
CVE-2024-26218

NT Kernel -- elevation of privilege via improper kernel call handling

Summary

Field                          Value
Driver                         ntoskrnl.exe
Vulnerability Class            Elevation of Privilege
Exploited ITW (in the wild)    No
CVSS                           7.8

Root Cause

The NT kernel exposes hundreds of system calls that user-mode processes invoke to interact with kernel resources. Each system call handler is responsible for validating caller-supplied parameters before using them in privileged operations. In this vulnerability, a specific system call path in ntoskrnl.exe fails to adequately validate parameters provided by unprivileged callers.

The missing validation allows a user-mode process to pass values that the kernel uses as addresses or offsets for write operations in kernel memory. Because the system call does not check that the target falls within user-mode address space (no PreviousMode check or ProbeForWrite-style probe is performed on the path), the caller can direct writes into kernel memory.

The exploits-forsale research team identified the specific call path and published a working PoC.

Exploitation

The missing parameter validation gives a direct write primitive into kernel memory. The attacker issues the vulnerable system call with carefully crafted arguments that specify a kernel-mode target address. The kernel executes the write without questioning whether the caller should have access to that address.

With a kernel write primitive in hand, the attacker performs the standard token swap: locate the current process's EPROCESS structure, read the SYSTEM process's token pointer, and overwrite the current process's token. This achieves privilege escalation from standard user to SYSTEM.

The exploit is deterministic and does not require race conditions, heap grooming, or complex setup. The system call path provides a clean, single-shot write primitive.

Patch Analysis

The fix validates caller-supplied parameters in the affected system call path. The patched code checks that write targets fall within the user-mode address range and verifies the caller's PreviousMode, blocking user-mode callers from directing writes into kernel memory.

Broader Significance

This vulnerability is a reminder that the surface area of the NT system call interface is enormous. Each of the hundreds of system calls must independently validate every parameter from every code path, and a single missed check creates a privilege escalation. The pattern of "missing probe" or "missing PreviousMode check" has been a recurring source of ntoskrnl EoP bugs across Windows releases, suggesting that manual code review and testing remain insufficient for a system call table of this size.
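To make the "missing probe" pattern and the fix described under Patch Analysis concrete, the following C model (an added example, not code from this advisory or from ntoskrnl.exe) places the unchecked handler shape beside the patched one. All names, the user/kernel boundary value and the status-returning probe are assumptions: the real ProbeForWrite compares against MmUserProbeAddress and raises an SEH exception rather than returning a status, and no memory is touched here.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical model of the NT "probe before use" pattern; not kernel code.
 * Addresses are plain integers and nothing is dereferenced. */
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
typedef long NTSTATUS;
#define STATUS_SUCCESS               0L
#define STATUS_DATATYPE_MISALIGNMENT (-1073741822L)  /* 0xC0000002 */
#define STATUS_ACCESS_VIOLATION      (-1073741819L)  /* 0xC0000005 */

/* Assumed user/kernel boundary (the real kernel uses MmUserProbeAddress). */
static const uint64_t MODEL_USER_PROBE_ADDRESS = 0x00007FFFFFFF0000ULL;

/* Model of ProbeForWrite: the range must be aligned, must not wrap, and
 * must lie entirely below the user/kernel boundary. */
static NTSTATUS model_probe_for_write(uint64_t addr, uint64_t len, uint64_t align)
{
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr) return STATUS_ACCESS_VIOLATION;        /* wrap-around */
    if (addr + len > MODEL_USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Vulnerable shape: the caller-supplied target is trusted unconditionally,
 * so a UserMode caller could aim the write at a kernel address. */
static NTSTATUS syscall_vulnerable(KPROCESSOR_MODE prev, uint64_t target, uint64_t len)
{
    (void)prev; (void)target; (void)len;
    return STATUS_SUCCESS;   /* the write would proceed */
}

/* Patched shape: probe only when PreviousMode is UserMode; KernelMode
 * callers (other kernel components) may legitimately pass kernel addresses. */
static NTSTATUS syscall_patched(KPROCESSOR_MODE prev, uint64_t target, uint64_t len)
{
    if (prev == UserMode) {
        NTSTATUS st = model_probe_for_write(target, len, sizeof(uint64_t));
        if (st != STATUS_SUCCESS) return st;
    }
    return STATUS_SUCCESS;   /* safe to perform the write */
}
```

The boundary-straddling and wrap-around cases are the ones a naive "is the start address below the boundary" check misses, which is why the length is folded into the probe.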

References