⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-17087Incorrect Calculation of Buffer Size in Microsoft Windows 10 Version 1507

CWE-131Incorrect Calculation of Buffer SizeCWE-787Out-of-bounds WriteCWE-197Numeric Truncation ErrorCWE-269Improper Privilege ManagementCWE-681Incorrect Conversion between Numeric Types30 documents15 sources
Severity
7.8HIGHNVD
VulnCheck9.6VulnCheck8.8CISA9.6
EPSS
22.8%
top 4.11%
CISA KEV
KEV
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Affected products
22
Microsoft Windows 10 Version 1507Microsoft Windows 10 Version 1607Microsoft Windows 10 Version 1803+19 more
Timeline
PublishedNov 11
KEV addedNov 3
KEV dueMay 3
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

Windows Kernel Local Elevation of Privilege Vulnerability

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages22 packages

CVEListV5microsoft/windows_76.1.0publication
CVEListV5microsoft/windows_8.16.3.0publication
CVEListV5microsoft/windows_server_20126.2.0publication
CVEListV5microsoft/windows_server_201610.0.0publication
CVEListV5microsoft/windows_server_201910.0.0publication

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

8
GHSA
GHSA-frqf-hcmw-8jjf: Windows Kernel Local Elevation of Privilege Vulnerability2022-05-24
Project0
In-the-Wild Series: October 2020 0-day discovery - Project Zero2021-03-01
CVEList
Windows Kernel Local Elevation of Privilege Vulnerability2020-11-11
VulnCheck
Microsoft Windows Kernel Privilege Escalation Vulnerability2020
VulnCheck
Google Chrome FreeType Heap Buffer Overflow Vulnerability2020

📋Vendor Advisories

3
CISA
Microsoft Windows Kernel Privilege Escalation Vulnerability2021-11-03
CISA
Google Chrome FreeType Heap Buffer Overflow Vulnerability2021-11-03
Microsoft
Windows Kernel Local Elevation of Privilege Vulnerability2020-11-10

🕵️Threat Intelligence

15
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys2022-02-23
Qualys
January 2021 Patch Tuesday – 83 Vulnerabilities, 10 Critical, One Zero Day, Adobe | Qualys2021-01-12
Qualys
January 2021 Patch Tuesday – 83 Vulnerabilities, 10 Critical, One Zero Day, Adobe2021-01-12
Krebs
Patch Tuesday, November 2020 Edition2020-11-11
Trendmicro
November Patch Tuesday Fixes Exchange, NFS Vulns2020-11-11

📐Framework References

3
CWE
Incorrect Calculation of Buffer Size
CWE
Out-of-bounds Write
CWE
Numeric Truncation Error
CVE-2020-17087 — Incorrect Calculation of Buffer Size | cvebase