Exploit Chain Patterns

The 5 recurring chain shapes that turn a kernel bug into SYSTEM -- from initial corruption through privilege escalation.

The Meta-Chain

Every kernel exploit in the corpus follows a variation of the same 7-stage progression. Individual stages may be skipped (BYOVD chains skip stages 1--3 entirely), but the shape holds.

FIG — The 7-Stage Kernel Exploitation Pipeline

Not all stages are always needed. BYOVD chains skip 1--3. Some chains skip stage 4 if the primitive doesn't require leaked addresses.

Stage	Action	Typical Techniques
1. Initial Corruption	Trigger the bug	Crafted file, IOCTL with bad length, race condition window
2. Memory Control	Shape kernel pool layout	Pool spray via named pipes, I/O Ring, WNF state data
3. Primitive Acquisition	Convert corruption into R/W	Corrupt pipe attributes, palette/bitmap objects, I/O Ring buffers
4. KASLR Defeat	Leak kernel base or object addresses	NtQuerySystemInformation, security descriptor corruption, prefetch side-channel
5. Privilege Target	Locate the escalation object	Find current process token, PreviousMode field, or EPROCESS
6. Escalation	Modify the target	Token swap, PreviousMode flip, privilege bit-set, DACL corruption
7. Post-Exploitation	Use gained privileges	Spawn SYSTEM shell, inject into protected process, deploy payload

Chain Archetypes

A. File Format Corruption + Pool Spray + Arbitrary Write + Token Swap

The classic CLFS exploitation pattern. A crafted on-disk structure embeds corrupted offsets that cause the kernel parser to write outside its allocation. Pool spray places a controlled object adjacent to the parser allocation, and the OOB write corrupts it into an arbitrary R/W primitive.

Flow: Corrupt BLF metadata → trigger reparse → OOB write into adjacent pool → corrupt pipe attribute / WNF / I/O Ring → stable R/W → token swap → SYSTEM

CVEs using this pattern:

• CVE-2025-29824 -- CLFS log metadata corruption, Storm-2460 / RansomEXX campaign
• CVE-2023-28252 -- CLFS base log offset corruption, Nokoyawa ransomware
• CVE-2024-49138 -- CLFS heap overflow in LoadContainerQ
• CVE-2022-37969 -- CLFS SignaturesOffset OOB write

This archetype works because file system and log drivers parse complex on-disk structures in kernel context. The same pattern applies to ntfs.sys (CVE-2025-24993) and fastfat.sys (CVE-2025-24985) where crafted VHD or FAT images trigger kernel heap corruption during mount.

B. Race Condition + UAF + Pool Spray + Bit Manipulation + Token Escalation

The most common afd.sys and win32k exploitation pattern. Two threads race to create a use-after-free -- one thread frees an object while another still holds a stale pointer. Pool spray reclaims the freed memory with a controlled object, and the stale pointer dereference corrupts it.

Flow: Race two threads → UAF on socket/window object → spray named pipes or palettes into freed slot → build R/W primitive → bit-manipulation or token swap → SYSTEM

CVEs using this pattern:

• CVE-2026-21241 -- afd.sys notification UAF, RtlSetBit/RtlClearAllBits bit-manipulation primitive
• CVE-2024-38193 -- afd.sys Registered I/O UAF, Lazarus Group campaign
• CVE-2025-24983 -- win32k UAF from race condition
• CVE-2025-62215 -- ntoskrnl double-free from race

The bit-manipulation primitive variant (CVE-2026-21241) matters because RtlSetBit and RtlClearAllBits are kCFG-compliant -- they pass control flow integrity checks that block traditional function pointer overwrites.

C. TOCTOU + Controlled Kernel Write + Token Swap

This pattern skips pool spray entirely. The attacker remaps or modifies a user buffer between the kernel's validation read and its use, producing a write to an attacker-chosen kernel address.

Flow: Map user buffer → trigger kernel validation → flip buffer contents from another thread → kernel uses corrupted value → write hits attacker-chosen address → token swap → SYSTEM

CVEs using this pattern:

• CVE-2024-30088 -- ntoskrnl TOCTOU in AuthzBasepCopyoutInternalSecurityAttributes
• CVE-2024-38106 -- ntoskrnl missing lock around VslpEnterIumSecureMode

This chain is harder to exploit reliably because the race window is narrow. Attackers typically run thousands of attempts, relying on the kernel to stay stable through failed races. The fix: capture user data into a kernel buffer in a single copy (see Patch Patterns).

D. IOCTL Auth Bypass + Direct Kernel R/W + Rootkit Deployment

No memory corruption needed. The driver exposes physical memory mapping, MSR access, or another dangerous primitive through an IOCTL that any user can reach. The attacker opens the device, sends a few IOCTLs, and gets full kernel R/W.

Flow: Open device handle → send IOCTL with target address → read/write kernel memory directly → locate EPROCESS → token swap or callback manipulation → deploy rootkit

CVEs using this pattern:

• CVE-2024-21338 -- appid.sys IOCTL missing access control, Lazarus FudModule rootkit
• CVE-2021-21551 -- Dell DBUtil arbitrary R/W
• CVE-2015-2291 -- Intel iqvw64e.sys arbitrary R/W, most-abused BYOVD driver
• Capcom.sys -- direct ring-0 code execution via MmGetSystemRoutineAddress callback

This is the BYOVD archetype. The driver is the vulnerability. No exploit development needed beyond a client that sends the right IOCTLs. Ransomware groups and APTs routinely drop signed vulnerable drivers to bypass EDR -- see BYOVD.

E. Arithmetic Primitive + PreviousMode Flip + Full R/W + Token Swap

Built on a single decrement or increment. The attacker uses the arithmetic primitive to flip the PreviousMode field in the current thread's KTHREAD structure, turning kernel address-space access checks from enforced to bypassed. With PreviousMode set to KernelMode, ordinary Nt* system calls can read and write arbitrary kernel memory.

Flow: Trigger decrement-by-one → target KTHREAD.PreviousMode → flip from UserMode (1) to KernelMode (0) → use NtReadVirtualMemory/NtWriteVirtualMemory for full R/W → token swap → SYSTEM

CVEs using this pattern:

• CVE-2025-3464 -- AsIO3.sys auth bypass + ObfDereferenceObject decrement-by-one
• CVE-2024-26229 -- csc.sys missing access check, used with PreviousMode flip

This archetype works well because the primitive needed is minimal -- a single controlled decrement. The PreviousMode manipulation technique converts it into full kernel R/W without any pool spray or heap layout control. See also Arb Increment/Decrement.

Terminal Goals

All five chain archetypes converge on the same small set of escalation targets:

1. Token swap -- Copy the SYSTEM process token into the current process. The most common terminal goal, used in ~70% of the corpus. See Token Swapping.

2. Privilege bit-set -- Set SE_DEBUG_PRIVILEGE or SE_ASSIGNPRIMARYTOKEN_PRIVILEGE bits directly in the token. Used when the attacker wants to avoid replacing the entire token.

3. PreviousMode flip -- Change KTHREAD.PreviousMode from UserMode to KernelMode. Gives the attacker full R/W via system calls. See PreviousMode Manipulation.

4. DACL corruption -- Null out the security descriptor on a protected process. Used in CVE-2026-21241 via SepMediumDaclSd corruption. See ACL / SD Manipulation.

Cross-References

• Corpus Analytics -- data behind these patterns
• Patch Patterns -- how Microsoft fixes each chain
• Primitives -- the building blocks within each chain
• Mitigations -- kernel defenses that block stages of these chains
• Bit-Manipulation Primitives -- the kCFG-compliant technique used in archetype B