CVE-2010-1889

HIGH

Windows Vista SP1-SP2 & Server 2008 Gold-SP2 - Local Privilege Escalation via Kernel Error

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-1889. PoCs published by Tavis Ormandy.

AI-analyzed exploit summary: This exploit demonstrates a privilege escalation vulnerability in the Windows Kernel Transaction Manager (KTM) by reusing a transaction GUID, leading to an invalid free operation and potential arbitrary kernel code execution.

Description

Double free vulnerability in the kernel in Microsoft Windows Vista SP1 and SP2, and Windows Server 2008 Gold and SP2, allows local users to gain privileges via a crafted application, related to object initialization during error handling, aka "Windows Kernel Double Free Vulnerability."

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Tavis Ormandy · text · dos · windows
https://www.exploit-db.com/exploits/14667

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Vista, Windows Server 2008
No auth needed
Prerequisites: Access to a vulnerable Windows system
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA10-222A.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11044

Scores

CVSS v3: 7.8
EPSS: 0.0197
EPSS Percentile: 77.8%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-399
Status: published
Products (2):
microsoft/windows_server_2008 (7 CPE variants)
microsoft/windows_vista (4 CPE variants)
Published: Aug 11, 2010
Tracked Since: Feb 18, 2026