CVE-2024-26229

HIGH EXPLOITED

Windows CSC Service - Elevation of Privilege via Heap-based Buffer Overflow

Title source: llm

Exploitation Summary

CVE-2024-26229 has been observed exploited in the wild (reported by VulnCheck KEV on 2024-11-19). EIP tracks 8 public exploits from researchers including RalfHacker, Cracked5pider and apkc. Every working PoC listed below is local: it needs code execution as a low-privileged user on an unpatched host (CVSS AV:L, PR:L) with the csc.sys driver loaded, and ends by swapping the caller's process token for SYSTEM's.

AI-analyzed exploit summary: This is a functional local privilege escalation (LPE) exploit for CVE-2024-26229, a Windows kernel vulnerability in csc.sys. It reaches the vulnerable code path through NtFsControlFile, uses the resulting kernel write for DKOM (Direct Kernel Object Manipulation), and overwrites the current process's EPROCESS token to obtain SYSTEM privileges.

Description

Windows CSC Service Elevation of Privilege Vulnerability

Exploits (8)

nomisec WORKING POC 140 stars
by RalfHacker · local
https://github.com/RalfHacker/CVE-2024-26229-exploit

This is a functional local privilege escalation (LPE) exploit for CVE-2024-26229, a Windows kernel vulnerability in csc.sys. It reaches the vulnerable code path through NtFsControlFile, uses the resulting kernel write for DKOM (Direct Kernel Object Manipulation), and overwrites the current process's EPROCESS token to obtain SYSTEM privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows (pre-April 2024 patches)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to compile and execute C code
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 40 stars
by Cracked5pider · local
https://github.com/Cracked5pider/eop24-26229

This repository contains a Firebeam plugin for exploiting CVE-2024-26229, a vulnerability in csc.sys that allows kernel R/W memory access to achieve local privilege escalation (LPE) by corrupting KTHREAD->PreviousMode and leveraging DKOM to copy the system process token.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows csc.sys (specific version not specified)
Auth required
Prerequisites: Low-privileged user access · Firebeam (kaine's RISC-V VM) plugin environment
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 27 stars
by apkc · local
https://github.com/apkc/CVE-2024-26229-BOF

This repository contains a functional proof-of-concept exploit for CVE-2024-26229, a Windows kernel vulnerability in the CSC driver. The exploit leverages arbitrary memory writes to achieve local privilege escalation (LPE) via token manipulation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows 11 22H2 Build 22621 (CSC driver)
No auth needed
Prerequisites: Access to a vulnerable Windows 11 system · Ability to execute arbitrary code in user mode
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP 12 stars
by team-MineDEV · poc
https://github.com/team-MineDEV/CVE-2024-26229

The repository contains a README describing CVE-2024-26229, a Windows CSC service privilege escalation vulnerability involving a heap-based buffer overflow. No exploit code is provided, only a description and a claim of bypassing Kaspersky/Windows Defender.

Classification
Writeup 30%
Attack Type
Lpe
Complexity
Theoretical
Reliability
Theoretical
Target: Windows CSC Service (version not specified)
No auth needed
Prerequisites: Access to a vulnerable Windows system with CSC service
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by 0xGunrunner · local
https://github.com/0xGunrunner/CVE-2024-26229-BOF

This repository contains a functional Beacon Object File (BOF) exploit for CVE-2024-26229, a Windows CSC driver local privilege escalation vulnerability. The exploit leverages DKOM (Direct Kernel Object Manipulation) to steal the SYSTEM token by corrupting KTHREAD->PreviousMode via a crafted IOCTL.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows 10 / Server 2019 (Build 19041+)
No auth needed
Prerequisites: CSC driver enabled (Start = 1) · x64 architecture · specific kernel offsets for EPROCESS->Token and KTHREAD->PreviousMode
devstral-2 · analyzed Apr 15, 2026
nomisec WORKING POC
by vettrivel007 · client-side
https://github.com/vettrivel007/CVE-2024-26229

This is a functional local privilege escalation (LPE) exploit for CVE-2024-26229 targeting Windows systems. It leverages a vulnerability in the CSC (Client-Side Caching) driver to manipulate kernel memory, ultimately stealing the SYSTEM token to elevate privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows (specific version not specified)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to compile and execute the exploit
devstral-2 · analyzed Apr 09, 2026
nomisec STUB
by mqxmm · poc
https://github.com/mqxmm/CVE-2024-26229

The repository contains only a README.md file referencing another GitHub repository for CVE-2024-26229, with no actual exploit code or technical details provided.

Classification
Stub 10%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by dkstar11q · poc
https://github.com/dkstar11q/CVE-2024-26229-lpe

This PoC exploits CVE-2024-26229, a vulnerability in the csc.sys driver on Windows 11 22H2, leveraging improper address validation in an IOCTL to achieve local privilege escalation (LPE) via DKOM (Direct Kernel Object Manipulation).

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows 11 22H2 (Build 22621) with csc.sys driver
No auth needed
Prerequisites: Access to a vulnerable Windows 11 22H2 system · Ability to execute arbitrary code in user mode
devstral-2 · analyzed Feb 16, 2026


Scores

CVSS v3 7.8
EPSS 0.8559
EPSS Percentile 99.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2024-11-19
CWE
CWE-122
Status published
Products (15)
microsoft/windows_10_1507 < 10.0.10240.20596 (2 CPE variants)
microsoft/windows_10_1607 < 10.0.14393.6897 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.5696
microsoft/windows_10_21h2 < 10.0.19044.4291
microsoft/windows_10_22h2 < 10.0.19045.4291
microsoft/windows_11_21h2 < 10.0.22000.2899
microsoft/windows_11_22h2 < 10.0.22621.3447
microsoft/windows_11_23h2 < 10.0.22631.3447
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
... and 5 more
Published Apr 09, 2024
Tracked Since Feb 18, 2026
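The following PowerShell check is an added example, not code from this page or from any of the repositories listed above. It turns the Products list into a patch check: it reads the host's CurrentBuildNumber and UBR, compares them against the fixed builds copied from that list, and reports the state of the csc.sys driver, since the working PoCs above require it to be loaded (the 0xGunrunner entry lists "Start = 1" as a prerequisite). Assumed, not taken from the page: the driver's service key is HKLM\SYSTEM\CurrentControlSet\Services\CSC and its Win32_SystemDriver name is CSC. The Server 2008 entries carry no build number on the page, so those hosts are reported as not in the list rather than guessed.

```powershell
# Added example (not from the page or any listed repository): patch and exposure
# check for CVE-2024-26229 based on the fixed builds in the Products list above.
# Assumptions: Offline Files driver service key 'CSC' and Win32_SystemDriver name 'CSC'.

# CurrentBuildNumber -> first patched UBR, copied from the Products list.
$FixedUbr = @{
    '10240' = 20596   # Windows 10 1507
    '14393' = 6897    # Windows 10 1607 (Server 2016 shares this build)
    '17763' = 5696    # Windows 10 1809 (Server 2019 shares this build)
    '19044' = 4291    # Windows 10 21H2
    '19045' = 4291    # Windows 10 22H2
    '22000' = 2899    # Windows 11 21H2
    '22621' = 3447    # Windows 11 22H2
    '22631' = 3447    # Windows 11 23H2
}

function Get-Cve202426229Exposure {
    [CmdletBinding()]
    param()

    $nt    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$nt.CurrentBuildNumber
    $ubr   = [int]$nt.UBR

    # Start = 1 is SERVICE_SYSTEM_START (the value the PoC prerequisites mention);
    # Start = 4 means the driver is disabled. Key name is an assumption (see lead-in).
    $cscKey   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CSC' -ErrorAction SilentlyContinue
    $cscStart = if ($null -ne $cscKey) { [int]$cscKey.Start } else { $null }
    $cscState = (Get-CimInstance Win32_SystemDriver -Filter "Name='CSC'" -ErrorAction SilentlyContinue).State

    # File version of the driver on disk, for correlating with the installed update.
    $cscFile    = Join-Path $env:SystemRoot 'System32\drivers\csc.sys'
    $cscVersion = if (Test-Path $cscFile) { (Get-Item $cscFile).VersionInfo.FileVersion } else { $null }

    $buildVulnerable = $null
    $status = "Build $build is not in the page's product list; check vendor guidance"
    if ($FixedUbr.ContainsKey($build)) {
        $buildVulnerable = $ubr -lt $FixedUbr[$build]
        $status = if ($buildVulnerable) {
            "Vulnerable: $build.$ubr is below fixed build $build.$($FixedUbr[$build])"
        } else {
            "Patched: $build.$ubr is at or above $build.$($FixedUbr[$build])"
        }
    }

    [pscustomobject]@{
        Build           = "$build.$ubr"
        Status          = $status
        BuildVulnerable = $buildVulnerable
        CscDriverStart  = $cscStart
        CscDriverState  = $cscState
        CscSysVersion   = $cscVersion
        # Exposed only when the build is unpatched and the driver is present and not disabled.
        Exposed         = ($buildVulnerable -eq $true) -and ($null -ne $cscStart) -and ($cscStart -ne 4)
    }
}

Get-Cve202426229Exposure | Format-List
```

The build comparison is the authoritative part: the April 2024 update is the fix, and a host at or above the listed build for its release line is patched regardless of the driver state. The driver fields are reported only to prioritise unpatched hosts, because every working PoC above talks to csc.sys and cannot reach the bug when the driver is disabled or not loaded; a missing or disabled driver is not a substitute for installing the update.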