CVE-2024-38106
NT Kernel — missing lock around VslpEnterIumSecureMode causes race condition EoP
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Driver | ntoskrnl.exe |
| Vulnerability Class | Race Condition / TOCTOU |
| Vulnerable Build | 10.0.22621.3958 (KB5040527) |
| Fixed Build | 10.0.22621.4169 (KB5043076) |
| Exploited ITW | Yes |
Affected Functions
- VslGetSetSecureContext
- VslpEnterIumSecureMode
Root Cause
AutoPiff categorizes this as race_condition, based on the following patch-diff detection rules firing:
- spinlock_acquisition_added
- mutex_or_resource_lock_added
Detection
YARA Rule
```yara
rule CVE_2024_38106_NtKernel {
    meta:
        description = "Detects vulnerable version of ntoskrnl.exe (pre-patch)"
        cve = "CVE-2024-38106"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "ntoskrnl.exe" wide ascii nocase
        $vuln_build = "10.0.22621.3958" wide ascii
        $func_context = "VslGetSetSecureContext" ascii
        $func_enter = "VslpEnterIumSecureMode" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($func_*)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-Audit | Secure context transition events | Monitors IUM (Isolated User Mode) / VSL secure mode entry operations where the missing lock creates the TOCTOU race window |
| Microsoft-Windows-Kernel-Process | Process and thread creation / context switch events | Detects abnormal thread scheduling patterns consistent with racing to win the TOCTOU condition in VslpEnterIumSecureMode |
| Microsoft-Windows-Security-Auditing | Event 4688 (Process Creation) and Event 4672 (Special Privileges) | Captures privilege escalation to SYSTEM following successful race condition exploitation |
| Microsoft-Windows-Kernel-Audit | Spinlock contention and acquisition events | Post-patch indicator: validates that the fix (spinlock acquisition around VSL context operations) is active |
Behavioral Indicators
- Multi-threaded process with tight loops simultaneously invoking VslGetSetSecureContext from competing threads to exploit the TOCTOU window before the secure context is fully validated
- Anomalous CPU consumption on multiple cores from a single low-privilege process, consistent with spinning to win a kernel race condition
- Process elevation from standard user to SYSTEM without any UAC prompt or legitimate elevation service involvement, occurring immediately after sustained multi-threaded kernel syscall activity
- Crash artifacts with bugcheck KERNEL_SECURITY_CHECK_FAILURE when exploitation attempts fail due to corrupted secure context state
- VBS/IUM secure mode transitions initiated by processes outside the expected set of trustlets and secure enclaves