CVE-2023-29336

HIGH KEV

Windows 10 1507 < 10.0.10240.19926 and 1607 < 10.0.14393.5921 - Use-After-Free in Win32k

Title source: llm

Exploitation Summary

CVE-2023-29336 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 9, 2023. EIP tracks 3 public exploits from researchers including Milad karimi, m-cetin, and numencyber.

AI-analyzed exploit summary: This exploit leverages a Win32k elevation of privilege vulnerability (CVE-2023-29336) by manipulating menu structures and memory corruption to achieve token stealing, ultimately escalating privileges to SYSTEM. The code includes shellcode execution and memory manipulation techniques.

Description

Win32k Elevation of Privilege Vulnerability

Exploits (3)

exploitdb WORKING POC
by Milad karimi · c · local · windows
https://www.exploit-db.com/exploits/52301

This exploit leverages a Win32k elevation of privilege vulnerability (CVE-2023-29336) by manipulating menu structures and memory corruption to achieve token stealing, ultimately escalating privileges to SYSTEM. The code includes shellcode execution and memory manipulation techniques.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows Server 2016
No auth needed
Prerequisites: Local access to the target system · Win32k vulnerability exposure
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 21 stars
by m-cetin · local
https://github.com/m-cetin/CVE-2023-29336

This repository contains a functional proof-of-concept exploit for CVE-2023-29336, a Win32k local privilege escalation vulnerability. The exploit leverages memory corruption in the Win32k component to escalate privileges to SYSTEM by manipulating menu structures and kernel objects.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (Win32k.sys)
Auth required
Prerequisites: Local access to a vulnerable Windows system · User-level privileges
devstral-2 · analyzed Feb 19, 2026

patchapalooza WORKING POC
by numencyber · local
https://github.com/numencyber/Vulnerability_PoC

The repository contains functional exploit code for multiple CVEs, including CVE-2023-29336, which demonstrates a network-based attack using crafted IPv6 ESP fragments. The PoC for CVE-2022-36537 includes a malicious JDBC driver that executes arbitrary commands, indicating a working exploit for RCE.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Multiple (e.g., Windows NDIS driver, MySQL JDBC, ZK Framework)
No auth needed
Prerequisites: Network access to target · Specific software versions vulnerable to the CVEs
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.8
EPSS 0.7666
EPSS Percentile 99.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2023-05-09
VulnCheck KEV 2023-05-09
InTheWild.io 2023-05-09
ENISA EUVD EUVD-2023-32910
CWE: CWE-416
Status: published
Products (7)
microsoft/windows_10_1507 < 10.0.10240.19926
microsoft/windows_10_1607 < 10.0.14393.5921
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_server_2016
Published May 09, 2023
KEV Added May 09, 2023
Tracked Since Feb 18, 2026