CVE-2024-38106 — Microsoft Windows Kernel Privilege Escalation Vulnerability

Windows Kernel — Zero-Day Race Condition Enables SYSTEM Privilege Escalation; Patched August 2024 Patch Tuesday

What is the Windows Kernel?

The Windows NT kernel (ntoskrnl.exe) is the core of the Windows operating system, managing memory, processes, threads, I/O, and hardware abstraction for all user-mode and kernel-mode components. It runs with the highest privilege level on the system (Ring 0) and has direct access to all hardware and memory. Local privilege escalation vulnerabilities in the Windows kernel allow an attacker who already has code execution at a limited privilege level to elevate to SYSTEM — the highest privilege level — by exploiting flaws in how the kernel manages concurrent access to sensitive data structures.

Overview

CVE-2024-38106 is a race condition vulnerability in the Windows kernel that allows a local, low-privileged attacker to escalate privileges to SYSTEM by winning a timing-dependent race condition in a kernel code path. Microsoft and CISA simultaneously disclosed this as a zero-day on August 13, 2024, with the same-day KEV addition confirming active in-the-wild exploitation as part of the August 2024 Patch Tuesday zero-day cluster. The CVSS Attack Complexity is High (AC:H) due to the race condition requirement, but exploit developers routinely loop the race hundreds or thousands of times per second to achieve reliable exploitation.

Affected Versions

OS | Status
Windows 10 (all supported versions) | Patched August 2024 Patch Tuesday
Windows 11 (all supported versions) | Patched August 2024 Patch Tuesday
Windows Server 2012 and later | Patched August 2024 Patch Tuesday

Technical Details

CWE-591 (Sensitive Data Storage in Improperly Locked Memory). Race conditions in the Windows kernel occur when multiple threads or concurrent execution paths access shared kernel data structures without proper synchronization. An attacker who can trigger a specific kernel operation from user space multiple times simultaneously can cause a time-of-check/time-of-use (TOCTOU) condition — where the kernel checks a security-relevant value, then the attacker races to modify it before the kernel acts on it, causing the kernel to operate on attacker-controlled data with elevated trust.

Winning the race escalates the attacker's process token or access privileges to SYSTEM level, which enables credential theft from LSASS, disabling security software, installing kernel-mode drivers, or any other action that requires SYSTEM privilege.
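
The check-then-use pattern described under Technical Details, shown beside its hardened form. This is an added generic illustration, not code from the original page and not the code path behind CVE-2024-38106, which the page does not describe. All names (`struct request`, `racing_writer`, `consume_*`) are hypothetical, and the race window is modelled by a deterministic hook in a single user-mode thread.

```c
#include <stddef.h>
#include <string.h>

#define LIMIT 16   /* bytes the consumer is allowed to write */
#define ARENA 64   /* LIMIT bytes of buffer followed by unrelated state */

/* Constructed stand-in for a request in memory that another thread can write. */
struct request { volatile size_t len; unsigned char data[ARENA]; };

/* Hypothetical hook modelling a concurrent writer that runs in the race window;
   it makes the interleaving deterministic instead of timing-dependent. */
typedef void (*race_hook)(struct request *);
void racing_writer(struct request *r) { r->len = ARENA; }

/* Flawed: len is fetched at check time and again at use time. */
int consume_double_fetch(unsigned char *arena, struct request *r, race_hook window)
{
    if (r->len > LIMIT) return -1;            /* time of check */
    if (window) window(r);                    /* shared value changes here */
    memcpy(arena, r->data, r->len);           /* time of use: unchecked value */
    return 0;
}

/* Hardened: fetch once into private storage, then check and use the copy. */
int consume_single_fetch(unsigned char *arena, struct request *r, race_hook window)
{
    size_t len = r->len;                      /* single captured snapshot */
    if (len > LIMIT) return -1;
    if (window) window(r);                    /* later writes have no effect */
    memcpy(arena, r->data, len);
    return 0;
}

/* Runs one consumer against a fresh arena; returns 1 if bytes past LIMIT changed. */
int state_past_limit_corrupted(int (*consume)(unsigned char *, struct request *, race_hook))
{
    unsigned char arena[ARENA];
    struct request r;
    size_t i;
    memset(arena, 0x00, sizeof arena);
    memset(r.data, 0xAA, sizeof r.data);      /* constructed payload bytes */
    r.len = 8;                                /* value that passes the check */
    consume(arena, &r, racing_writer);
    for (i = LIMIT; i < ARENA; i++)
        if (arena[i] != 0x00) return 1;
    return 0;
}
```

The same rule applies to any value read from memory a less-trusted party can write: validate and act on one private copy, or hold a lock across both the check and the use.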

Discovery

Microsoft's Patch Tuesday release and the simultaneous CISA KEV addition on August 13, 2024 confirmed this vulnerability as a zero-day. The August 2024 Patch Tuesday was notable for patching six zero-days simultaneously, including CVE-2024-38107, CVE-2024-38178, CVE-2024-38189, and CVE-2024-38193, some of which were used by North Korean APTs in the same period.

Exploitation Context

Windows kernel privilege escalation zero-days are exploited as the second stage in multi-step attack chains: after initial access via a browser exploit, phishing, or web application compromise, the kernel LPE completes the privilege escalation to SYSTEM. The August 2024 cluster of Windows zero-days coincided with the Citrine Sleet / Lazarus Group campaign using Chrome V8 exploits (CVE-2024-7971, CVE-2024-7965) combined with Windows kernel privilege escalation for full OS compromise.

Remediation

  1. Apply the August 2024 Windows security updates (Patch Tuesday, August 13, 2024) to all affected systems.
  2. Prioritize patching internet-facing systems and any systems that handle sensitive data, as kernel LPE is most impactful when combined with an initial access vulnerability.
  3. Enable Windows Defender Credential Guard and virtualization-based security (VBS) to limit the impact of SYSTEM-level access on credential theft.

Key Details

Property | Value
CVE ID | CVE-2024-38106
Vendor / Product | Microsoft — Windows
NVD Published | 2024-08-13
NVD Last Modified | 2025-10-28
CVSS 3.1 Score | 7
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-591
CISA KEV Added | 2024-08-13
CISA KEV Deadline | 2024-09-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-09-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-08-13 | Microsoft releases August 2024 Patch Tuesday; CISA adds to KEV the same day — confirming zero-day exploitation
2024-09-03 | CISA BOD 22-01 remediation deadline
