CVE-2023-29336: Win32k Elevation of Privilege Vulnerability
Published: 2023-05-09
CVSS 3.1: 7.8 (High), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: CISA Known Exploited Vulnerability (remediation due 2023-05-30), exploited in the wild, public exploit available
EPSS: 40.92% (98.5th percentile)
Affected: 17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_version_1507 | >= 10.0.10240.0 < 10.0.10240.19926 | 10.0.10240.19926 |
| microsoft | windows_10_version_1607 | >= 10.0.14393.0 < 10.0.14393.5921 | 10.0.14393.5921 |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.1.7601.0 < 6.1.7601.26519 | 6.1.7601.26519 |
| microsoft | windows_server_2008_service_pack_2 | >= 6.0.6003.0 < 6.0.6003.22070 | 6.0.6003.22070 |
| microsoft | windows_server_2012 | >= 6.2.9200.0 < 6.2.9200.24266 | 6.2.9200.24266 |
| microsoft | windows_server_2012_r2 | >= 6.3.9600.0 < 6.3.9600.20969 | 6.3.9600.20969 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.5921 | 10.0.14393.5921 |
| msrc | windows_10_for_32-bit_systems | — | — |
| msrc | windows_10_for_x64-based_systems | — | — |
| msrc | windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
Detection & IOCs (extracted from sources)
Bytes (shellcode stub used by the PoC): \x65\x48\x8B\x04\x25\x30\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc3
- CVE-2023-29336 is a Win32k kernel-mode driver local elevation of privilege vulnerability; monitor for low-privileged processes spawning SYSTEM-level children or acquiring SYSTEM tokens via Win32k syscalls (NtUserEnableMenuItem, NtUserSetClassLongPtr, NtUserCreateAcceleratorTable, NtUserConsoleControl from win32u.dll).
- The exploit abuses NtUserEnableMenuItem (win32u.dll) to trigger the vulnerability; alert on low-integrity processes resolving and calling NtUserEnableMenuItem, NtUserSetClassLongPtr, NtUserCreateAcceleratorTable, and NtUserConsoleControl from win32u.dll in rapid succession.
- The exploit uses VirtualAlloc with PAGE_EXECUTE_READWRITE to execute a GS-register-reading shellcode stub; detect VirtualAlloc(PAGE_EXECUTE_READWRITE) followed by execution from that region in user-mode processes as a behavioral indicator.
- The exploit reads the USER32.DLL handle table at a hardcoded offset (0xbd688) to resolve kernel object addresses; this offset is specific to the Windows Server 2016 builds targeted by this PoC and can be used as a signature in memory forensics.
- The exploit uses EPROCESS offsets specific to the targeted Windows build (UniqueProcessId +0x440, ActiveProcessLinks +0x448, Token +0x4b8); these constants in memory or in a loaded module can be used for YARA/memory scanning.
- The attack vector is local; the post-exploitation tool Mimikatz is cited as a follow-on payload after SYSTEM privileges are obtained via this EoP. Monitor for Mimikatz execution following any suspicious privilege escalation event.
- The exploit PoC targets Windows Server 2016 specifically; the hardcoded USER32.DLL offset (0xbd688) and EPROCESS offsets are build-specific and may not apply to other Windows versions without modification.
- The attack vector for CVE-2023-29336 is local, meaning an attacker must already have local access (an initial foothold) before exploiting this EoP; it is not remotely exploitable on its own.
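The build-specific constants listed above can be turned into a memory-scanning check. The following scanner is an added example, not code from the page's sources or from the PoC; it assumes the EPROCESS and USER32 offsets appear in a dumped region or file as 32-bit little-endian immediates, and both sample buffers are constructed for the demonstration.

```python
import struct

# Indicators quoted on this page for the CVE-2023-29336 PoC.
# Stub decodes as: mov rax, gs:[0x30] ; 9 x nop ; ret
GS_READ_STUB = bytes.fromhex("65488B042530000000" + "90" * 9 + "C3")
# EPROCESS field offsets the PoC hardcodes for its target build.
EPROCESS_OFFSETS = {"UniqueProcessId": 0x440,
                    "ActiveProcessLinks": 0x448,
                    "Token": 0x4B8}
USER32_HANDLE_TABLE_OFFSET = 0xBD688
WIN32U_APIS = [b"NtUserEnableMenuItem", b"NtUserSetClassLongPtr",
               b"NtUserCreateAcceleratorTable", b"NtUserConsoleControl"]


def _find_all(buf: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in buf."""
    out, pos = [], buf.find(needle)
    while pos != -1:
        out.append(pos)
        pos = buf.find(needle, pos + 1)
    return out


def scan_buffer(buf: bytes) -> dict:
    """Collect the page's indicators from a raw byte buffer (a dumped region
    or a file on disk). Offsets are matched as 32-bit little-endian
    immediates, the form an x64 instruction embeds them in (an assumption
    made by this example, not something the page states)."""
    return {
        "gs_read_stub": _find_all(buf, GS_READ_STUB),
        "eprocess_offsets": [n for n, off in EPROCESS_OFFSETS.items()
                             if struct.pack("<I", off) in buf],
        "user32_offset": struct.pack("<I", USER32_HANDLE_TABLE_OFFSET) in buf,
        "win32u_apis": [a.decode() for a in WIN32U_APIS if a in buf],
    }


def verdict(hits: dict) -> bool:
    """Decide whether the hits, taken together, look like the PoC rather than
    a coincidental 4-byte value; 0x440 on its own occurs in many binaries."""
    if hits["gs_read_stub"]:                      # 19-byte stub is specific
        return True
    all_offsets = len(hits["eprocess_offsets"]) == len(EPROCESS_OFFSETS)
    if all_offsets and hits["user32_offset"]:    # full build-specific set
        return True
    return len(hits["win32u_apis"]) >= 3 and len(hits["eprocess_offsets"]) >= 2


# Constructed samples (not real captures): one mimicking the PoC layout and
# one benign buffer that happens to contain 0x440 and a single API name.
SAMPLE_POC = (b"\x48\x83\xEC\x28" + GS_READ_STUB + b"\x00" * 4
              + b"".join(struct.pack("<I", o) for o in EPROCESS_OFFSETS.values())
              + struct.pack("<I", USER32_HANDLE_TABLE_OFFSET)
              + b"\x00" + b"\x00".join(WIN32U_APIS) + b"\x00")
BENIGN = (b"MZ" + b"\x00" * 14 + struct.pack("<I", 0x440)
          + b"\x00" * 16 + b"NtUserEnableMenuItem\x00")

if __name__ == "__main__":
    for name, buf in (("sample_poc", SAMPLE_POC), ("benign", BENIGN)):
        hits = scan_buffer(buf)
        print(name, "->", "MATCH" if verdict(hits) else "clean", hits)
```

To run it over a real artifact, pass the bytes of a dumped region or module to scan_buffer; the verdict deliberately refuses to fire on a lone offset value.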
CVSS provenance
- nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvelistv5: 7.8 HIGH
- vulncheck: 7.8 HIGH
- cisa: 7.8 HIGH
- vendor_msrc: 7.8 HIGH
CVEList
Win32k Elevation of Privilege Vulnerability
cvelistv5·2023-05-09·CVSS 7.8
CVE-2023-29336 [HIGH] CWE-416 Win32k Elevation of Privilege Vulnerability
VulnCheck
Microsoft Win32K Privilege Escalation Vulnerability
vulncheck·2023·CVSS 7.8
CVE-2023-29336 [HIGH] CWE-416 Microsoft Win32K Privilege Escalation Vulnerability
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation up to SYSTEM privileges.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2023-May; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://securelist.com/it-threat-evolution-q2-2023-non-mobile-statistics/110413/; https://ti.qianxin.com/uploads/2024/02/02/dcc93e586f9028c68e7ab34c3326ff31.pdf
Exploit PoC: https://vulncheck.com/xdb/3661f8004753; https://vulncheck.com/xdb/79154f41d6e7
Remediation Due: 2023-05-30
CISA
Microsoft Win32K Privilege Escalation Vulnerability
cisa·2023-05-09·CVSS 7.8
CVE-2023-29336 [HIGH] CWE-416 Microsoft Win32K Privilege Escalation Vulnerability
Vulnerability: Microsoft Win32K Privilege Escalation Vulnerability
Affected: Microsoft Win32k
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation up to SYSTEM privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29336; https://nvd.nist.gov/vuln/detail/CVE-2023-29336
Remediation Due Date: 2023-05-30
Microsoft
Win32k Elevation of Privilege Vulnerability
vendor_msrc·2023-05-09·CVSS 7.8
CVE-2023-29336 [HIGH] CWE-416 Win32k Elevation of Privilege Vulnerability
FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Product: Windows Win32K
Vendor: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: Yes; Latest Software Release: Exploitation Detected; DOS: N/A
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5026382
Reference: https://support.microsoft.com/help/5026382
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5026363
Reference: https://support.microsoft.com/help/5026363
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=K
No detection rules found.
Tenable
Microsoft’s June 2024 Patch Tuesday Addresses 49 CVEs
blogs_tenable·2024-06-11
Tenable
Microsoft’s January 2024 Patch Tuesday Addresses 48 CVEs (CVE-2024-20674)
blogs_tenable·2024-01-09·CVSS 8.8
[HIGH] Microsoft’s January 2024 Patch Tuesday Addresses 48 CVEs (CVE-2024-20674)
Tenable
CVE-2023-29357, CVE-2023-24955: Exploit Chain Released for Microsoft SharePoint Server Vulnerabilities
blogs_tenable·2023-09-27·CVSS 7.2
[HIGH] CVE-2023-29357, CVE-2023-24955: Exploit Chain Released for Microsoft SharePoint Server Vulnerabilities
Securelist
IT threat evolution in Q2 2023. Non-mobile statistics
blogs_securelist·2023-08-30
Securelist
PC malware statistics, Q2 2022
blogs_securelist·2023-08-30
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2023:
- Kaspersky solutions blocked 801,934,281 attacks from online resources across the globe.
- A total of 209,716,810 unique links were d
Talos
Threat Source newsletter (May 11, 2023) — So much for that ransomware decline
blogs_talos·2023-05-11
Welcome to this week’s edition of the Threat Source newsletter.
I wrote a few weeks ago about how, between the public and private sectors, the security community was making some strides in fighting back against ransomware.
Reports indicate that revenue for ransomware actors was down in 2022, and recent disruptions to larger ransomware networks like Hive have at least forced some actors offline for now.
It seems like if you were to survey various cybersecurity researchers, thought leaders and policymakers, there is a mixed consensus on whether ransomware is still the biggest problem defenders still face today.
The White House and U.S. Department of Justice seem bullish on their efforts to shut down ransomware gangs and dark web sites.
But recently, I’ve noticed that ransomware is still
Krebs
Microsoft Patch Tuesday, May 2023 Edition
blogs_krebs·2023-05-10·CVSS 6.7
CVE-2023-29336 [MEDIUM] Microsoft Patch Tuesday, May 2023 Edition
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
First up in May’s zero-day flaws is CVE-2023-29336, which is an “elevation of privilege” weakness in Windows that has a low attack complexity, requires low privileges, and no user interaction. However, as the SANS Internet Storm Center points out, the attack vector for this bug is local.
“Local Privilege escalation vulnerabilities are a key part of attackers’ objectives,” said Kevin Breen, director of cyber threat research at Immersive Labs. “Once they gain initial access they will seek administrative or SYSTEM-level permissions. This can allow the at
Talos
Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years
blogs_talos·2023-05-09·CVSS 9.8
[CRITICAL] Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years
Microsoft disclosed 40 vulnerabilities across its suite of products and software Tuesday, the fewest the company’s included in a Patch Tuesday since December 2019.
However, two of the vulnerabilities are being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case for the monthly roundup of security issues.
In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered “important.”
One of the zero-day vulnerabilities included this month is CVE-2023-29336, an elevation of privilege vulnerability in the Win32k kernel mode driver. An adversary could exploit this vulnerability to gain SYSTEM privileges.
The most serious vulnerability disclosed Tuesday is CVE-2023-24941, a remote code execution vulnerability
Qualys
Microsoft and Adobe Patch Tuesday, May 2023 Security Update Review
blogs_qualys·2023-05-09
Microsoft has addressed 49 vulnerabilities in its May Patch Tuesday edition. The security advisories cover various vulnerabilities in different produc
Qualys
Microsoft Patch Tuesday, May 2023 Security Update Review | Qualys
blogs_qualys·2023-05-09
Microsoft has addressed 49 vulnerabilities in its May Patch Tuesday edition. The security advisories cover various vulnerabilities in d
Tenable
Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
blogs_tenable·2023-05-09·CVSS 7.8
[HIGH] Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
Crowdstrike
May 2023 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] May 2023 Patch Tuesday: Updates and Analysis
Published: 2023-05-09
Added to CISA KEV: 2023-05-09
Exploited in the wild