulnerableDriver:WinNT/Winring0variants - Privilege escalation following WinRing0 driver interaction from a process that is not a known hardware utility
Broader Significance
WinRing0 represents the distribution problem at its most extreme. A single open-source driver, bundled by dozens of legitimate applications, creates a situation where millions of systems have the vulnerable binary on disk. The driver cannot be "fixed" in the traditional sense because the vulnerability is the design: it was built to provide unrestricted hardware access. The only mitigation is the blocklist, which Microsoft has been progressively expanding. For defenders, WinRing0 is a reminder that BYOVD is not always about bringing a driver; sometimes the driver is already there, installed by the user's own hardware monitoring software.