CVE-2024-38107 — Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability

Windows PDC Driver — Zero-Day Use-After-Free Enables SYSTEM Privilege Escalation; August 2024 Patch Tuesday

What is the Windows Power Dependency Coordinator?

The Windows Power Dependency Coordinator (pdc.sys) is a kernel-mode driver that manages power state dependencies between system components — coordinating which devices and services must be active or suspended during power transitions (sleep, hibernate, wake). As a kernel driver, it runs with the highest system privilege and manages internal data structures representing device and process power state relationships. Use-after-free vulnerabilities in kernel drivers like PDC are exploitable because they corrupt kernel memory, providing attackers with read/write primitives that can be escalated to SYSTEM privilege.

Overview

CVE-2024-38107 is a use-after-free vulnerability in the Windows Power Dependency Coordinator kernel driver that allows a local, low-privileged attacker to escalate privileges to SYSTEM. Microsoft and CISA simultaneously disclosed this as a zero-day on August 13, 2024, as part of the August Patch Tuesday cluster that included five other zero-days. Its Attack Complexity is rated Low (unlike CVE-2024-38106, a race condition), which means this vulnerability is reliably exploitable without timing-dependent techniques, making it particularly useful as a post-exploitation privilege escalation primitive.

Affected Versions

OS                                     Status
Windows 10 (all supported versions)    Patched August 2024 Patch Tuesday
Windows 11 (all supported versions)    Patched August 2024 Patch Tuesday
Windows Server 2008 R2 and later       Patched August 2024 Patch Tuesday

Technical Details

CWE-416 (Use-After-Free). The PDC driver allocates and frees kernel objects representing power dependency relationships between components. A flaw in the driver's lifecycle management causes a reference to a freed kernel object to remain accessible to user-space-triggered code paths. When the stale pointer is subsequently dereferenced — a condition that a local attacker can reliably trigger — the freed memory (potentially repurposed by the kernel allocator for another object) is read or written with kernel privileges. The typical exploitation sequence:

  1. Trigger the use-after-free to achieve a controlled kernel write primitive.
  2. Overwrite a kernel security token or process privilege structure for the attacker's process.
  3. The attacker's process is now running with SYSTEM privileges.

Unlike race condition-based kernel exploits, use-after-free bugs with deterministic trigger conditions (AC:L) have high reliability in practice.

Discovery

Confirmed as a zero-day by the simultaneous Microsoft Patch Tuesday release and CISA KEV addition. The August 2024 cluster of six Windows zero-days represents an unusually large number of simultaneously exploited kernel vulnerabilities, likely reflecting multiple independent threat actors or a single sophisticated actor with multiple exploit modules.

Exploitation Context

Windows kernel UAF privilege escalation bugs are reliably exploited as part of post-initial-access attack chains — the same context as CVE-2024-38106 (kernel race condition, same month) and CVE-2024-38193 (AFD.sys UAF, same month, used by North Korea's Lazarus Group). Having multiple concurrent kernel LPE zero-days available significantly reduces an attacker's risk: if one exploit is detected or patched, others remain available.

Remediation

  1. Apply the August 2024 Windows security updates (Patch Tuesday, August 13, 2024) to all affected systems.
  2. Enable virtualization-based security (VBS) and Hypervisor-Protected Code Integrity (HVCI) on supported hardware — these technologies significantly increase the difficulty of kernel exploitation by protecting kernel code integrity.
  3. Monitor for unusual privilege changes or unexpected SYSTEM-level process creation following low-privilege execution.
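
One way to implement the monitoring in step 3, as an added example that is not part of the original advisory: after a token overwrite, the process keeps its PID but its children inherit SYSTEM, so a SYSTEM process whose parent was logged starting as an ordinary user at Low or Medium integrity is worth triage. The record fields (host, pid, ppid, user, integrity, image) and the sample events are constructed for this example and are assumptions about how your process-creation telemetry is normalized.

```python
import json

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
LOW_INTEGRITY = {"Low", "Medium"}

# Constructed sample, oldest first. Field names are assumptions for this
# example; map them from your own process-creation telemetry.
SAMPLE_LOG = r"""
{"host":"ws01","pid":612,"ppid":500,"user":"NT AUTHORITY\\SYSTEM","integrity":"System","image":"services.exe"}
{"host":"ws01","pid":1200,"ppid":612,"user":"NT AUTHORITY\\SYSTEM","integrity":"System","image":"svchost.exe"}
{"host":"ws01","pid":4100,"ppid":4000,"user":"CORP\\alice","integrity":"Medium","image":"explorer.exe"}
{"host":"ws01","pid":5200,"ppid":4100,"user":"CORP\\alice","integrity":"Medium","image":"tool.exe"}
{"host":"ws01","pid":5300,"ppid":5200,"user":"NT AUTHORITY\\SYSTEM","integrity":"System","image":"cmd.exe"}
{"host":"ws01","pid":5400,"ppid":4100,"user":"CORP\\alice","integrity":"Medium","image":"notepad.exe"}
{"host":"ws02","pid":5300,"ppid":5200,"user":"NT AUTHORITY\\SYSTEM","integrity":"System","image":"agent.exe"}
"""


def find_suspicious_elevations(log_text):
    """Return SYSTEM process creations whose parent was logged starting as a
    non-SYSTEM user at Low/Medium integrity on the same host."""
    seen = {}      # (host, pid) -> latest creation record; overwrite handles PID reuse
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        parent = seen.get((ev["host"], ev["ppid"]))
        # A parent outside the log window is unknown, so it is not flagged.
        if (parent is not None
                and ev["user"].upper() == SYSTEM_USER
                and parent["user"].upper() != SYSTEM_USER
                and parent["integrity"] in LOW_INTEGRITY):
            findings.append({
                "host": ev["host"], "pid": ev["pid"], "image": ev["image"],
                "parent_pid": parent["pid"], "parent_image": parent["image"],
                "parent_user": parent["user"],
            })
        seen[(ev["host"], ev["pid"])] = ev
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_elevations(SAMPLE_LOG):
        print("ALERT", hit)
```

Events must be fed in chronological order per host. A hit is a triage lead, not proof of exploitation of this CVE.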

Key Details

Property               Value
CVE ID                 CVE-2024-38107
Vendor / Product       Microsoft — Windows
NVD Published          2024-08-13
NVD Last Modified      2025-10-28
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-416
CISA KEV Added         2024-08-13
CISA KEV Deadline      2024-09-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-09-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-08-13   Microsoft releases August 2024 Patch Tuesday patching six zero-days; CISA adds CVE-2024-38107 to KEV the same day
2024-09-03   CISA BOD 22-01 remediation deadline

References

Resource                                       Type
Microsoft Security Advisory — CVE-2024-38107   Vendor Advisory
NVD — CVE-2024-38107                           Vulnerability Database
CISA KEV Catalog Entry                         US Government