CVE-2018-8406
published 2018-08-15

Priority: P184high · 7.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2022-04-18
Exploited in the wild
EPSS: 3.44% (87.5th percentile)
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8400, CVE-2018-8401, CVE-2018-8405.

Affected

33 ranges · showing 25

Vendor | Product | Version range | Fixed in
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10
microsoft | windows_10_servers
microsoft | windows_10_servers
microsoft | windows_server_2012
microsoft | windows_server_2016
microsoft | windows_server_2016
microsoft | windows_server_2016
msrc | windows_10_for_32-bit_systems
msrc | windows_10_for_x64-based_systems
msrc | windows_10_version_1607_for_32-bit_systems
msrc | windows_10_version_1607_for_x64-based_systems
msrc | windows_10_version_1703_for_32-bit_systems

Detection & IOCs (extracted from sources)

process: dxgmms2.sys
process: dxgkrnl.sys
command: D3DKMTRender
  • CVE-2018-8406 (ZDI-18-947) is triggered via the D3DKMTRender API call into dxgmms2.sys; monitor for unprivileged processes invoking D3DKMTRender in a way that causes type confusion between two different adapters.
  • Enable kernel special pool on dxgkrnl.sys and dxgmms2.sys to detect exploitation attempts; crashes in these drivers under special pool are a strong indicator of exploitation.
  • The vulnerability requires local logon followed by execution of a specially crafted application; alert on low-privilege processes making unusual D3DKMT API calls that result in kernel crashes or privilege escalation to SYSTEM.
  • PoC reproduction requires a pre-August 2018 unpatched Windows 10 x64 system; patched systems are not vulnerable.
  • The vulnerability is in dxgmms2.sys specifically (not dxgkrnl.sys), though special pool must be set on both drivers to reliably trigger and observe the crash.

CVSS provenance

nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 7.8 | HIGH
cisa | 7.8 | HIGH
vendor_msrc | 7.0 | HIGH