CVE-2023-21674 — Microsoft Windows Advanced Local Procedure Call (ALPC) Privilege Escalation Vulnerability

CVE-2023-21674

Windows ALPC — Use-After-Free → Sandbox Escape and SYSTEM Privilege Escalation; January 2023 Zero-Day; Discovered by Avast

What is Windows ALPC?

Advanced Local Procedure Call (ALPC) is Windows' high-performance kernel-level inter-process communication (IPC) mechanism, used extensively throughout the operating system. ALPC lets processes at different privilege levels exchange messages, transfer data, and call into system services. Browser renderer processes, which run in a low-privilege sandbox, communicate with higher-privileged Windows services over ALPC; applications call into kernel subsystems via ALPC; and security-sensitive operations such as process token manipulation go through ALPC-connected services. This privileged communication role makes ALPC vulnerabilities highly valuable as sandbox escape primitives: an attacker who achieves code execution in a sandboxed process (e.g., a browser renderer) can use an ALPC use-after-free to break out of the sandbox and escalate to SYSTEM privileges through kernel-level code execution.

Overview

CVE-2023-21674 is a use-after-free vulnerability (CWE-416) in the Windows ALPC subsystem that allows a local attacker with standard user privileges to escalate to SYSTEM, breaking out of sandboxed execution environments. It was patched in the January 2023 Patch Tuesday as an actively exploited zero-day — simultaneously added to the CISA KEV catalog on January 10, 2023. The vulnerability was discovered by Avast Threat Intelligence researchers (Jan Vojtěšek, Milánek, and Luigino Camastra).

The CVSS score of 8.8 and the S:C (scope changed) metric reflect that successful exploitation crosses the sandbox boundary, a particularly high-value capability. CVE-2023-21674 was almost certainly deployed as the second stage of browser exploit chains, providing the privilege escalation needed to fully compromise a system after initial code execution in a sandboxed renderer process.

Affected Versions

Product                                 | Affected | Fixed
Windows 10 (multiple versions)          | Yes      | January 2023 cumulative update
Windows 11 (multiple versions)          | Yes      | January 2023 cumulative update
Windows Server 2008 R2 through 2022     | Yes      | January 2023 cumulative update

Technical Details

A use-after-free (CWE-416) in the ALPC kernel subsystem occurs when an ALPC port object or message is freed from kernel heap memory while a reference or pointer to it remains accessible. The race or ordering condition allows an attacker to:

  1. Create an ALPC port — establish a connection to a Windows ALPC service that exercises the vulnerable code path
  2. Free the ALPC object — trigger the kernel to free the underlying kernel heap object (via a specific sequence of ALPC API calls or concurrent operations)
  3. Reclaim freed memory — cause a separate kernel allocation to occupy the freed memory with attacker-controlled data
  4. Use the dangling pointer — when the kernel accesses the freed object through the stale pointer, it operates on the attacker-controlled data — enabling overwriting of kernel control structures, process security tokens, or function pointers to achieve SYSTEM privileges

The S:C scope change is the critical aspect: an attacker starting in a browser renderer sandbox (which restricts Win32 API access and runs at low integrity) can send ALPC messages to the vulnerable kernel code path through the constrained sandbox channel, achieving kernel-level code execution outside the sandbox.

Discovery

Avast Threat Intelligence researchers (Jan Vojtěšek, Milánek, and Luigino Camastra) discovered CVE-2023-21674 being actively exploited in the wild and reported it to Microsoft. The simultaneous KEV addition on Patch Tuesday confirms the zero-day designation — attackers had already weaponized this vulnerability before Microsoft released the patch.

Exploitation Context

ALPC privilege escalation vulnerabilities are preferred by advanced threat actors for sandbox escape because:

  • ALPC is a fundamental Windows IPC mechanism accessible even from low-privilege sandboxed processes
  • ALPC UAF exploits can achieve kernel code execution without relying on browser-specific primitives that may be patched or mitigated
  • The exploit bypasses common mitigations including DEP, ASLR, and Control Flow Guard when combined with kernel information leak techniques

In a typical deployment chain, CVE-2023-21674 would be used after initial code execution in a browser renderer sandbox — e.g., after exploiting a V8 type confusion or WebKit UAF — to escalate to SYSTEM, disable EDR agents, dump LSASS credentials, or install persistent malware. The January 2023 timing coincides with sustained browser exploit chain activity across Chrome, Edge, and WebKit zero-days in late 2022 and early 2023.

Remediation

  1. Apply the January 2023 Windows cumulative update — patches CVE-2023-21674 in all affected Windows versions.
  2. Maintain monthly Windows patching — ALPC vulnerabilities recur, and the January 2023 update also fixes a range of other privilege escalation issues from the same cycle.
  3. Deploy endpoint detection for LPE behavioral patterns — detecting unprivileged processes spawning SYSTEM-privileged children, unexpected privilege token manipulation, or low-integrity processes making unusual kernel calls provides a behavioral signal of ALPC-based sandbox escapes.
  4. Enable Microsoft Defender Attack Surface Reduction (ASR) rules — rules that block browser child processes and code injection limit the blast radius of exploit chains that use browser renderers as the initial foothold.
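Remediation step 3 names the behavioral signal: a non-SYSTEM, and especially a low-integrity sandboxed, process appearing as the parent of a SYSTEM process. The following added example (not from this page or from Microsoft) runs that correlation over constructed Sysmon Event ID 1-style records, linking each SYSTEM child to its parent by ProcessGuid and rating the alert by the parent's integrity level at creation time. The field names follow Sysmon; the GUIDs, paths and user names are made up.

```python
# Constructed Sysmon-style process-creation records (Event ID 1 field names;
# GUIDs, paths and users are made up for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessGuid": "{P1}", "ParentProcessGuid": "{P0}", "Image": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    {"ProcessGuid": "{P2}", "ParentProcessGuid": "{P1}", "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    {"ProcessGuid": "{P3}", "ParentProcessGuid": "{P2}", "Image": r"C:\Program Files\Browser\browser.exe",
     "User": r"CORP\alice", "IntegrityLevel": "Medium"},
    # Sandboxed renderer: same user, low integrity.
    {"ProcessGuid": "{P4}", "ParentProcessGuid": "{P3}", "Image": r"C:\Program Files\Browser\browser.exe",
     "User": r"CORP\alice", "IntegrityLevel": "Low"},
    # The signal: a low-integrity renderer is the parent of a SYSTEM child.
    {"ProcessGuid": "{P5}", "ParentProcessGuid": "{P4}", "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    # Medium-integrity user process with a SYSTEM child: lower confidence, still worth a look.
    {"ProcessGuid": "{P6}", "ParentProcessGuid": "{P3}", "Image": r"C:\Users\alice\tool.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
]

SYSTEM_USERS = {r"NT AUTHORITY\SYSTEM"}
SANDBOX_LEVELS = {"Low", "AppContainer"}


def find_suspicious_escalations(events):
    """Return alerts for SYSTEM children whose parent was not running as SYSTEM.

    Parent and child are linked through ProcessGuid so the parent's integrity
    level at creation time can rate the alert: a Low/AppContainer parent (a
    sandbox) creating a SYSTEM process is the high-confidence escape pattern.
    """
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for child in events:
        if child["User"] not in SYSTEM_USERS:
            continue
        parent = by_guid.get(child["ParentProcessGuid"])
        if parent is None or parent["User"] in SYSTEM_USERS:
            continue  # parent outside the window, or normal SYSTEM-to-SYSTEM lineage
        severity = "high" if parent["IntegrityLevel"] in SANDBOX_LEVELS else "medium"
        alerts.append({"severity": severity, "parent_image": parent["Image"],
                       "parent_integrity": parent["IntegrityLevel"],
                       "child_image": child["Image"], "child_guid": child["ProcessGuid"]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_escalations(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['parent_image']} ({a['parent_integrity']}) -> {a['child_image']}")
```

Legitimate elevation (UAC, service starts, scheduled tasks) is parented by SYSTEM brokers such as svchost.exe or services.exe, so the SYSTEM-parent exclusion keeps those paths quiet; tune SYSTEM_USERS and SANDBOX_LEVELS to match what your collector actually emits.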

Key Details

Property             | Value
CVE ID               | CVE-2023-21674
Vendor / Product     | Microsoft — Windows
NVD Published        | 2023-01-10
NVD Last Modified    | 2025-10-30
CVSS 3.1 Score       | 8.8
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-416
CISA KEV Added       | 2023-01-10
CISA KEV Deadline    | 2023-01-31
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector:       Local
Attack Complexity:   Low
Privileges Required: Low
User Interaction:    None
Scope:               Changed
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2023-01-31. Apply updates per vendor instructions.

Timeline

Date       | Event
2023-01-10 | Microsoft January 2023 Patch Tuesday — CVE-2023-21674 patched as an actively exploited zero-day; CVE published and CISA KEV entry added on the same day
2023-01-31 | CISA BOD 22-01 remediation deadline

References

Resource                                    | Type
Microsoft Security Response Center Advisory | Vendor Advisory
NVD — CVE-2023-21674                        | Vulnerability Database
CISA KEV Catalog Entry                      | US Government