Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2022-24483

CVE-2022-24483: Windows 10 Kernel Information Disclosure

CVE-2022-24483 is an information disclosure vulnerability in the Windows 10 Kernel that could allow attackers to access sensitive data. This article covers technical details, affected versions, security impact, and mitigation.

Updated:

CVE-2022-24483 Overview

CVE-2022-24483 is a Windows Kernel information disclosure vulnerability affecting multiple supported versions of Microsoft Windows and Windows Server. An authenticated local attacker can leverage the flaw to read kernel memory contents that should remain isolated from user-mode processes. Microsoft addressed the issue in the April 2022 security update cycle.

The vulnerability carries a CVSS 3.1 base score of 5.5 with a local attack vector and low privilege requirement. While the flaw does not directly enable code execution, leaked kernel data such as memory addresses can defeat Kernel Address Space Layout Randomization (KASLR) and assist in chaining further privilege escalation exploits.

Critical Impact

A local, low-privileged user can disclose sensitive Windows kernel memory contents, potentially exposing data that enables subsequent privilege escalation across desktop and server editions.

Affected Products

  • Microsoft Windows 10 (multiple builds including 1607, 1809, 1909, 20H2, 21H1, 21H2)
  • Microsoft Windows 11 (x64 and ARM64), Windows 8.1, and Windows RT 8.1
  • Microsoft Windows Server 2012, 2012 R2, 2016, 2019, and 2022

Discovery Timeline

  • 2022-04-15 - CVE-2022-24483 published to the National Vulnerability Database
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-24483

Vulnerability Analysis

CVE-2022-24483 is an information disclosure vulnerability in the Windows Kernel [NVD-CWE-noinfo]. The flaw allows an authenticated local user to obtain portions of kernel memory that the operating system should restrict to ring 0. Microsoft has not published low-level technical details for this CVE, consistent with its standard handling of kernel disclosure issues.

The impact is bounded to confidentiality. Integrity and availability are not affected per the CVSS vector, meaning the vulnerability cannot be used directly to modify kernel state or crash the system. However, kernel memory leaks frequently serve as primitives in multi-stage exploit chains targeting local privilege escalation.

The EPSS probability of approximately 5.89% places this issue in the 90th percentile of vulnerabilities by predicted exploitation likelihood, indicating elevated attacker interest relative to the broader CVE population. As of this writing, the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Root Cause

Microsoft classifies the issue as a Windows Kernel information disclosure flaw. The vendor advisory does not publicly document the specific kernel component or function involved. Such issues typically stem from uninitialized memory being returned to user mode, improper bounds checks on kernel-to-user copies, or insufficient sanitization of kernel pointers exposed through system call return values.

Attack Vector

Exploitation requires local access and a valid set of low-privilege credentials on the target host. No user interaction is needed. An attacker who has already established a foothold, for example through phishing or a separate initial-access vulnerability, can invoke the affected kernel interface to harvest memory contents. The leaked data can then be used to bypass KASLR and stage further attacks.

No public proof-of-concept exploit code has been published for CVE-2022-24483, and no entries exist in Exploit-DB. Refer to the Microsoft Security Update Guide for vendor guidance.

Detection Methods for CVE-2022-24483

Indicators of Compromise

  • No vendor-published file hashes, signatures, or network indicators are associated with CVE-2022-24483.
  • Suspicious local activity such as unprivileged processes repeatedly invoking undocumented or low-level system calls warrants investigation.
  • Presence of known local privilege escalation toolkits on endpoints may indicate staging for chained exploitation.

Detection Strategies

  • Monitor endpoints for unsigned or unknown binaries performing kernel-mode interaction attempts from standard user contexts.
  • Hunt for sequences where an information disclosure primitive is followed by attempts to load drivers or modify token privileges.
  • Correlate process creation telemetry with subsequent privilege escalation behavior on the same host within short time windows.

Monitoring Recommendations

  • Ensure endpoints report patch compliance status for the April 2022 Microsoft security update covering CVE-2022-24483.
  • Collect and retain kernel-relevant Sysmon and Windows Security event logs, including process creation and driver load events.
  • Alert on anomalous use of debugging or performance APIs by non-administrative accounts on production systems.

How to Mitigate CVE-2022-24483

Immediate Actions Required

  • Apply the April 2022 Microsoft cumulative security update for all affected Windows desktop and server editions.
  • Verify patch deployment across Windows 10, Windows 11, Windows 8.1, Windows RT 8.1, and Windows Server 2012 through 2022 inventories.
  • Restrict local logon rights and remove unnecessary interactive accounts from servers and high-value workstations.
  • Audit endpoints for the presence of attacker tooling that commonly chains kernel information leaks with privilege escalation.

Patch Information

Microsoft released the fix as part of its April 2022 Patch Tuesday cycle. Refer to the Microsoft Security Update Guide for CVE-2022-24483 for the authoritative list of KB articles per affected product. Administrators should validate that the corresponding KB is installed via Get-HotFix or WSUS reporting.

Workarounds

  • Microsoft has not published an official workaround for CVE-2022-24483; patching remains the supported remediation path.
  • Enforce least-privilege access policies to limit the number of accounts able to log on locally and trigger the affected code path.
  • Disable or restrict interactive logon on servers that do not require it, including Remote Desktop where feasible.
bash
# Verify the April 2022 cumulative update is installed (PowerShell)
Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date '2022-04-12') } | Sort-Object InstalledOn -Descending

# Query patch state remotely across managed endpoints
Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock {
    Get-HotFix | Select-Object PSComputerName, HotFixID, InstalledOn
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne