
CVE-2023-32019

NT Kernel — kernel heap memory leak to user process via thread info query

Summary

Driver:              ntoskrnl.exe
Vulnerability Class: Information Disclosure
Vulnerable Build:    10.0.22621.1702 (KB5026372)
Fixed Build:         10.0.22621.1848 (KB5027231)
Exploited ITW:       No

Affected Functions

  • NtQueryInformationThread
  • PspCopyAndFixupSecurityAttributes

Root Cause

AutoPiff classifies this issue as info_disclosure based on the following patch-diff detection rules that fired:

  • buffer_zeroing_before_copy_added
  • stack_variable_initialization_added

Exploitation

Patch Analysis

Detection

YARA Rule

rule CVE_2023_32019_NTOSKRNL {
    meta:
        description = "Detects vulnerable version of ntoskrnl.exe (pre-patch)"
        cve = "CVE-2023-32019"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }                                          // DOS/PE header magic
        $driver_name = "ntoskrnl.exe" wide ascii nocase          // OriginalFilename in the version resource
        $vuln_build = "10.0.22621.1702" wide ascii               // FileVersion of the pre-patch build only; other builds do not match
        $query_func = "NtQueryInformationThread" ascii           // exported function name
        $fixup_func = "PspCopyAndFixupSecurityAttributes" ascii  // internal (non-exported) symbol; only matches if symbol names are present
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($query_func, $fixup_func)
}
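The YARA rule above only matches the single pre-patch version string, so a file from an intermediate or later build is not classified at all. As an added example that is not part of this page or of KernelSight/AutoPiff, the following Python helper compares an ntoskrnl.exe FileVersion string against the vulnerable and fixed builds from the Summary table; the trailing "(WinBuild...)" text in the sample strings and the choice to treat every build below the fixed build as vulnerable are my assumptions.

```python
import re
from typing import Optional, Tuple

# Build numbers taken from the Summary table on this page (22621 branch only).
VULNERABLE_BUILD = (10, 0, 22621, 1702)  # KB5026372
FIXED_BUILD = (10, 0, 22621, 1848)       # KB5027231

# Leading dotted quad of a FileVersion string; trailing text is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_build(version_text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the 4-part build tuple from a FileVersion string.

    PE version resources often carry trailing text (assumed format here:
    "10.0.22621.1702 (WinBuild.160101.0800)"), so only the leading
    dotted quad is used. Returns None if no version is present.
    """
    match = _VERSION_RE.search(version_text)
    if not match:
        return None
    major, minor, build, rev = (int(p) for p in match.groups())
    return (major, minor, build, rev)


def classify_build(version_text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for a FileVersion string.

    Only the 10.0.22621 branch is covered by the data on this page, so any
    other branch is reported as 'unknown' rather than guessed. Within the
    branch, every build below the fixed build is treated as vulnerable
    (conservative assumption; the page only names build 1702 explicitly).
    """
    build = parse_build(version_text)
    if build is None or build[:3] != FIXED_BUILD[:3]:
        return "unknown"
    return "patched" if build >= FIXED_BUILD else "vulnerable"


if __name__ == "__main__":
    # Constructed sample strings, not taken from real files.
    for sample in ("10.0.22621.1702 (WinBuild.160101.0800)",
                   "10.0.22621.1848 (WinBuild.160101.0800)",
                   "10.0.22000.2057"):
        print(sample, "->", classify_build(sample))
```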

ETW Indicators

Provider: Microsoft-Windows-Kernel-Process
Event / Signal: Thread information query events
Relevance: Monitors NtQueryInformationThread calls that could trigger the uninitialized memory disclosure

Provider: Microsoft-Windows-Kernel-Audit
Event / Signal: Process/thread access (Event ID 4656)
Relevance: Detects cross-process thread handle acquisition used to query thread information from another process context

Provider: Microsoft-Windows-Security-Auditing
Event / Signal: Process access (Event ID 4663)
Relevance: Captures access to thread objects in other processes, a prerequisite for exploiting the info leak

Provider: Microsoft-Windows-Threat-Intelligence
Event / Signal: Kernel memory read patterns
Relevance: The ETW-TI provider can flag suspicious kernel-to-user memory copy operations that return uninitialized data

Behavioral Indicators

  • Repeated calls to NtQueryInformationThread with specific ThreadInformationClass values targeting security attribute data, especially across process boundaries
  • A user-mode process systematically querying thread information for threads belonging to high-privilege processes (lsass.exe, csrss.exe) to harvest leaked kernel heap contents
  • Uninitialized stack or heap memory returned to user space via the output buffer of NtQueryInformationThread, containing kernel pointers or security-sensitive data
  • Pattern of opening thread handles with THREAD_QUERY_INFORMATION access to many threads in rapid succession, consistent with scanning for exploitable leaked data
  • Disclosed kernel addresses subsequently used in follow-up exploitation to bypass KASLR or locate kernel structures for privilege escalation

References