CVE-2020-17086

HIGH

Raw Image Extension < 1.0.32861.0 - Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-17086. PoCs published by T81oub.

AI-analyzed exploit summary: This PoC exploits a heap-based buffer overflow in the Windows CNG (Cryptography Next Generation) driver via a malformed IOCTL request, leading to a potential local privilege escalation (LPE). The overflow occurs due to an integer truncation when calculating buffer size, allowing controlled heap corruption.

Description

Raw Image Extension Remote Code Execution Vulnerability

Exploits (1)

nomisec WORKING POC
by T81oub · poc
https://github.com/T81oub/CVE-2020-17086

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows CNG driver (affected versions include Windows 10 and Windows Server 2019)
No auth needed
Prerequisites: Local access to the target system · Ability to execute arbitrary code on the target
mistral-large-3 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.0426
EPSS Percentile 89.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published
Products (1)
microsoft/raw_image_extension < 1.0.32861.0
Published Nov 11, 2020
Tracked Since Feb 18, 2026