CVE-2023-36407

HIGH

Windows Hyper-V - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-36407. PoCs published by pwndorei, zha0.

AI-analyzed exploit summary This PoC exploits CVE-2023-36407, a Hyper-V Elevation of Privilege vulnerability, by triggering an out-of-bounds write in the `winhvr.sys!WinHvSetVpState` function via a maliciously crafted `DeviceIoControl` call, leading to a BSOD due to non-paged pool corruption.

Description

Windows Hyper-V Elevation of Privilege Vulnerability

Exploits (2)

nomisec WORKING POC 1 stars

by pwndorei · poc

https://github.com/pwndorei/CVE-2023-36407

View Code ZIP pw:eip

This PoC exploits CVE-2023-36407, a Hyper-V Elevation of Privilege vulnerability, by triggering an out-of-bounds write in the `winhvr.sys!WinHvSetVpState` function via a maliciously crafted `DeviceIoControl` call, leading to a BSOD due to non-paged pool corruption.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Hyper-V on Windows 11 22H2 x64 (pre-kb5031354)

Auth required

Prerequisites: Hyper-V enabled · Local access to the Hyper-V host · Unpatched system (pre-kb5031354)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by zha0 · poc

https://github.com/zha0/CVE-2023-36407

View Code ZIP pw:eip

This PoC exploits CVE-2023-36407 by injecting a DLL into a target process to trigger an out-of-bounds write via DeviceIoControl. The exploit leverages a vulnerable driver to achieve local privilege escalation.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: QEMU (specific version not specified)

No auth needed

Prerequisites: Access to a vulnerable QEMU process · Ability to inject DLL into the target process

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1106 - Native API

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Patch, Vendor Advisory vendor-advisory

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36407

Scores

CVSS v3 7.8

EPSS 0.0173

EPSS Percentile 74.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (5)

microsoft/windows_11_21h2 < 10.0.22000.2600

microsoft/windows_11_22h2 < 10.0.22621.2715

microsoft/windows_11_23h2 < 10.0.22631.2715

microsoft/windows_server_2022

microsoft/windows_server_2022_23h2 < 10.0.25398.531

Published Nov 14, 2023

Tracked Since Feb 18, 2026