CVE-2024-35250

HIGH KEV

Windows Kernel-Mode Driver - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2024-35250 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 16, 2024. EIP tracks 7 public exploits from researchers including yinsel, ro0tmylove and CrackerCat, among them a Metasploit module, exploits/windows/local/cve_2024_35250_ks_driver.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2024-35250, leveraging an untrusted pointer dereference (CWE-822) to achieve arbitrary read/write operations in kernel memory. The code includes helper functions for kernel object pointer retrieval, bitmap allocation, and process creation from a handle, targeting Windows 10/11 environments.

Description

Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

Exploits (7)

nomisec WORKING POC 24 stars
by yinsel · local
https://github.com/yinsel/CVE-2024-35250-BOF

This repository contains a functional exploit PoC for CVE-2024-35250, leveraging an untrusted pointer dereference (CWE-822) to achieve arbitrary read/write operations in kernel memory. The code includes helper functions for kernel object pointer retrieval, bitmap allocation, and process creation from a handle, targeting Windows 10/11 environments.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows 10 20H2 Build 19042, Windows 11 22H2 Build 22621
Auth required
Prerequisites: Medium Integrity Level access · VMware Workstation 17 Pro environment (Hyper-V not supported)
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 15 stars
by ro0tmylove · local
https://github.com/ro0tmylove/CVE-2024-35250-BOF

This repository contains a functional exploit PoC for CVE-2024-35250, leveraging an untrusted pointer dereference (CWE-822) in Windows kernel-mode drivers. The exploit includes arbitrary read/write primitives, kernel object pointer leakage, and process creation via handle manipulation, targeting Windows 10/11 and VMware Workstation 17 Pro.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows kernel-mode driver ks.sys (Kernel Streaming) on Windows 10/11
Auth required
Prerequisites: Medium Integrity Level access · VMware Workstation 17 Pro environment (Hyper-V unsupported)
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 8 stars
by CrackerCat · poc
https://github.com/CrackerCat/CVE-2024-35250

This repository contains a functional exploit PoC for CVE-2024-35250, targeting an untrusted pointer dereference vulnerability (CWE-822) in Windows systems. The code demonstrates arbitrary read/write operations and process creation via handle manipulation, with specific targeting for Windows 11/10 and VMware environments.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows 11 22H2 Build 22621, Windows 10 20H2 Build 19042
Auth required
Prerequisites: Medium Integrity Level access · VMware Workstation 17 Pro environment
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by 0xROOTPLS · local
https://github.com/0xROOTPLS/GiveMeKernel

The repository contains a functional proof-of-concept exploit for CVE-2024-35250, targeting a Windows kernel vulnerability. The exploit leverages kernel object manipulation and arbitrary function calls to achieve local privilege escalation (LPE) by modifying token privileges or previous mode settings.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Windows Kernel (versions 10.0.10240 – 10.0.25398)
No auth needed
Prerequisites: Windows system with vulnerable kernel version · Local user access
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by xvalegendary · local
https://github.com/xvalegendary/HVCIPwned

This repository contains a functional exploit for CVE-2024-35250, a local privilege escalation vulnerability in the Windows Kernel Streaming driver (ks.sys) due to an untrusted pointer dereference. The exploit bypasses HVCI by manipulating kernel data structures to achieve arbitrary read/write and token swapping.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows 10 20H1+ / Windows 11 21H2-23H2 (ks.sys)
No auth needed
Prerequisites: Vulnerable Windows system (unpatched) · Audio device with KS filter
devstral-2 · analyzed Feb 28, 2026
metasploit WORKING POC EXCELLENT
by AngelBoy, varwara, jheysel-r7 · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2024_35250_ks_driver.rb

This Metasploit module exploits a local privilege escalation vulnerability in the Windows ks.sys driver due to an access mode mismatch. It targets Windows 10, 11, and Server 2016-2022 by injecting a malicious DLL into a notepad process to achieve SYSTEM privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows ks.sys driver (Windows 10, 11, Server 2016-2022)
Auth required
Prerequisites: Local access to a vulnerable Windows system · x64 architecture · Presence of ks.sys driver
devstral-2 · analyzed Feb 19, 2026
patchapalooza WORKING POC
by zsxen · dos
https://github.com/zsxen/WHS3-KernelPanic

This repository contains functional exploit code for CVE-2024-35250, demonstrating a kernel-level vulnerability in Windows. The PoC leverages kernel handle manipulation and memory corruption to achieve privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows kernel-mode driver ks.sys (Kernel Streaming)
No auth needed
Prerequisites: Windows system with vulnerable kernel · ability to execute arbitrary code
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.8
EPSS 0.5491 (54.9%)
EPSS Percentile 98.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2024-12-16
VulnCheck KEV 2024-12-16
InTheWild.io 2024-12-16
ENISA EUVD EUVD-2024-35761
CWE
CWE-822
Status published
Products (16)
microsoft/windows_10_1507 < 10.0.10240.20680
microsoft/windows_10_1607 < 10.0.14393.7070
microsoft/windows_10_1809 < 10.0.17763.5936
microsoft/windows_10_21h2 < 10.0.19044.4529
microsoft/windows_10_22h2 < 10.0.19045.4529
microsoft/windows_11_21h2 < 10.0.22000.3019
microsoft/windows_11_22h2 < 10.0.22621.3737
microsoft/windows_11_23h2 < 10.0.22631.3737
microsoft/windows_server_2008 (2 CPE variants)
microsoft/windows_server_2008 r2 sp1
... and 6 more
Published Jun 11, 2024
KEV Added Dec 16, 2024
Tracked Since Feb 18, 2026
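Host check (added example; this is not code from EIP or from any of the exploit repositories listed above). It compares the installed build and update revision against the fixed builds in the Products list on this page and records the file version of the vulnerable component, ks.sys. It assumes the standard CurrentBuildNumber/UBR values under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion and the default ks.sys location; the function name Test-Cve202435250 is this example's own. Builds not in the page's list (the "6 more" products, including the Server 2008 entries) are reported as Unknown rather than guessed.

```powershell
# Fixed build.UBR pairs taken from the Products list on this page.
# Server 2016 shares build 14393 and Server 2019 shares build 17763 with the
# Windows 10 releases listed here.
$FixedUbr = @{
    '10240' = 20680   # Windows 10 1507
    '14393' = 7070    # Windows 10 1607 / Server 2016
    '17763' = 5936    # Windows 10 1809 / Server 2019
    '19044' = 4529    # Windows 10 21H2
    '19045' = 4529    # Windows 10 22H2
    '22000' = 3019    # Windows 11 21H2
    '22621' = 3737    # Windows 11 22H2
    '22631' = 3737    # Windows 11 23H2
}

function Test-Cve202435250 {
    # Hypothetical helper name for this example. With no arguments it reads the
    # local host; pass -Build/-Ubr to evaluate values collected elsewhere.
    [CmdletBinding()]
    param(
        [string]$Build = '',
        [int]$Ubr = -1
    )

    if ([string]::IsNullOrEmpty($Build)) {
        # Assumption: standard registry layout for the OS build and update revision.
        $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $Build = [string]$cv.CurrentBuildNumber
        $Ubr   = [int]$cv.UBR
    }

    if (-not $FixedUbr.ContainsKey($Build)) {
        # Build is not in the table above (e.g. Server 2008 / later Windows 11
        # releases); do not guess, report it for manual review.
        return [pscustomobject]@{
            Build   = "$Build.$Ubr"
            Status  = 'Unknown'
            FixedAt = $null
            Note    = 'Build not in the fixed-version table; check the vendor advisory'
        }
    }

    $status = if ($Ubr -ge $FixedUbr[$Build]) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{
        Build   = "$Build.$Ubr"
        Status  = $status
        FixedAt = "$Build.$($FixedUbr[$Build])"
        Note    = 'Comparison is against the June 2024 fixed builds listed for this CVE'
    }
}

function Get-KsDriverVersion {
    # Secondary evidence: the vulnerable driver is ks.sys (Kernel Streaming).
    # Assumption: default System32\drivers location.
    $ks = Join-Path $env:SystemRoot 'System32\drivers\ks.sys'
    if (-not (Test-Path $ks)) {
        return [pscustomobject]@{ FileName = $ks; Present = $false; FileVersion = $null }
    }
    $vi = (Get-Item $ks).VersionInfo
    [pscustomobject]@{ FileName = $ks; Present = $true; FileVersion = $vi.FileVersion }
}

# Usage: run on the host to be assessed; both objects can be exported or
# forwarded to inventory tooling.
Test-Cve202435250 | Format-List
Get-KsDriverVersion | Format-List

# Offline evaluation of a collected value pair, e.g. from an asset inventory:
Test-Cve202435250 -Build '22621' -Ubr 3672 | Format-List   # below 22621.3737 -> Vulnerable
```

The build-number check is the authoritative one: the UBR increases with every cumulative update, so a revision at or above the listed value means the June 2024 fix is installed. The ks.sys version is recorded as supporting evidence only, since the page does not list a per-file version for the fix.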