
Overview

KernelSight

A structured knowledge base for Windows kernel driver exploitation, organized as a pipeline from driver identification through privilege escalation. Covers 156 real CVEs across Microsoft inbox and third-party BYOVD drivers.

Recent Updates

Date        What's New
2026-03-12  KDU Provider Compatibility and LOLDrivers Deep Analysis updated with full 1,775-driver Tier 2 Ghidra results. 1,404 KDU-compatible (79%), 354 Tier 2 confirmed, 122 confirmed MapDriver candidates with physical + virtual memory primitives reachable from IOCTL handlers. All mitigations, ROP gadgets, and I/O methods scored.
2026-03-01  Backfill: 13 case studies added for 2022-2024 CVEs with published exploit research. CLFS ransomware chain (CVE-2022-24521, CVE-2022-35803, CVE-2023-23376), Project Zero registry audit (CVE-2022-34707, CVE-2023-23420), DEVCORE kernel streaming (CVE-2024-30090, CVE-2024-30084, CVE-2024-38144), activation context bugs (CVE-2022-22047, CVE-2022-41073). Corpus now at 147 CVEs, 57 exploited ITW.
2026-03-01  New guide: Why Kernel Drivers? Covers what hardware enforces, what only Ring 0 can do, user-mode alternatives, the security cost, and Microsoft's trajectory toward constraining kernel code.
2026-02-28  New guides: Corpus Analytics, Exploit Chain Patterns, Patch Patterns, Mitigation Timeline, Anatomy of a Secure Driver. New deep dives: afd.sys, win32k, ntfs.sys.
2026-02-28  58 new case studies added across afd.sys, clfs.sys, win32k, dwmcore.dll, ntfs.sys, ntoskrnl, plus new drivers: rasman.sys, storvsp.sys, dxgkrnl.sys, msfs.sys. BYOVD additions include Paragon BioNTdrv siblings, TfSysMon.sys, STProcessMonitor.sys.
2026-02-28  25 new case studies for 2025-2026 kernel CVEs: ITW zero-days in afd.sys, clfs.sys, DWM, ntoskrnl, win32k, Hyper-V; BYOVD via Paragon, NSecKrnl, EnPortv.
2026-02-28  CVE-2025-3464 / CVE-2025-1533: AsIO3.sys auth bypass + stack overflow via decrement-by-one, PreviousMode flip, token theft.
2026-02-25  CVE-2026-21241: afd.sys notification UAF with bit-manipulation primitive, DACL corruption, token privilege escalation.
2026-02-25  New technique: Bit-Manipulation Primitives. Expanded: ACL / SD Manipulation, KASLR Bypasses.

[Figure 1: The Exploitation Pipeline. Stages: Driver Type (which component?) -> Attack Surface (how is it reached?) -> Vuln Class (what went wrong?) -> Primitive (what do you gain?) -> Case Study (real-world CVEs). Mitigations intersect every stage; Tooling & Automation supports the whole pipeline.]

Each stage links to a section of this knowledge base.


The Analysis Pipeline

  1. Driver Types

    Identify the kernel component — file system, network stack, Win32k, core kernel, vendor utility, GPU — and understand its role, IRP patterns, and historical vulnerability profile. 12 categories covering 64 unique drivers.

  2. Attack Surfaces

    Map how user-mode code reaches the driver — IOCTL handlers, filesystem IRPs, ALPC, shared memory. Determines what an attacker can control.

  3. Vulnerability Classes

    Classify the bug — buffer overflow, type confusion, TOCTOU, use-after-free — and understand the corruption it enables. 10 classes with typical primitives gained.

  4. Primitives

    Convert the bug into a capability — arbitrary read/write, pool spray, token swap. 19 techniques split between arbitrary read/write primitives and exploitation building blocks.

  5. Case Studies

    Walk through the full chain for 147 real CVEs — root cause, exploitation path, patch analysis, and detection rules. 57 exploited in the wild, including 38 third-party BYOVD drivers.

  6. Mitigations

    Understand the defenses — SMEP/SMAP, kCFG/kCET, VBS/HVCI, pool hardening — and which primitives they block. Cross-cuts every pipeline stage.

  7. Tooling

    Static analysis, fuzzing, kernel debugging, and AutoPiff integration for automated vulnerability detection across driver patches.

  8. Guides

    Cross-cutting analysis that synthesizes patterns from the corpus: what makes a driver secure, what the common mistakes look like, and how to avoid them.


Corpus

156 CVE case studies  ·  64 unique drivers  ·  57 exploited in the wild  ·  2 remotely exploitable
12 driver type categories  ·  57 technique pages  ·  80+ AutoPiff detection rules
1,775 LOLDrivers analyzed  ·  354 Tier 2 Ghidra confirmed  ·  122 confirmed MapDriver candidates

Data & Analysis

The pipeline above covers how kernel drivers get exploited. For a data-driven view of which drivers are most dangerous, see the Reference section — 1,775 LOLDrivers analyzed with automated Ghidra decompilation, scored for weaponisability, and mapped to KDU provider compatibility.