CVE-2010-1888

Windows XP SP3 - Local Privilege Escalation via Thread Creation Race Condition

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-1888. PoCs published by Tavis Ormandy.

AI-analyzed exploit summary This exploit leverages a race condition in the Windows kernel's NtCreateThread function to restore an illegal execution state, potentially allowing unprivileged users to execute arbitrary code with kernel privileges. The PoC demonstrates the vulnerability by setting an invalid code segment (SegCs) and repeatedly calling NtCreateThread to trigger the race condition.

Description

Race condition in the kernel in Microsoft Windows XP SP3 allows local users to gain privileges via vectors involving thread creation, aka "Windows Kernel Data Initialization Vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED
by Tavis Ormandy · textdoswindows
https://www.exploit-db.com/exploits/14666

This exploit leverages a race condition in the Windows kernel's NtCreateThread function to restore an illegal execution state, potentially allowing unprivileged users to execute arbitrary code with kernel privileges. The PoC demonstrates the vulnerability by setting an invalid code segment (SegCs) and repeatedly calling NtCreateThread to trigger the race condition.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Microsoft Windows XP (Service Pack 3)
No auth needed
Prerequisites: Access to a vulnerable Windows XP system
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA10-222A.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11825

Scores

EPSS 0.0249
EPSS Percentile 82.6%

Details

CWE
CWE-362
Status published
Products (1)
microsoft/windows_xp
Published Aug 11, 2010
Tracked Since Feb 18, 2026