CVE-2006-6797

Microsoft Windows XP - Denial of Service or Memory Disclosure via NtRaiseHardError

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-6797. PoCs published by Ruben Santamarta.

AI-analyzed exploit summary This exploit targets a double-free vulnerability in Csrss.exe via NtRaiseHardError, leading to memory corruption in winsrv.dll. It attempts to overwrite controlled addresses and scan for heap chunks or data section overwrites.

Description

The Client Server Run-Time Subsystem (CSRSS) in Microsoft Windows allows local users to cause a denial of service (crash) or read arbitrary memory from csrss.exe via crafted arguments to the NtRaiseHardError function with status 0x50000018, a different vulnerability than CVE-2006-6696.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Ruben Santamarta · cdoswindows

https://www.exploit-db.com/exploits/3052

View Code ZIP pw:eip

This exploit targets a double-free vulnerability in Csrss.exe via NtRaiseHardError, leading to memory corruption in winsrv.dll. It attempts to overwrite controlled addresses and scan for heap chunks or data section overwrites.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: Microsoft Windows XP SP2

No auth needed

Prerequisites: Windows XP SP2 environment · Access to user-mode execution

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (14)

Core 14

Core References

Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp

http://www.securityfocus.com/archive/1/466331/100/200/threaded

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2013

Various Sources x_refsource_misc

http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=43

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://securitytracker.com/id?1017454

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/31176

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/23491

US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/740636

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-021

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2007/1325

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2006/5197

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/455365/100/0/threaded

Various Sources x_refsource_misc

http://www.reversemode.com/index.php?option=com_content&task=view&id=29&Itemid=2

US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/cas/techalerts/TA07-100A.html

Third Party Advisory third-party-advisory x_refsource_sreason

http://securityreason.com/securityalert/2086

Scores

EPSS 0.0679

EPSS Percentile 93.2%

Details

Status published

Products (1)

microsoft/windows_xp

Published Dec 28, 2006

Tracked Since Feb 18, 2026