CVE-2020-17087

Severity: HIGH · CISA KEV

Windows Kernel - Privilege Escalation


Exploitation Summary

CVE-2020-17087 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 5 public exploits from researchers including vp777, revengsh, raiden757.

AI-analyzed exploit summary:
This is a working proof-of-concept exploit for CVE-2020-17087, a Windows kernel pool overflow vulnerability in the BCrypt library. The exploit leverages a non-paged pool overflow to achieve arbitrary read/write primitives and ultimately escalate privileges.

Description

Windows Kernel Local Elevation of Privilege Vulnerability

Exploits (5)

nomisec · WORKING POC · 258 stars
by vp777 · poc
https://github.com/vp777/Windows-Non-Paged-Pool-Overflow-Exploitation

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 10 (1709+)
No auth needed
Prerequisites: Windows 10 (1709+) with vulnerable BCrypt library
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 4 stars
by revengsh · dos
https://github.com/revengsh/CVE-2020-17087

This PoC demonstrates a buffer overflow vulnerability in BCryptSetContextFunctionProperty due to improper size handling, leading to a heap overflow in NonPagedPoolNx. The exploit triggers the vulnerability by passing a crafted buffer size that results in an undersized allocation.

Classification: Working PoC (90%)
Attack type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Windows Cryptography API (BCrypt.dll)
No auth needed
Prerequisites: Windows system with vulnerable BCrypt.dll
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC
by raiden757 · poc
https://github.com/raiden757/CVE-2020-17087

This is a proof-of-concept exploit for CVE-2020-17087, a Windows kernel vulnerability in the BCrypt component. The exploit leverages a heap overflow to achieve arbitrary read/write primitives, targeting the SegmentHeap to escalate privileges.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Complex
Reliability: Racy
Target: Windows 10 (1709+)
No auth needed
Prerequisites: Windows 10 (1709 or later) · Access to a vulnerable system
Analyzed by devstral-2 on Feb 16, 2026
patchapalooza · WORKING POC
by hyunkk95 · local
https://gitlab.com/hyunkk95/cve-2020-17087

The repository contains a functional proof-of-concept exploit for CVE-2020-17087, a Windows kernel vulnerability in the CNG (Cryptography Next Generation) driver. The exploit demonstrates a heap-based buffer overflow via a maliciously crafted IOCTL request to the CNG device, leading to potential local privilege escalation.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Kernel (CNG driver)
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to execute arbitrary code on the target system
Analyzed by devstral-2 on Feb 23, 2026

Scores

CVSS v3 7.8
EPSS 0.2041
EPSS Percentile 95.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-10-22
InTheWild.io 2020-10-22
ENISA EUVD EUVD-2020-9042
CWE
CWE-131
Status published
Products (21)
microsoft/windows_10_1507 (2 CPE variants)
microsoft/windows_10_1607 (2 CPE variants)
microsoft/windows_10_1803 (3 CPE variants)
microsoft/windows_10_1809 (3 CPE variants)
microsoft/windows_10_1903 (3 CPE variants)
microsoft/windows_10_1909 (3 CPE variants)
microsoft/windows_10_2004 (3 CPE variants)
microsoft/windows_10_20h2 (2 CPE variants)
microsoft/windows_7
microsoft/windows_8.1
... and 11 more
Published Nov 11, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026