
CVE-2024-38256

Win32k — uninitialized resource usage leaks kernel memory to user mode

Summary

Field                 Value
Driver                win32k.sys
Vulnerability Class   Information Disclosure
Vulnerable Build      10.0.22621.3958 (KB5040527)
Fixed Build           10.0.22621.4169 (KB5043076)
Exploited ITW         No

Affected Functions

  • NtGdiGetGlyphOutline
  • GreGetGlyphOutlineInternal

Root Cause

AutoPiff categorizes this as info_disclosure with detection rules:

  • stack_variable_initialization_added: the patch adds an explicit initialization of a stack local that the vulnerable code copied to user mode while still holding stale stack contents
  • kernel_pointer_scrubbing_added: the patch nulls or sanitizes a kernel address in the returned structure before it crosses the user/kernel boundary
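The two rule names above describe two fix patterns. The following is an added illustration, not the win32k code and not produced by AutoPiff or KernelSight: a hypothetical result structure, a vulnerable path that copies an uninitialized local to the caller, and the hardened path that zeroes the local and scrubs the kernel pointer. The "kernel stack" is a static object primed with stale bytes so the run is deterministic, and the copy to user mode is a plain memcpy.

```c
/*
 * Added illustration of the two fix patterns the AutoPiff rules name:
 *   stack_variable_initialization_added  -> zero the local before use
 *   kernel_pointer_scrubbing_added       -> null kernel addresses before copy-out
 * This is NOT win32k code. The struct, function names and the "stack residue"
 * are hypothetical; the kernel stack is simulated with a static object and the
 * copy to user mode with memcpy.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On x64, canonical kernel addresses are 0xFFFF800000000000 and above. */
#define KERNEL_SPACE_START 0xFFFF800000000000ULL

/* Hypothetical record a glyph-outline syscall hands back. On x64 the compiler
 * inserts 6 bytes of padding after glyph_width. */
typedef struct {
    uint16_t glyph_width;  /* the only field the caller asked for */
    uint64_t reserved;     /* never written by the vulnerable path */
    uint64_t font_obj;     /* kernel pointer used internally; must not leak */
} outline_result;

/* Simulated kernel stack frame. A previous call left stale data in it, which
 * is exactly what an uninitialized local inherits. */
static outline_result stack_frame;

static void prime_stack_residue(void)
{
    memset(&stack_frame, 0xAA, sizeof stack_frame);           /* stale bytes */
    stack_frame.font_obj = KERNEL_SPACE_START + 0x1234000ULL; /* stale kernel ptr */
}

int is_kernel_pointer(uint64_t p)
{
    return p >= KERNEL_SPACE_START;
}

/* Vulnerable pattern: the local is used without initialization, one field is
 * set, and the whole structure is copied to the caller's buffer. */
void vulnerable_get_outline(uint16_t width, outline_result *user_out)
{
    outline_result *r = &stack_frame;   /* stands in for a stack local */
    r->glyph_width = width;
    memcpy(user_out, r, sizeof *r);     /* padding, reserved and font_obj leak */
}

/* Hardened pattern: zero the local first, and scrub any kernel address before
 * the structure crosses the user/kernel boundary. */
void hardened_get_outline(uint16_t width, outline_result *user_out)
{
    outline_result *r = &stack_frame;
    memset(r, 0, sizeof *r);            /* fix 1: initialize every byte */
    r->glyph_width = width;
    r->font_obj = KERNEL_SPACE_START + 0x1234000ULL; /* kernel-side use only */
    if (is_kernel_pointer(r->font_obj))
        r->font_obj = 0;                /* fix 2: scrub before copy-out */
    memcpy(user_out, r, sizeof *r);
}

/* User-side check: every byte after glyph_width should be zero. */
int leaked_bytes(const outline_result *out)
{
    const uint8_t *b = (const uint8_t *)out;
    int n = 0;
    for (size_t i = sizeof out->glyph_width; i < sizeof *out; i++)
        if (b[i] != 0)
            n++;
    return n;
}

/* Run one variant against a primed frame; hardened != 0 selects the fixed path. */
int leaked_bytes_for(int hardened)
{
    outline_result out;
    prime_stack_residue();
    if (hardened) hardened_get_outline(7, &out); else vulnerable_get_outline(7, &out);
    return leaked_bytes(&out);
}

int kernel_pointer_leaked_for(int hardened)
{
    outline_result out;
    prime_stack_residue();
    if (hardened) hardened_get_outline(7, &out); else vulnerable_get_outline(7, &out);
    return is_kernel_pointer(out.font_obj);
}

int main(void)
{
    printf("vulnerable: %d stale bytes, kernel pointer leaked: %d\n",
           leaked_bytes_for(0), kernel_pointer_leaked_for(0));
    printf("hardened:   %d stale bytes, kernel pointer leaked: %d\n",
           leaked_bytes_for(1), kernel_pointer_leaked_for(1));
    return 0;
}
```

The vulnerable path returns the 6 padding bytes, the untouched reserved field and the stale kernel pointer; the hardened path returns only the requested field. Note that the pointer scrub is a separate fix from the memset: zeroing the local does not help when the kernel deliberately writes a kernel address into a field that is later copied out.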

Exploitation

Patch Analysis

Detection

YARA Rule

rule CVE_2024_38256_Win32k {
    meta:
        description = "Flags the win32k.sys build recorded as vulnerable to CVE-2024-38256 (10.0.22621.3958)"
        cve = "CVE-2024-38256"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        // OriginalFilename in the VERSIONINFO resource is UTF-16, hence "wide"
        $driver_name = "win32k.sys" wide ascii nocase
        // FileVersion of the vulnerable build. This matches that one build only;
        // earlier unpatched builds carry different version strings
        $vuln_build = "10.0.22621.3958" wide ascii
        // win32k.sys does not export its NtGdi* syscalls by name, so these
        // strings only match if the symbol names survive in the image
        $func_glyph = "NtGdiGetGlyphOutline" ascii
        $func_internal = "GreGetGlyphOutlineInternal" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($func_*)
}

On current Windows 10/11 builds the GDI implementation is split across win32k.sys, win32kbase.sys and win32kfull.sys, so run the rule against all three and confirm it fires on a known-vulnerable sample before relying on the function-name clause.

ETW Indicators

  • Microsoft-Windows-Kernel-Audit: syscall audit events for GDI operations. Intended to surface NtGdiGetGlyphOutline invocations that reach the uninitialized read path. Caveat: no inbox ETW provider emits a named per-call event for this syscall; the NT Kernel Logger's system-call tracing (EVENT_TRACE_FLAG_SYSTEMCALL) records only the syscall entry address, which must be resolved to the function, and no arguments.
  • Microsoft-Windows-Security-Auditing: Event 4688 (Process Creation). Records process creation only, not API calls or call rates; use it for parent/child, user and command-line context on a process that other telemetry shows calling the glyph APIs at high frequency.
  • Microsoft-Windows-Win32k: GDI object allocation / deallocation events. Tracks GDI object churn, which pairs with the glyph outline buffer allocations the vulnerable path performs while its stack locals are not fully initialized.

Behavioral Indicators

  • Repeated calls to NtGdiGetGlyphOutline with varied glyph indices from a low-privilege process in a short window, indicating systematic kernel memory harvesting rather than font rendering
  • User-mode process reading GDI output buffers and scanning them for canonical x64 kernel addresses (0xFFFF800000000000 and above) to defeat KASLR
  • Anomalous GDI handle creation rates from processes that do not normally perform font rendering
  • Process without a GUI context issuing win32k syscalls through its own direct syscall stubs instead of the exported stubs in win32u.dll (which gdi32.dll calls into), so that the return address of the syscall falls outside those system DLLs
  • Information disclosure used as a precursor stage, followed by a secondary exploit targeting a separate EoP vulnerability that needs the leaked addresses
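The first indicator above (many calls with varied glyph indices from one process in a short window) is the one that can be turned into a concrete check. The following detector is an added example, not code from the original page or from KernelSight: it assumes a hypothetical per-call trace record (pid, timestamp, glyph index), sorted by time, as a custom syscall tracer would produce, since no inbox ETW event carries the glyph index. The sample trace is constructed inline and includes a normal renderer and a tight loop over a single glyph, both of which must not be flagged.

```c
/*
 * Added example, not from the original page: a minimal detector for the
 * "varied glyph indices in a short window" indicator. The record format,
 * thresholds and the sample trace are all hypothetical/constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t pid;
    uint64_t t_ms;        /* timestamp in milliseconds, trace sorted by this */
    uint32_t glyph_index; /* glyph/character argument of the call */
} glyph_call;

/* Tunables: a renderer warming a glyph cache fetches a few dozen glyphs over
 * time; a harvester fetches hundreds of distinct glyphs back to back. */
#define WINDOW_MS     100
#define MIN_CALLS      32
#define MIN_DISTINCT   16
#define MAX_TRACKED  1024

/* Returns 1 if some WINDOW_MS window starting at a call of `pid` contains at
 * least MIN_CALLS calls by that pid touching at least MIN_DISTINCT indices. */
int pid_is_harvesting(const glyph_call *t, size_t n, uint32_t pid)
{
    for (size_t i = 0; i < n; i++) {
        if (t[i].pid != pid) continue;
        uint32_t seen[MAX_TRACKED];
        size_t calls = 0, distinct = 0;
        for (size_t j = i; j < n && t[j].t_ms - t[i].t_ms <= WINDOW_MS; j++) {
            if (t[j].pid != pid) continue;
            calls++;
            int dup = 0;
            for (size_t k = 0; k < distinct; k++)
                if (seen[k] == t[j].glyph_index) { dup = 1; break; }
            if (!dup && distinct < MAX_TRACKED)
                seen[distinct++] = t[j].glyph_index;
        }
        if (calls >= MIN_CALLS && distinct >= MIN_DISTINCT) return 1;
    }
    return 0;
}

/* Constructed sample trace (hypothetical pids and timings). */
#define SAMPLE_MAX 256
static size_t build_sample_trace(glyph_call *out)
{
    size_t n = 0;
    /* pid 1000: ordinary text renderer, 8 glyphs spread over 2 seconds */
    for (uint32_t i = 0; i < 8; i++)
        out[n++] = (glyph_call){1000, 250ULL * i, 'A' + i};
    /* pid 2000: tight loop, but always the same glyph (not a harvest) */
    for (uint32_t i = 0; i < 40; i++)
        out[n++] = (glyph_call){2000, 3000ULL + i, 'Z'};
    /* pid 4242: 64 distinct glyph indices in 64 ms */
    for (uint32_t i = 0; i < 64; i++)
        out[n++] = (glyph_call){4242, 5000ULL + i, i};
    return n;
}

/* Verdict for one pid over the constructed trace: 1 = flagged, 0 = clean. */
int sample_verdict(uint32_t pid)
{
    glyph_call trace[SAMPLE_MAX];
    size_t n = build_sample_trace(trace);
    return pid_is_harvesting(trace, n, pid);
}

int main(void)
{
    uint32_t pids[] = {1000, 2000, 4242};
    for (size_t i = 0; i < sizeof pids / sizeof pids[0]; i++)
        printf("pid %u: %s\n", pids[i],
               sample_verdict(pids[i]) ? "FLAGGED" : "clean");
    return 0;
}
```

The distinct-index requirement is what separates harvesting from a busy but legitimate caller: a process re-rendering one character in a loop hits the call-rate threshold yet is not flagged. Tune WINDOW_MS and the minimums against your own baseline of GUI processes before deploying.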

References