CVE-2024-35250 — Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference Vulnerability

Windows Kernel Streaming Service — Untrusted Pointer Dereference in ks.sys Enables SYSTEM LPE; DEVCORE Pwn2Own Discovery

What is the Windows Kernel Streaming Service?

The Windows Kernel Streaming Service (ks.sys) is a kernel-mode driver that provides a framework for streaming audio and video data between hardware devices (sound cards, webcams, capture cards) and applications. It manages internal data structures called filter graphs and pins that represent streaming pipelines and exposes an IOCTL interface that allows user-mode applications to configure and control the streaming pipeline. Because ks.sys is accessible from any user-mode process that opens a streaming device, it represents a broad attack surface for local privilege escalation.

Overview

CVE-2024-35250 is an untrusted pointer dereference vulnerability in the Windows Kernel Streaming Service driver (ks.sys) that allows a local, low-privileged attacker to escalate to SYSTEM. The vulnerability was discovered and demonstrated by the DEVCORE research team at Pwn2Own Vancouver 2024. Microsoft patched it in the June 2024 Patch Tuesday release; CISA added it to the KEV catalog in December 2024 — six months after the patch — confirming that threat actors exploited the publicly known vulnerability against unpatched systems.

Affected Versions

OS                                     Status
Windows 10 (all supported versions)    Patched, June 2024 Patch Tuesday
Windows 11 (all supported versions)    Patched, June 2024 Patch Tuesday
Windows Server 2019 and later          Patched, June 2024 Patch Tuesday

Technical Details

CWE-822 (Untrusted Pointer Dereference). The ks.sys driver processes IOCTL requests from user-mode applications, including requests that pass data structures containing embedded pointers. A flaw in the driver's validation logic allows a user-mode caller to supply a crafted structure with an attacker-controlled pointer value. When the driver dereferences this pointer without adequate validation, the kernel reads from or writes to an arbitrary memory address chosen by the attacker.

The typical exploitation path: send a crafted IOCTL to ks.sys with an embedded pointer to a controlled kernel address → trigger the untrusted dereference → achieve a read or write primitive → use the primitive to overwrite the calling process's security token with SYSTEM-level privileges. The Low Attack Complexity (AC:L) rating indicates the exploit is reliable without requiring timing or race conditions — the untrusted pointer can be directly specified in the IOCTL payload.

DEVCORE demonstrated this vulnerability as part of a local privilege escalation chain at Pwn2Own, which typically involves combining it with a preceding step that places a malicious binary on the system.

Discovery

Discovered by DEVCORE security researchers and demonstrated at Pwn2Own Vancouver 2024. DEVCORE is a Taiwanese security research firm known for chaining multiple vulnerabilities into complete intrusion scenarios; their Pwn2Own submission likely combined CVE-2024-35250 with an initial code execution bug to achieve a complete local privilege escalation chain.

Exploitation Context

Pwn2Own demonstrations are a reliable signal that a vulnerability is both fully exploitable and will eventually appear in the wild — the research is thorough and public details surface after the competition. The six-month delay from June patch to December KEV addition is consistent with a pattern where threat actors wait for a PoC or detailed write-up to emerge post-patch, then weaponize it against enterprises that have not applied the update. The absence of ransomware use in the CISA catalog entry may reflect that exploitation was detected in targeted intrusion campaigns rather than mass ransomware deployments.

Remediation

  1. Apply the June 2024 Windows security updates (Patch Tuesday, June 11, 2024) to all affected systems — prioritize any Windows system that has not received security updates since May 2024.
  2. Enable virtualization-based security (VBS) and Hypervisor-Protected Code Integrity (HVCI) to increase the difficulty of kernel driver exploitation.
  3. Consider restricting access to streaming device IOCTLs via application control policies if kernel streaming functionality is not required on high-value systems (servers, admin workstations).
  4. Monitor for unusual process privilege changes or unexpected SYSTEM-level processes created from low-privilege user sessions.
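The following PowerShell script is an added example for verifying remediation steps 1 and 2 on a host; it is not part of this advisory and not code from Microsoft or DEVCORE. It assumes an elevated session, uses the Win32_DeviceGuard WMI class for VBS/HVCI state, and uses a placeholder for the June 2024 cumulative update KB number, which this page does not name and which differs per Windows build.

```powershell
# Added example (not from the advisory): check CVE-2024-35250 remediation state on one host.
# Run from an elevated PowerShell session.
# PLACEHOLDER: substitute the June 2024 cumulative update KB for this host's Windows build
# (look it up in the Microsoft Update Catalog); the advisory does not list the KB number.
$JuneCumulativeKb = 'KB<June-2024-cumulative-update-for-this-build>'   # assumption / placeholder

$result = [ordered]@{}

# --- Remediation step 1: patch level ---------------------------------------------------
# Get-HotFix reads Win32_QuickFixEngineering, which lists cumulative updates by KB id.
$installed = Get-HotFix -ErrorAction SilentlyContinue
$result['JuneKbInstalled'] = [bool]($installed | Where-Object { $_.HotFixID -eq $JuneCumulativeKb })

# Any cumulative update installed on or after 2024-06-11 supersedes the June fix, so the
# most recent install date is a useful second signal even if the exact KB id differs.
$latest = $installed |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$result['LatestUpdateInstalledOn'] = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { 'none' }
$result['UpdatedSince2024-06-11']  = [bool]($latest -and $latest.InstalledOn -ge [datetime]'2024-06-11')

# Record the ks.sys file version actually on disk so it can be compared with the
# patched version published in the KB article for this build.
$ksPath = Join-Path $env:SystemRoot 'System32\drivers\ks.sys'
$result['KsSysVersion'] = if (Test-Path $ksPath) { (Get-Item $ksPath).VersionInfo.FileVersion } else { 'not present' }

# --- Remediation step 2: VBS / HVCI -----------------------------------------------------
# Win32_DeviceGuard exposes the running state of virtualization-based security.
#   VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
#   SecurityServicesRunning: contains 2 when HVCI (memory integrity) is running
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$result['VbsRunning']  = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
$result['HvciRunning'] = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

# A host is considered remediated for this CVE only when the patch is present; VBS/HVCI
# raise the cost of kernel exploitation but do not substitute for the update.
$result['Remediated'] = $result['JuneKbInstalled'] -or $result['UpdatedSince2024-06-11']

[pscustomobject]$result | Format-List
```

Win32_QuickFixEngineering does not enumerate every update type, so treat the KB check and the install-date check as complementary and confirm against the ks.sys file version when a host reports neither. For fleet-wide use, wrap the body in Invoke-Command against a list of hosts and collect the objects centrally.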

Key Details

Property               Value
CVE ID                 CVE-2024-35250
Vendor / Product       Microsoft — Windows
NVD Published          2024-06-11
NVD Last Modified      2025-10-28
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-822
CISA KEV Added         2024-12-16
CISA KEV Deadline      2025-01-06
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-01-06. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-03-20   DEVCORE demonstrates CVE-2024-35250 at Pwn2Own Vancouver 2024
2024-06-11   Microsoft releases June 2024 Patch Tuesday, patching CVE-2024-35250
2024-12-16   Added to CISA Known Exploited Vulnerabilities catalog — confirms active exploitation six months after the patch
2025-01-06   CISA BOD 22-01 remediation deadline