CVE-2024-38144
Kernel Streaming WOW Thunk -- integer overflow in buffer size calculation
Summary
| Field | Value |
|---|---|
| Driver | ksthunk.sys |
| Vulnerability Class | Integer Overflow |
| Exploited ITW | No |
| CVSS | 8.8 |
Root Cause
The bug is an integer overflow in the Kernel Streaming WOW Thunk Service Driver (ksthunk.sys), in the buffer size calculation performed when it converts 32-bit IOCTL requests to their 64-bit equivalents. The driver multiplies a user-controlled element count by a structure size to compute the output buffer length. If the count is large enough, the multiplication wraps, producing a small allocation that is then filled with data sized according to the original (un-wrapped) count -- a heap buffer overflow.
Another finding from Angelboy's (DEVCORE) kernel streaming attack surface research, part of the same effort that produced CVE-2024-30090 and CVE-2024-35250.
Exploitation
The integer overflow leads to a heap buffer overflow in the kernel pool. The undersized allocation is filled with data that spills into adjacent pool objects. Standard pool feng shui applies: spray controlled objects of matching size, trigger the overflow, corrupt an adjacent object's header or function pointer, and convert that into a read/write primitive for token manipulation.
Patch Analysis
The fix adds overflow checking on the buffer size multiplication, rejecting requests where the computed size would wrap.
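To make the root cause and the fix concrete, here is an added illustration (constructed for this page, not ksthunk's code): a toy 32-to-64-bit thunk with the unchecked size product beside an overflow-checked version of the kind the patch describes. The record layouts, sizes and function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical 32-bit and 64-bit views of one streaming record.
 * Sizes (8 and 16 bytes) are chosen for the demo, not taken from ksthunk. */
typedef struct { uint32_t flags; uint32_t data_ptr32; } item32_t;
typedef struct { uint32_t flags; uint32_t pad; uint64_t data_ptr; } item64_t;

/* Unchecked (pre-patch style): count * sizeof is done in 32 bits, so a
 * count of 0x10000001 yields 0x100000010, which wraps to 16 bytes. */
uint32_t calc_size_unchecked(uint32_t count) {
    return count * (uint32_t)sizeof(item64_t);
}

/* Bytes the conversion loop would write beyond a wrapped allocation:
 * the true product minus the wrapped one (0 when nothing wraps). */
uint64_t overflow_gap_bytes(uint32_t count) {
    return (uint64_t)count * sizeof(item64_t) - calc_size_unchecked(count);
}

/* Checked (post-patch style): compute the product in 64 bits and reject
 * any count whose output size does not fit the 32-bit length field. */
bool calc_size_checked(uint32_t count, uint32_t *out_bytes) {
    uint64_t product = (uint64_t)count * sizeof(item64_t);
    if (product > UINT32_MAX) return false;
    *out_bytes = (uint32_t)product;
    return true;
}

/* Thunk: widen `count` records into a buffer sized by the checked product.
 * Returns NULL (the driver would fail the IOCTL) when the size would wrap.
 * Caller frees the result. */
item64_t *thunk_widen(const item32_t *in, uint32_t count) {
    uint32_t bytes;
    if (!calc_size_checked(count, &bytes)) return NULL;
    item64_t *out = malloc(bytes);
    if (!out) return NULL;
    for (uint32_t i = 0; i < count; i++) {
        out[i].flags = in[i].flags;
        out[i].pad = 0;
        out[i].data_ptr = in[i].data_ptr32;   /* zero-extend the 32-bit pointer */
    }
    return out;
}

/* Constructed sample input: widen three records, return the last pointer. */
uint64_t demo_widen_last_ptr(void) {
    item32_t in[3] = { {1, 0x1000}, {2, 0x2000}, {3, 0x3000} };
    item64_t *w = thunk_widen(in, 3);
    uint64_t last = w ? w[2].data_ptr : 0;
    free(w);
    return last;
}
```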