CVE-2010-4398

HIGH KEV

Microsoft Windows - Stack-based Buffer Overflow in RtlQueryRegistryValues via Crafted REG_BINARY Value

Title source: llm

Exploitation Summary

CVE-2010-4398 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 28, 2022. EIP tracks 1 public exploit from researchers including noobpwnftw.

AI-analyzed exploit summary: This entry describes a design flaw in the Windows Kernel API (RtlQueryRegistryValues) that can lead to privilege escalation. The provided PoC (available via a mirror link) demonstrates arbitrary kernel mode code execution, though it may cause BSOD on unsupported kernels.

Description

Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges, and bypass the User Account Control (UAC) feature, via a crafted REG_BINARY value for a SystemDefaultEUDCFont registry key, aka "Driver Improper Interaction with Windows Kernel Vulnerability."

Exploits (1)

exploitdb · WRITEUP · VERIFIED
by noobpwnftw · text · local · windows
https://www.exploit-db.com/exploits/15609

Classification
Writeup 80%
Attack Type
LPE (local privilege escalation)
Complexity
Moderate
Reliability
Racy
Target: Windows Vista/2008 (6.1.6000, 6.1.6001), Windows 7/2008 R2 (6.2.7600) x32/x64
Auth required
Prerequisites: User-level access on a vulnerable Windows system
devstral-2 · analyzed Feb 18, 2026

References (14)

Core References (14)
http://isc.sans.edu/diary.html?storyid=9988 (Exploit, Issue Tracking; x_refsource_misc)
http://www.securityfocus.com/bid/45045 (Broken Link, Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid)
http://www.exploit-db.com/exploits/15609/ (Exploit, Third Party Advisory, VDB Entry; exploit, x_refsource_exploit-db)
http://support.avaya.com/css/P8/documents/100127248 (Third Party Advisory; x_refsource_confirm)
http://www.vupen.com/english/advisories/2011/0324 (Broken Link; vdb-entry, x_refsource_vupen)
http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ (Broken Link, Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-011 (Patch, Vendor Advisory; vendor-advisory, x_refsource_ms)
http://www.securitytracker.com/id?1025046 (Broken Link, Third Party Advisory, VDB Entry; vdb-entry, x_refsource_sectrack)
http://www.kb.cert.org/vuls/id/529673 (Third Party Advisory, US Government Resource; third-party-advisory, x_refsource_cert-vn)
http://secunia.com/advisories/42356 (Broken Link, Vendor Advisory; third-party-advisory, x_refsource_secunia)

Scores

CVSS v3 7.8
EPSS 0.0775
EPSS Percentile 92.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-28
VulnCheck KEV 2016-04-01
InTheWild.io 2022-03-28
ENISA EUVD EUVD-2010-4367
CWE
CWE-787
Status published
Products (6)
microsoft/windows_7
microsoft/windows_server_2003
microsoft/windows_server_2008 (2 CPE variants)
microsoft/windows_server_2008 r2
microsoft/windows_vista (2 CPE variants)
microsoft/windows_xp (2 CPE variants)
Published Dec 06, 2010
KEV Added Mar 28, 2022
Tracked Since Feb 18, 2026