WinRegLowSeverityBugs
Microsoft Windows Registry Low/Unclear Severity Bugs

This repository contains the descriptions and proof-of-concept exploits of 20 issues with low or unclear security impact found in the Windows Registry. They were reported to Microsoft between November 2023 and January 2024. Six of them were fixed by the vendor in the March 2024 Patch Tuesday, while the other fourteen were closed as WontFix/vNext. The bugs were identified during my registry research in 2022-2024, alongside the 39 vulnerabilities filed in the Project Zero bug tracker with the 90-day deadline.

For more information about the research, please see the blog post series starting with The Windows Registry Adventure #1: Introduction and research results, as well as the Exploring the Windows Registry as a powerful LPE attack surface presentation from BlueHat Redmond 2023. At the time of this writing, further talks about the registry are planned this year at OffensiveCon, CONFidence and REcon.

The issues are summarized in the table below:

| ID | Title | Status | CVE |
|----|-------|--------|-----|
| 1 | Windows Kernel out-of-bounds read of key node security in CmpValidateHiveSecurityDescriptors when loading corrupted hives | Fixed in March 2024 | CVE-2024-26174 |
| 2 | Windows Kernel out-of-bounds read when validating symbolic links in CmpCheckValueList | Fixed in March 2024 | CVE-2024-26176 |
| 3 | Windows Kernel pool-based buffer overflow when parsing deeply nested key paths in CmpComputeComponentHashes | WontFix/vNext | - |
| 4 | Windows Kernel allows the creation of stable subkeys under volatile keys via registry transactions | Fixed in March 2024 | CVE-2024-26173 |
| 5 | Windows Kernel lightweight transaction reference leak in CmpTransReferenceTransaction | WontFix/vNext | - |
| 6 | Windows Kernel pool-based out-of-bounds read in CmpRmReDoPhase when restoring registry transaction logs | WontFix/vNext | - |
| 7 | Windows Kernel NULL pointer dereference in CmpLightWeightPrepareSetSecDescUoW | WontFix/vNext | - |
| 8 | Windows Kernel infinite loop in CmpDoReOpenTransKey when recovering a corrupted transaction log | vNext (fixed in Insider Preview) | - |
| 9 | Windows Kernel NULL pointer dereference in NtDeleteValueKey | WontFix | - |
| 10 | Windows Kernel user-triggerable crash in CmpKeySecurityIncrementReferenceCount via unreferenced security descriptors | WontFix/vNext | - |
| 11 | Windows Kernel memory leak in VrpPostOpenOrCreate when propagating error conditions | WontFix/vNext | - |
| 12 | Windows Kernel unsafe behavior in CmpUndoDeleteKeyForTrans when transactionally re-creating registry keys | Fixed in March 2024 | CVE-2024-26177 |
| 13 | Windows Kernel security descriptor linked list confusion in CmpLightWeightPrepareSetSecDescUoW | Fixed in March 2024 | CVE-2024-26178 |
| 14 | Windows overly permissive access rights set on the HKCU\Software\Microsoft\Input\TypingInsights registry key | WontFix/vNext | - |
| 15 | Windows Kernel registry quota exhaustion may lead to permanent corruption of the SAM database | Fixed in March 2024 | CVE-2024-26181 |
| 16 | Windows Kernel integer overflow of big data chunk count when handling very long registry values | WontFix/vNext | - |
| 17 | Windows Kernel fails to correctly unlink KCBs from discard replace context in CmpCleanupDiscardReplacePost | WontFix/vNext | - |
| 18 | Windows Kernel returns success in an error path of HvCheckBin during registry hive sanitization | WontFix/vNext | - |
| 19 | Windows Kernel VRegDriver registry callback doesn't handle key renaming | WontFix/vNext | - |
| 20 | Windows Kernel enforcement of registry app hive security is inconsistent with documentation | WontFix/vNext | - |