The vulnerability in vkrnlintvsp.sys (VkiRootAdjustSecurityDescriptorForVmwp()) stems from insufficient validation of the Dacl AclSize field in a Security Descriptor. Since this value is user-controlled, an attacker can trigger an integer overflow in the ExAllocatePool2() size calculation, leading to a heap-based buffer overflow , allowing a local attacker to exploit them for privilege escalation. The steps performed by the exploit are: Sprays WNF objects to control heap layout. Calls NtCreateCrossVmEvent with a malicious Security Descriptor to overflow a heap buffer. Frees corrupted WNF objects and replaces them with IORING RegBuffers and PipeAttribute objects. Uses IORING RegBuffers to hijack pointers and gain arbitrary kernel R/W. Locates system EPROCESS and copies its token to the target process. Overwrites the current process token to gain SYSTEM privileges. Restores corrupted objects to avoid crashes.
CVE Link
Exploit Platform
Exploit Type
Product Name