Vulnerability Classes
Driver Type → Attack Surface → Vuln Class → Primitive → Case Study
Once attacker-controlled input reaches the kernel through an attack surface, the question becomes: what goes wrong? Vulnerability classes describe the category of bug: the specific failure in validation, memory management, or concurrency control that turns that input into memory corruption or a privilege-boundary violation.
FIG_004 — Bug to Primitive Flow
Each trigger condition leads to a corruption type, which in turn yields a specific exploitation primitive.
Categories
| Class | Description | Typical Primitive | Key CVEs |
|---|---|---|---|
| Buffer Overflow | Stack and pool (kernel heap) buffer overflows from unchecked lengths | Pool Overflow, Pool Spray | CVE-2024-30085, CVE-2023-28252 |
| Integer Overflow | Arithmetic wrap/underflow in a size or count computation | Undersized alloc → Pool Overflow | CVE-2024-38063, CVE-2024-38054 |
| Type Confusion | Object of one type handled through the layout of another | Write-What-Where | CVE-2023-36802, CVE-2022-21882 |
| TOCTOU / Double-Fetch | Value re-read from user memory after it was validated (time-of-check to time-of-use) | Depends on raced field (size → overflow, ptr → ARW) | CVE-2024-30088, CVE-2024-38106 |
| Use-After-Free | Dangling pointer dereferenced after the object is freed | Pool Spray reclaim of the freed chunk | CVE-2024-38193, CVE-2023-29336 |
| Race Conditions | Missing or incorrect synchronization between concurrent kernel paths | UAF, double-free, state corruption | CVE-2024-38106, CVE-2024-30089 |
| Uninitialized Memory | Uninitialized stack/pool contents returned to user mode (kernel memory disclosure) | KASLR bypass via leaked pointers | CVE-2023-32019, CVE-2024-38256 |
| Arbitrary R/W Primitives | Driver functionality that reads or writes a caller-supplied kernel address | Direct IOCTL arbitrary read/write | CVE-2024-21338, CVE-2023-21768 |
| NULL Deref | NULL pointer dereference | DoS (BSOD); code exec only on legacy systems that allowed mapping the NULL page | CVE-2024-35250 |
| Logic Bugs | Design-level logic errors (missing or wrong authorization/state checks) | Direct privilege escalation | CVE-2024-26229, CVE-2024-21302 |
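The Integer Overflow and TOCTOU / Double-Fetch rows are easiest to see side by side in code. The following is an added example, not code from the page or from any real driver: a hypothetical IOCTL handler that takes a user-supplied `count`/`elem_size` header, computes the buffer size with a 32-bit multiply that wraps, and fetches the header fields again after validating them. The hardened version captures the header once, uses an overflow-checked multiply (the portable stand-in here is `__builtin_mul_overflow`; `RtlSizeTMult` plays that role in a Windows driver) and caps the request. The copy loop contains a bounds check a real driver would not have, purely so the demo reports the out-of-bounds write instead of performing it. The request header, `MAX_REQ_BYTES` and all inputs are constructed for this example.

```c
/* Added example: integer overflow -> undersized allocation -> pool overflow,
 * plus the double fetch that rides along with it. Hypothetical handler;
 * builds on any host with gcc or clang, no kernel needed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct req_hdr {           /* hypothetical user-supplied header */
    uint32_t count;        /* number of elements that follow the header */
    uint32_t elem_size;    /* bytes per element */
};

#define MAX_REQ_BYTES (64u * 1024u)   /* hypothetical sane upper bound */

enum result { REQ_OK = 0, REQ_REJECTED = 1, REQ_POOL_OVERFLOW = 2 };

/* Models one read of user-mode memory; every call is a separate fetch. */
static uint32_t fetch_u32(const uint8_t *user, size_t off)
{
    uint32_t v;
    memcpy(&v, user + off, sizeof v);
    return v;
}

/* Element-by-element copy into the driver's pool chunk. The bounds check is
 * only here so the demo reports the overflow instead of writing past the chunk. */
static enum result copy_elements(uint8_t *pool, size_t pool_len, const uint8_t *src,
                                 uint32_t count, uint32_t elem_size)
{
    size_t off = 0;
    for (uint32_t i = 0; i < count; i++) {
        if (off + elem_size > pool_len)
            return REQ_POOL_OVERFLOW;   /* real driver: out-of-bounds pool write here */
        memcpy(pool + off, src + off, elem_size);
        off += elem_size;
    }
    return REQ_OK;
}

/* Vulnerable: 32-bit product wraps, the length check passes on the wrapped
 * value, the allocation is undersized, and the fields are fetched again. */
static enum result vuln_handler(const uint8_t *user_buf, size_t user_len)
{
    if (user_len < sizeof(struct req_hdr))
        return REQ_REJECTED;
    uint32_t total = fetch_u32(user_buf, offsetof(struct req_hdr, count)) *
                     fetch_u32(user_buf, offsetof(struct req_hdr, elem_size));  /* wraps mod 2^32 */
    if (user_len - sizeof(struct req_hdr) < total)
        return REQ_REJECTED;
    uint8_t *pool = malloc(total ? total : 1);   /* stands in for ExAllocatePool */
    if (!pool)
        return REQ_REJECTED;
    /* second fetch: a racing user thread could change these between check and use */
    enum result r = copy_elements(pool, total, user_buf + sizeof(struct req_hdr),
                                  fetch_u32(user_buf, offsetof(struct req_hdr, count)),
                                  fetch_u32(user_buf, offsetof(struct req_hdr, elem_size)));
    free(pool);
    return r;
}

/* Hardened: single capture of the header, overflow-checked multiply, explicit
 * cap, and every later use goes through the captured copy. */
static enum result hardened_handler(const uint8_t *user_buf, size_t user_len)
{
    struct req_hdr h;
    size_t total;
    if (user_len < sizeof h)
        return REQ_REJECTED;
    memcpy(&h, user_buf, sizeof h);    /* one fetch; validate and use only this copy */
    if (__builtin_mul_overflow((size_t)h.count, (size_t)h.elem_size, &total) ||
        total > MAX_REQ_BYTES || user_len - sizeof h < total)
        return REQ_REJECTED;
    uint8_t *pool = malloc(total ? total : 1);
    if (!pool)
        return REQ_REJECTED;
    enum result r = copy_elements(pool, total, user_buf + sizeof h, h.count, h.elem_size);
    free(pool);
    return r;
}

/* Constructed request: header followed by data_len filler bytes, fed to one handler. */
static enum result run_case(uint32_t count, uint32_t elem_size, size_t data_len, bool hardened)
{
    struct req_hdr h = { count, elem_size };
    size_t len = sizeof h + data_len;
    uint8_t *buf = malloc(len);
    if (!buf)
        return REQ_REJECTED;
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, 0x41, data_len);
    enum result r = hardened ? hardened_handler(buf, len) : vuln_handler(buf, len);
    free(buf);
    return r;
}

int main(void)
{
    /* 0x10000001 * 0x10 = 0x1_0000_0010; truncated to 32 bits it is 0x10, so the
     * vulnerable path allocates 16 bytes and then tries to copy 4 GiB into them. */
    static const char *names[] = { "OK", "REJECTED", "POOL_OVERFLOW" };
    printf("benign   vuln=%s hardened=%s\n", names[run_case(4, 8, 32, false)],
           names[run_case(4, 8, 32, true)]);
    printf("overflow vuln=%s hardened=%s\n", names[run_case(0x10000001u, 0x10u, 16, false)],
           names[run_case(0x10000001u, 0x10u, 16, true)]);
    return 0;
}
```

The overflow input needs only 16 bytes of user data: the wrapped size is 16, the length check is satisfied, and the second element's write would land past the allocation. Note that a vulnerable driver that happens to use a 64-bit multiply but still reads `count` a second time remains exploitable through the TOCTOU row alone, which is why the hardened path fixes both at once.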