WindowsKernel

May Microsoft Patch Tuesday. A total of 119 vulnerabilities, approximately 1.5 times fewer than in April. There are currently no vulnerabilities marked as actively exploited in the wild. However, there is one vulnerability with a public exploit:

🔸 EoP - Windows Kernel (CVE-2026-40369). A detailed write-up and exploit for this vulnerability were published on May 14, two days after the May MSPT. The researcher describes exploitation of the vulnerability as follows: "A single syscall from any unprivileged process — including inside Chrome's renderer sandbox — can increment arbitrary kernel memory addresses. No race conditions. No heap spray. No special tokens. 100% deterministic privilege escalation to SYSTEM."

Among the remaining ones, the following stand out:

🔹 RCE - Windows DNS Client (CVE-2026-41096). A ZDI analyst commented on this vulnerability as follows: "This patch fixes a heap-based buffer overflow in the DNS Client triggered by a malicious DNS response. No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise."

🔹 RCE - Windows Netlogon (CVE-2026-41089). The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on a domain controller by sending a specially crafted network request. Exploitation does not require credentials or user interaction, which classifies this vulnerability as wormable. Compromise of a domain controller means full compromise of the organization's entire domain. A Rapid7 analyst added in their commentary: "No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism. Microsoft assesses exploitation as less likely, but since those exploitability assessments are provided without an accompanying explanation, it's not clear how much reassurance defenders should take. Anyone who remembers the much-discussed CVE-2020-1472 (aka ZeroLogon) back in 2020 will note that CVE-2026-41089 offers an attacker more immediate control of a domain controller. Patches are available for all versions of Windows Server from 2012 onwards."

🔹 RCE - Windows TCP/IP (CVE-2026-40415). Commentary from a ZDI analyst: "This bug in the TCP/IP stack results from a use-after-free (UAF) and could allow a remote, unauthenticated threat actor to execute code without user interaction. That makes this another wormable bug. However, this one is much less likely to be exploited. The target needs to be under sustained low-memory (memory pressure) conditions, which is pretty rare."

🔹 RCE - Microsoft Word (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367). An attacker can exploit these vulnerabilities through social engineering by sending a malicious file to a targeted victim. Successful exploitation would grant the attacker arbitrary code execution. Microsoft researchers note that the Preview Pane is an attack vector for each of these vulnerabilities.

🔹 RCE - Microsoft Office (CVE-2026-40363, CVE-2026-42831). A heap-based buffer overflow vulnerability in Microsoft Office may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Windows GDI (CVE-2026-35421). A heap-based buffer overflow vulnerability in the Windows GDI component may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Microsoft Dynamics 365 On-Premises (CVE-2026-42898). Commentary from a ZDI analyst: "It allows any authenticated user to execute code with a scope change, meaning exploitation can break out and affect resources beyond the vulnerable component itself. Scope changes are pretty rare, so if you're running Dynamics 365 On-Prem, definitely test and deploy this patch quickly."

🔹 EoP - Windows Kernel (CVE-2026-33841, CVE-2026-35420, CVE-2026-40369). CVE-2026-33841 and CVE-2026-40369 are rated "Exploitation More Likely". A local attacker can use these vulnerabilities to elevate privileges to SYSTEM level. In the case of CVE-2026-33841, the attacker can elevate privileges to Medium/High integrity level.

🗒 Full Vulristics report

Trending vulnerabilities for June according to Positive Technologies. Traditionally, in 3 formats (in Russian):

📹 The section "Trending VM" in the SecLab news video (starts at 15:03)
🗞 Post on the Habr website, in fact this is a slightly expanded scenario for the "Trending VM" section
🗒 Compact digest with technical details on the official PT website

List of vulnerabilities:

🔻 EoP in Microsoft Windows CSC (CVE-2024-26229)
🔻 EoP in Microsoft Windows Error Reporting (CVE-2024-26169)
🔻 EoP in Microsoft Windows Kernel (CVE-2024-30088)
🔻 RCE in PHP (CVE-2024-4577)
🔻 EoP in Linux Kernel (CVE-2024-1086)
🔻 InfDisclosure in Check Point Security Gateways (CVE-2024-24919)
🔻 RCE in VMware vCenter (CVE-2024-37079, CVE-2024-37080)
🔻 AuthBypass in Veeam Backup & Replication (CVE-2024-29849)

На русском

The severity of the Elevation of Privilege - Windows Kernel (CVE-2024-30088) has increased. The vulnerability is fresh, it is from the June Microsoft Patch Tuesday. I highlighted it in the review because, according to the CVSS vector, there was a private Proof-of-Concept Exploit for it. But there were no details. It was only clear that in case of successful exploitation, the attacker gains SYSTEM privileges. According to the ZDI advisory, the vulnerability affects the implementation of NtQueryInformationToken and is due to the lack of proper locking when performing operations on the object.

On June 24, 2 weeks after the June Patch Tuesday, a repository with technical details on this vulnerability and PoC appeared on GitHub. A video of running the utility to obtain SYSTEM privileges is also available.

A lot of exploits have begun to appear for Windows EoP/LPE vulnerabilities recently. Fix them in advance!

На русском

June Microsoft Patch Tuesday. There are 69 vulnerabilities in total, 18 of which were added between May and June Patch Tuesday. Among these added were 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution - Chromium (CVE-2024-5274, CVE-2024-4947). Both vulnerabilities are in CISA KEV; there are no exploits for them yet.

For the remaining vulnerabilities, there are no formal signs of exploitation in the wild or public exploits yet.

The specialized InfoSec media pay attention to these 2:

🔸 Remote Code Execution - Microsoft Message Queuing (MSMQ) (CVE-2024-30080). This vulnerability has a high CVSS Score of 9.8. To get RCE, the attacker sends a specially crafted malicious packet to the MSMQ server. The vulnerability may well become wormable for Windows servers with MSMQ enabled. It is very similar to last year's QueueJumper (CVE-2023-21554).
🔸 Denial of Service - DNSSEC (CVE-2023-50868). Vulnerability in DNSSEC validation. An attacker can cause DoS using standard DNS integrity protocols. 🤷‍♂️ I don’t see any super criticality, but this is rare for MS Patch Tuesday, which is probably why everyone is writing about it.

What else you can pay attention to:

🔸 Elevation of Privilege - Windows Win32k (CVE-2024-30091), Windows Kernel (CVE-2024-30088, CVE-2024-30099) and Windows Cloud Files Mini Filter Driver (CVE-2024-30085). Why these? Microsoft's CVSS states that there are private Proof-of-Concept exploits for them.
🔸 Remote Code Execution - Microsoft Office (CVE-2024-30101). This is a Microsoft Outlook vulnerability. To successfully exploit this vulnerability, a user must open a malicious email in an affected version of Microsoft Outlook and then perform certain actions to trigger the vulnerability. It's enough to open the email in the Preview Pane. However, to successfully exploit this vulnerability, an attacker needs to win the race condition.
🔸 Remote Code Execution - Microsoft Outlook (CVE-2024-30103). Preview Pane is a vector. Authentication required. The vulnerability is somehow related to the creation of malicious DLL files. 🤷‍♂️
🔸 Remote Code Execution - Windows Wi-Fi Driver (CVE-2024-30078). An attacker can execute code on a vulnerable system by sending a specially crafted network packet. The victim must be within the attacker's Wi-Fi range and use a Wi-Fi adapter. Sounds interesting, let's wait for details. 😈
🔸 Remote Code Execution - Microsoft Office (CVE-2024-30104). An attacker must send the user a malicious file and convince the user to open the file. The Preview Pane is NOT an attack vector.

🗒 Vulristics report on June Microsoft Patch Tuesday

На русском

First impressions of the March Microsoft Patch Tuesday

First impressions of the March Microsoft Patch Tuesday. So far I have not seen anything overtly critical. There are 80 vulnerabilities in total, including 20 added between the February and March MSPT.

With PoC there is only one:

🔻 Information Disclosure - runc (CVE-2024-21626). It allows an attacker to escape from the container. What does Microsoft have to do with it? The vulnerability has been fixed in Azure Kubernetes Service and CBL-Mariner (Microsoft's internal Linux distribution).

For the rest, there are no signs of active exploitation or the existence of a PoC yet.

We can pay attention to the following:

🔸 Elevation of Privilege - Windows Kernel (CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178, CVE-2024-26182). Such vulnerabilities often become exploitable recently. The same applies to Elevation of Privilege - Windows Print Spooler (CVE-2024-21433).
🔸 Remote Code Execution - Open Management Infrastructure (OMI) (CVE-2024-21334). CVSS 9.8 and ZDI write that "it would allow a remote, unauthenticated attacker to execute code on OMI instances on the Internet". Perhaps such instances are indeed often accessible via the Internet, this requires research. 🤷‍♂️
🔸 Remote Code Execution - Windows Hyper-V (CVE-2024-21407). This "guest-to-host escape" vulnerability was highlighted by everyone: Qualys, Tenable, Rapid7, ZDI.
🔸 Remote Code Execution - Microsoft Exchange (CVE-2024-26198). This is a "DLL loading" vulnerability. The details are still unclear, but I wouldn’t be surprised if there will be a detailed write-up on it soon.

🗒 Vulristics report

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: WindowsKernel

May Microsoft Patch Tuesday

Trending vulnerabilities for June according to Positive Technologies

The severity of the Elevation of Privilege - Windows Kernel (CVE-2024-30088) has increased

June Microsoft Patch Tuesday

First impressions of the March Microsoft Patch Tuesday