CVE-2018-8406
Published 2018-08-15
Priority P1 · 84 · high · 7.8 (CVSS 3.1)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-18
Exploited in the wild
EPSS 3.44% (87.5th percentile)
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8400, CVE-2018-8401, CVE-2018-8405.
Affected
33 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_servers | — | — |
| microsoft | windows_10_servers | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| msrc | windows_10_for_32-bit_systems | — | — |
| msrc | windows_10_for_x64-based_systems | — | — |
| msrc | windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | windows_10_version_1703_for_32-bit_systems | — | — |
Detection & IOCs (extracted from sources)
- CVE-2018-8406 (ZDI-18-947) is triggered via the D3DKMTRender API call into dxgmms2.sys; monitor for unprivileged processes invoking D3DKMTRender in a way that causes type confusion between two different adapters.
- Enable kernel special pool on dxgkrnl.sys and dxgmms2.sys to detect exploitation attempts; crashes in these drivers under special pool are a strong indicator of exploitation.
- The vulnerability requires local logon followed by execution of a specially crafted application; alert on low-privilege processes making unusual D3DKMT API calls that result in kernel crashes or privilege escalation to SYSTEM.
- PoC reproduction requires a pre-August 2018 unpatched Windows 10 x64 system; patched systems are not vulnerable.
- The vulnerability is in dxgmms2.sys specifically (not dxgkrnl.sys), though special pool must be set on both drivers to reliably trigger and observe the crash.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.0 | HIGH | — |
GHSA
GHSA-5999-mxm4-23g8 · CVE-2018-8400 [HIGH] CWE-404 · ghsa_unreviewed · 2022-05-13 · CVSS 7.8
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows 10 Servers, Windows 10. This CVE ID is unique from CVE-2018-8401, CVE-2018-8405, CVE-2018-8406.
GHSA
GHSA-4x9p-q533-qww3 · CVE-2018-8401 [HIGH] CWE-404 · ghsa_unreviewed · 2022-05-13 · CVSS 7.8
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8400, CVE-2018-8405, CVE-2018-8406.
GHSA
GHSA-mxvv-3vrg-ch3p · CVE-2018-8406 [HIGH] CWE-404 · ghsa_unreviewed · 2022-05-13 · CVSS 7.8
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8400, CVE-2018-8401, CVE-2018-8405.
GHSA
GHSA-87h6-m3qc-h3rx · CVE-2018-8405 [HIGH] CWE-404 · ghsa_unreviewed · 2022-05-13 · CVSS 7.8
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8400, CVE-2018-8401, CVE-2018-8406.
VulnCheck
Microsoft DirectX Graphics Kernel Privilege Escalation Vulnerability · CVE-2018-8406 [HIGH] CWE-404 · vulncheck · 2018 · CVSS 7.8
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.
Affected: Microsoft DirectX Graphics Kernel (DXGKRNL)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.africacybersecurityconference.com/document/CrowdStrike_GTR_2019.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-18
CISA
Microsoft DirectX Graphics Kernel Privilege Escalation Vulnerability · CVE-2018-8406 [HIGH] CWE-404 · cisa · 2022-03-28 · CVSS 7.8
Affected: Microsoft DirectX Graphics Kernel (DXGKRNL)
An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-8406
Remediation Due Date: 2022-04-18
Microsoft
DirectX Graphics Kernel Elevation of Privilege Vulnerability · CVE-2018-8406 [HIGH] · vendor_msrc · 2018-08-14 · CVSS 7.0
Description: An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.
The security update addresses the vulnerability by correcting how DXGKRNL handles objects in memory.
Affected component: Microsoft Graphics Component
Impact: Elevation of Privilege
Exploit Status:
- Publicly Disclosed: No
- Exploited: No
- Latest Software Release: Exploitation More Likely
- Older Software Release:
No detection rules found.
No public exploits indexed.
Trend Micro
DirectX to the Kernel · blogs_trendmicro · 2018-12-04 · CVSS 7.8 [HIGH]
## DirectX to the Kernel
By: Zero Day Initiative, Dec 04, 2018
The operating system kernel is the final goal for every great exploit chain. You can look at the entries in the Zero Day Initiative (ZDI) Pwn2Own contests over the years to see that process at work. The Windows kernel has been subject to many points of attack. One of my favourites is abuse of DeviceIoControl calls to various drivers since this allows access to so many drivers written by so many vendors, many of which are not all that well-written or tested.
Over the years, most of the attacks to penetrate into the Windows kernel have gone through win32k.sys -- a kernel-mode device driver that controls the Windows graphic and window management system. When
Trend Micro
August Patch Tuesday: A Tale of Two Zero-Days · blogs_trendmicro · 2018-08-15 · CVSS 7.5 [HIGH]
Exploits & Vulnerabilities
## August Patch Tuesday: A Tale of Two Zero-Days
By: Trend Micro, Aug 15, 2018
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
The first of these zero-day vulnerabilities is CVE-2018-8373, a use-after-free (UAF) vulnerability in the VBScript engine that Trend Micro researchers found in Internet Explorer. This vulnerability bears many similarities to CVE-2018-8174, another VBScript engine vulnerability that was patched back in May. Successful exploitation of this vulnerability could
Talos
Microsoft Tuesday August 2018 · blogs_talos · 2018-08-14 · CVSS 9.8 [CRITICAL]
## Microsoft Tuesday August 2018
Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 62 new vulnerabilities, 20 of which are rated “critical,” 38 that are rated “important,” one that is rated moderate and one that is rated as low severity. These vulnerabilities impact Windows Operating System, Edge and Internet Explorer, along with several other products.
In addition to the 60 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180020 which addresses the vulnerabilities described in the Adobe Flash Security Bulletin APSB18-25.
## Critical Vulnerabilities
This month, Microsoft is addressing 20 vulnerabilities that a
Zscaler
Zscaler protects against 10 new vulnerabilities for Internet Explorer, Microsoft Windows, Microsoft Edge & ChakraCore · blogs_zscaler · CVSS 7.5 [HIGH]
References
- http://www.securityfocus.com/bid/105012
- http://www.securitytracker.com/id/1041461
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8406
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-8406
Timeline
- 2018-08-15: Published
- 2022-03-28: Added to CISA KEV
- Exploited in the wild