A critical Windows Registry Elevation of Privilege vulnerability has been identified as CVE-2024-43641. The flaw affects various editions of Windows Server 2025, Windows 10, and Windows 11, and has been assigned a CVSS v3.1 score of 7.8, indicating high severity.
The vulnerability stems from an integer overflow or wraparound in the Windows Registry, potentially allowing attackers to execute arbitrary code with elevated privileges.
Specifically vulnerable are x64 and ARM64-based systems, as well as some 32-bit systems running Windows versions from Server 2008 to Server 2025 and Windows 10 to Windows 11.
The discovery of this vulnerability class, termed “False File Immutability” (FFI), is attributed to Gabriel Landau’s recent research presented at BlueHat IL 2024 and REcon Montreal 2024.
FFI occurs when code assumes files cannot be modified because they were opened without FILE_SHARE_WRITE. However, in certain scenarios, attackers can modify files even when write sharing is denied, leading to double-read vulnerabilities.
PoC Exploit Released – CVE-2024-43641
The exploit leverages a design oversight in Windows registry hive memory management. During the loading of registry hives, under specific memory pressure conditions, it’s possible for the same memory pages to be fetched, evicted, and re-read from the underlying medium.
This creates a security issue where a malicious SMB server could respond with different data on both requests, potentially breaking the kernel’s assumptions.
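The double-read pattern described here, and under FFI above, as an added illustration that is not code from the page, from Gabriel Landau's research, or from the Project Zero PoC: a constructed backing store that answers a re-read of the same page with different bytes (standing in for the SMB server), a parser that checks a length field on the first fetch but uses the second, and the read-once alternative that validates and uses a single private copy. All names, the page format and the sample bytes are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_LEN    8   /* toy "page": 4-byte little-endian length + 4 payload bytes */
#define PAYLOAD_MAX 4   /* largest length the parser may accept */

/* Model of the backing medium (constructed). The reader believes the file is
 * immutable because it was opened without FILE_SHARE_WRITE, but the server
 * behind it may answer a re-read of the same page with different bytes. */
typedef struct {
    const uint8_t *first;  /* bytes served to the first read of the page */
    const uint8_t *later;  /* bytes served once the page is evicted and re-read */
    int reads;
} backing_store;
static const uint8_t kFirstPage[PAGE_LEN] = { 0x04, 0, 0, 0, 'a', 'b', 'c', 'd' };
static const uint8_t kLaterPage[PAGE_LEN] = { 0x40, 0, 0, 0, 'a', 'b', 'c', 'd' };

static void page_read(backing_store *bs, uint8_t *dst) {
    memcpy(dst, bs->reads++ == 0 ? bs->first : bs->later, PAGE_LEN);
}
static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Double-read: the length is validated on the first fetch, the page is then
 * evicted and fetched again, and the second copy is used without re-checking.
 * Returns the length the caller goes on to trust, or -1 if rejected. */
int run_double_read(void) {
    backing_store bs = { kFirstPage, kLaterPage, 0 };
    uint8_t page[PAGE_LEN];
    page_read(&bs, page);
    if (le32(page) > PAYLOAD_MAX) return -1;   /* check: sees 4, passes */
    page_read(&bs, page);                      /* eviction, then re-read from the medium */
    return (int)le32(page);                    /* use: sees 64, past the 4-byte payload */
}

/* Read-once: copy the page into private memory once, validate that copy and
 * use only that copy; later bytes from the medium never reach the parser. */
int run_read_once(void) {
    backing_store bs = { kFirstPage, kLaterPage, 0 };
    uint8_t page[PAGE_LEN];
    page_read(&bs, page);
    uint32_t len = le32(page);
    if (len > PAYLOAD_MAX) return -1;
    return (int)len;                           /* the same bytes that were validated */
}

int main(void) {
    printf("double-read trusts length %d, read-once trusts length %d (limit %d)\n",
           run_double_read(), run_read_once(), PAYLOAD_MAX);
    return 0;
}
```

The hardened variant is the shape of the fix the page refers to: whatever is validated is a private copy that the medium can no longer change between check and use.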
Mateusz Jurczyk of Google Project Zero, who shared the PoC, demonstrated the exploit using a Linux-based SMB server running Python scripts to manipulate the hive file. The PoC successfully worked on Windows 11 23H2 with the July 2024 patches installed.
To reproduce the vulnerability, researchers used a test environment with a Windows 11 VM (4 GB RAM) and a separate Linux VM running a Python-based SMB server.
The exploit involves preparing a large hive file (around 900 MB), creating memory pressure, and using a malicious SMB server to replace hive data in consecutive read requests.
The exploit relies on the layout of the bin header structure in the Windows Registry, which allows an attacker to set a controlled number of bits to 1 at a controlled out-of-bounds offset relative to an arbitrarily sized buffer. This results in a powerful memory corruption primitive[5].
Microsoft has acknowledged the vulnerability and released KB5036980 Preview with one of the suggested fixes. The fix reached general availability for Windows 11 23H2 as KB5037771, although testing on other platforms remains pending[4].
As always, users and system administrators are advised to apply the latest security updates and remain vigilant against potential exploits. The cybersecurity community continues to monitor the situation for any signs of active exploitation in the wild.