CVE-2023-36802

HIGH KEV

Microsoft Streaming Service Proxy - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2023-36802 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 12, 2023. EIP tracks 5 public exploits from researchers including chompie1337, Nero22k, and x0rb3l.

Description

Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

Exploits (5)

nomisec WORKING POC 167 stars
by chompie1337 · local
https://github.com/chompie1337/Windows_MSKSSRV_LPE_CVE-2023-36802

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2023-36802, targeting the Microsoft Kernel Streaming Service (MSKSSRV) on Windows 11 22H2. The exploit leverages I/O Ring primitives to achieve SYSTEM privileges by manipulating kernel memory structures.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows 11 22H2 (MSKSSRV)
Auth required
Prerequisites: Local access to a vulnerable Windows 11 22H2 system · Process ID of the target process to elevate
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 112 stars
by Nero22k · local
https://github.com/Nero22k/cve-2023-36802

This exploit targets CVE-2023-36802, a vulnerability in Windows 10/11, leveraging object address leakage and pipe spraying to achieve local privilege escalation. The code includes functions for memory manipulation and kernel object interaction.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows 10/11
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 36 stars
by x0rb3l · local
https://github.com/x0rb3l/CVE-2023-36802-MSKSSRV-LPE

This is a functional proof-of-concept exploit for CVE-2023-36802, targeting a type confusion vulnerability in the Microsoft Kernel Streaming Service Proxy (MSKSSRV.sys) to achieve local privilege escalation (LPE) on Windows 11 22H2. The exploit leverages pipe spraying and kernel object manipulation to escalate privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows 11 22H2 (MSKSSRV.sys)
Auth required
Prerequisites: Local access to a vulnerable Windows 11 22H2 system · Ability to execute arbitrary code with low privileges
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 14 stars
by 4zur-0312 · local
https://github.com/4zur-0312/CVE-2023-36802

This exploit leverages CVE-2023-36802, a Windows kernel vulnerability, to achieve local privilege escalation (LPE) by manipulating kernel objects and token structures. It uses pool spraying and race conditions to overwrite critical kernel memory, ultimately replacing the current process token with the SYSTEM token.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (kernel)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by rahul0xkr · local
https://github.com/rahul0xkr/Reproducing-CVE-2023-36802

This repository contains a proof-of-concept exploit for CVE-2023-36802, targeting a Windows kernel vulnerability via io_uring operations. The exploit involves spraying non-paged pool memory and manipulating kernel objects to achieve local privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows Kernel (specific version not specified)
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.8
EPSS: 0.2610
EPSS Percentile: 97.7%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2023-09-12
VulnCheck KEV: 2023-09-12
InTheWild.io: 2023-09-12
ENISA EUVD: EUVD-2023-40740
CWE: CWE-416
Status: published
Products (7):
microsoft/windows_10_1809 < 10.0.17763.4851 (3 CPE variants)
microsoft/windows_10_21h2 < 10.0.19044.3448
microsoft/windows_10_22h2 < 10.0.19045.3448
microsoft/windows_11_21h2 < 10.0.22000.2416
microsoft/windows_11_22h2 < 10.0.22621.2275
microsoft/windows_server_2019 < 10.0.17763.4851
microsoft/windows_server_2022 < 10.0.20348.1970
Published: Sep 12, 2023
KEV Added: Sep 12, 2023
Tracked Since: Feb 18, 2026