cbcvebase.
CVE-2020-0642
published 2020-01-14

Priority: P181 · high · 7.8 · CVSS 3.1
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 1.50% (71.0th percentile)
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0624.

Affected

68 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10_version_1903_for_32-bit_systems

Detection & IOCs (extracted from sources)

command: SendMessage(hChild, WM_LBUTTONDOWN, 0, 0)
  • Exploit manipulates the KernelCallbackTable entries (index 2 and 3) in the PEB by calling VirtualProtect with PAGE_EXECUTE_READWRITE and then swapping function pointers via InterlockedExchangePointer — monitor for user-mode processes modifying KernelCallbackTable pointers.
  • Exploit triggers the vulnerability by sending WM_LBUTTONDOWN to a ScrollBar child window while a parent window is destroyed mid-callback (use-after-free pattern) — look for DestroyWindow called from within a KernelCallbackTable hook during message processing.
  • Exploit creates two ScrollBar class windows (one parent, one child with WS_VISIBLE) as the setup for the Win32k object mishandling — creation of ScrollBar windows followed immediately by DestroyWindow in a callback context is suspicious.
  • Exploit calls ExitThread(0) from within the hooked KernelCallbackTable[3] (CCI3) to abort execution after the race condition is triggered — abrupt thread termination from within a kernel callback hook is a strong behavioral indicator.

CVSS provenance

nvd · v3.1 · 7.8 · HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.2 · HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 7.8 · HIGH
vendor_msrc · 7.8 · HIGH