CVE-2023-32019
NT Kernel -- kernel heap memory leak to user process via thread info query
Summary
| Field | Value |
|---|---|
| Driver | ntoskrnl.exe |
| Vulnerability Class | Information Disclosure |
| Vulnerable Build | 10.0.22621.1702 (KB5026372) |
| Fixed Build | 10.0.22621.1848 (KB5027231) |
| Exploited ITW | No |
Affected Functions
NtQueryInformationThreadPspCopyAndFixupSecurityAttributes
Root Cause
The Windows kernel exposes NtQueryInformationThread as a system call that lets user-mode processes retrieve metadata about threads, including security attributes. When a caller queries certain thread information classes, the kernel allocates a buffer on the stack or heap, populates it with the requested data, and copies it back to user space.
The vulnerability lies in PspCopyAndFixupSecurityAttributes, which is called during this query flow. The function fails to fully initialize the output buffer before copying it to the caller. Stack variables and heap allocations used as intermediate storage contain residual data from previous kernel operations. Because the buffer is not zeroed before the relevant fields are written, the gaps between populated fields leak whatever kernel data previously occupied that memory.
This leaked data can include kernel pointers, token values, and fragments of other kernel structures. For an attacker, these leaked addresses defeat KASLR and provide the kernel base address or object locations needed to exploit a separate write-primitive vulnerability for full privilege escalation.
AutoPiff categorizes this as info_disclosure with detection rules:
buffer_zeroing_before_copy_addedstack_variable_initialization_added
Exploitation
On its own, this vulnerability does not provide code execution or privilege escalation. Its value is as an information leak primitive that enables exploitation of other bugs.
An attacker calls NtQueryInformationThread repeatedly, targeting threads in high-privilege processes like lsass.exe or csrss.exe. Each call returns a buffer that may contain leaked kernel pointers. By scanning the returned data for values in the kernel address range (above 0xFFFF800000000000 on x64), the attacker can recover the kernel base address, defeating KASLR, or locate specific kernel objects like EPROCESS or TOKEN structures.
This information is then fed into a separate exploit for a write-primitive vulnerability (such as a pool overflow or type confusion), where knowledge of kernel addresses transforms a blind write into a targeted one.
Patch Analysis
The fix in KB5027231 adds explicit buffer zeroing in PspCopyAndFixupSecurityAttributes before populating the output fields. Stack variables used in the query path are also initialized to zero at declaration. This ensures that any bytes not explicitly written by the function contain zeros rather than residual kernel data.
AutoPiff detects this via the buffer_zeroing_before_copy_added and stack_variable_initialization_added rules.
Detection
YARA Rule
rule CVE_2023_32019_NTOSKRNL {
meta:
description = "Detects vulnerable version of ntoskrnl.exe (pre-patch)"
cve = "CVE-2023-32019"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "ntoskrnl.exe" wide ascii nocase
$vuln_build = "10.0.22621.1702" wide ascii
$query_func = "NtQueryInformationThread" ascii
$fixup_func = "PspCopyAndFixupSecurityAttributes" ascii
condition:
$mz at 0 and $driver_name and $vuln_build and any of ($query_func, $fixup_func)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
Microsoft-Windows-Kernel-Process |
Thread information query events | Monitors NtQueryInformationThread calls that could trigger the uninitialized memory disclosure |
Microsoft-Windows-Kernel-Audit |
Process/thread access (Event ID 4656) | Detects cross-process thread handle acquisition used to query thread info from another process context |
Microsoft-Windows-Security-Auditing |
Process access (Event ID 4663) | Captures access to thread objects in other processes, a prerequisite for exploiting the info leak |
Microsoft-Windows-Threat-Intelligence |
Kernel memory read patterns | ETW-TI provider can flag suspicious kernel-to-user memory copy operations returning uninitialized data |
Behavioral Indicators
- Repeated calls to
NtQueryInformationThreadwith specificThreadInformationClassvalues targeting security attribute data, especially across process boundaries - A user-mode process systematically querying thread information for threads belonging to high-privilege processes (lsass.exe, csrss.exe) to harvest leaked kernel heap contents
- Uninitialized stack or heap memory returned to user space via the output buffer of
NtQueryInformationThread, containing kernel pointers or security-sensitive data - Pattern of opening thread handles with
THREAD_QUERY_INFORMATIONaccess to many threads in rapid succession, consistent with scanning for exploitable leaked data - Disclosed kernel addresses subsequently used in follow-up exploitation to bypass KASLR or locate kernel structures for privilege escalation
Broader Significance
Information disclosure vulnerabilities in the NT kernel are often undervalued because they do not directly provide code execution. In practice, they are critical enablers. Modern Windows kernels rely heavily on KASLR and opaque handle-based APIs to prevent user-mode code from knowing where kernel objects reside. A reliable kernel address leak collapses that entire defense layer, converting "hard to exploit" write-primitive bugs into deterministic, one-shot privilege escalation chains. The pattern of uninitialized buffer leaks in system call output paths has been a recurring source of these disclosures across multiple Windows releases.