CVE-2022-29800

MEDIUM

Windows Defender for Endpoint - Time-of-check Time-of-use Race Condition

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-29800. PoCs published by ngtuonghung.

AI-analyzed exploit summary This exploit leverages CVE-2022-29800 (a symlink race condition in networkd-dispatcher) to achieve local privilege escalation by hijacking the D-Bus interface and manipulating symlinks to execute arbitrary payloads as root.

Description

A time-of-check-time-of-use (TOCTOU) race condition vulnerability was found in networkd-dispatcher. This flaw exists because there is a certain time between the scripts being discovered and them being run. An attacker can abuse this vulnerability to replace scripts that networkd-dispatcher believes to be owned by root with ones that are not.

Exploits (1)

nomisec WORKING POC
by ngtuonghung · poc
https://github.com/ngtuonghung/nimbuspwn-CVE-2022-29800-CVE-2022-29799

This exploit leverages CVE-2022-29800 (a symlink race condition in networkd-dispatcher) to achieve local privilege escalation by hijacking the D-Bus interface and manipulating symlinks to execute arbitrary payloads as root.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: networkd-dispatcher (versions prior to fix for CVE-2022-29800)
Auth required
Prerequisites: Local access to the target system · networkd-dispatcher installed and running · D-Bus system bus access
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 4.7
EPSS 0.0646
EPSS Percentile 92.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-367
Status published
Products (1)
microsoft/windows_defender_for_endpoint
Published Sep 21, 2022
Tracked Since Feb 18, 2026