CVE-2023-29336

Win32k, use-after-free from unlocked nested menu object allows EoP

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

Field	Value
Driver	`win32kfull.sys`
Vulnerability Class	Object Management
Vulnerable Build	`10.0.22621.1555` (KB5025239)
Fixed Build	`10.0.22621.1635` (KB5026372)
Exploited ITW	Yes

The Story

Win32k menu objects have been a recurring source of use-after-free vulnerabilities for years, and CVE-2023-29336 continues the tradition. The vulnerability was exploited in the wild and involves the interaction between nested menu structures and callback reentrancy, a pattern that has produced numerous Win32k EoP bugs. Numen Cyber published the definitive analysis with a working PoC.

The core issue is about when objects are freed versus when they are used. In the Win32k subsystem, menu operations can trigger user-mode callbacks, and during those callbacks, user-mode code can destroy or modify the very objects that the kernel-mode code path expects to use after the callback returns.

Affected Functions

xxxEnableMenuItem
xxxMNDestroyHandler

The vulnerability is triggered through a specific sequence involving nested menu structures. The attacker creates deeply nested menu structures using CreateMenu / CreatePopupMenu and InsertMenuItem. Then EnableMenuItem is called on a nested item. During the processing of this call, Win32k may invoke a user-mode callback (for example, through a WH_CALLWNDPROC hook). Inside that callback, the attacker destroys the parent menu, which triggers xxxMNDestroyHandler. The parent menu and its associated objects are freed.

When the callback returns and xxxEnableMenuItem resumes execution, it attempts to access the nested menu object through a pointer that now references freed memory. This is the use-after-free: the kernel holds a stale reference to a menu object that was destroyed during the reentrant callback.

AutoPiff categorizes this as object_management with detection rules:

ob_reference_balance_fix

After the menu object is freed, the attacker reclaims the freed allocation using SetMenuItemInfo with controlled data of matching size. Win32k's desktop heap allocation patterns are deterministic enough that the reclaim is reliable. The stale pointer in xxxEnableMenuItem now reads the attacker's planted data, which is interpreted as a menu object structure. The controlled fields provide a kernel read/write primitive.

The exploit pattern is characteristic of Win32k: tight loops of menu object creation and destruction to groom the desktop heap, careful timing of callback hooks to trigger the free at the right moment, and then reclaim with controlled data to turn the UAF into a useful primitive. The final step is the standard token swap for SYSTEM.

Detection

YARA Rule

rule CVE_2023_29336_Win32k {
    meta:
        description = "Detects vulnerable version of win32kfull.sys (pre-patch)"
        cve = "CVE-2023-29336"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "win32kfull.sys" wide ascii nocase
        $vuln_build = "10.0.22621.1555" wide ascii
        $enable_menu = "xxxEnableMenuItem" ascii
        $destroy_handler = "xxxMNDestroyHandler" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($enable_menu, $destroy_handler)
}

ETW Indicators

Provider	Event / Signal	Relevance
`Microsoft-Windows-Win32k`	Menu object creation and destruction events	Monitors win32k menu operations for the use-after-free trigger involving nested menu objects
`Microsoft-Windows-Kernel-Audit`	Token modification (Event ID 4672)	Captures privilege escalation when the attacker leverages the freed menu object to gain arbitrary write
`Microsoft-Windows-Security-Auditing`	Special privileges assigned (Event ID 4672)	Alerts on a low-privilege process acquiring SYSTEM privileges after exploiting the UAF
`Microsoft-Windows-Kernel-Process`	Process token change	Detects the moment the exploiting process replaces its token with the SYSTEM token

Behavioral Indicators

A process creates deeply nested menu structures using CreateMenu / CreatePopupMenu and InsertMenuItem, then triggers EnableMenuItem on a nested item while simultaneously destroying the parent menu via a callback, causing a use-after-free in xxxMNDestroyHandler
Win32k desktop heap spray using SetMenuItemInfo with controlled data to reclaim the freed menu object allocation with attacker-controlled contents
Anomalous window message processing patterns where a user-mode callback (e.g., WH_CALLWNDPROC hook) destroys or modifies menu objects during a reentrant win32k call
Token replacement in the EPROCESS structure observed as a standard-user process suddenly holding SYSTEM-level privileges without going through UAC or a legitimate elevation path
Rapid creation and destruction of menu objects in a tight loop from a process that does not have a visible GUI, consistent with heap grooming for exploitation rather than normal UI activity

Broader Significance

CVE-2023-29336 belongs to the Win32k callback reentrancy class, where user-mode callbacks during kernel operations create windows for use-after-free conditions. This vulnerability pattern has produced more Windows kernel EoP bugs than any other single pattern, spanning window objects, menu objects, cursor objects, and other Win32k managed types. The fundamental issue is that Win32k's design allows user-mode code to execute during kernel operations, and the kernel must correctly handle the possibility that any object it references might be destroyed during a callback. Getting this right across all Win32k code paths has proven to be an ongoing challenge for Microsoft.