CVE-2023-35386 Overview
CVE-2023-35386 is an elevation of privilege vulnerability in the Microsoft Windows Kernel. The flaw stems from an integer overflow that leads to an out-of-bounds read condition [CWE-125] in kernel memory. A local authenticated attacker can exploit this issue to gain SYSTEM-level privileges on affected hosts. Microsoft addressed the vulnerability in its August 2023 Patch Tuesday release. The issue affects a broad range of Windows client and server editions, including Windows 10, Windows 11, and Windows Server 2012 R2 through 2022.
Critical Impact
Successful exploitation grants attackers SYSTEM privileges on the local host, enabling full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2)
- Microsoft Windows Server 2012 R2, 2016, 2019, and 2022
Discovery Timeline
- 2023-08-08 - CVE-2023-35386 published to NVD and addressed in Microsoft's August 2023 security update
- 2025-01-01 - Last updated in NVD database
Technical Details for CVE-2023-35386
Vulnerability Analysis
The vulnerability resides within the Windows Kernel and is rooted in an integer overflow condition that triggers an out-of-bounds read [CWE-125]. When the kernel processes attacker-controlled size or length values during a privileged operation, the arithmetic wraps around its expected bounds. The resulting miscalculation drives a subsequent memory access past the intended buffer boundary. Attackers leverage this primitive to disclose kernel memory contents or to corrupt adjacent structures that influence access control decisions. The end result is elevation from a standard authenticated context to SYSTEM.
Root Cause
The root cause is missing validation of integer arithmetic inside a kernel routine that calculates a buffer length or offset. When the computation overflows, the kernel reads beyond the allocated region. This exposes uninitialized or sensitive kernel memory that an attacker can chain into a full privilege escalation primitive. The Packet Storm advisory characterizes the issue as a "Kernel Integer Overflow / Out-Of-Bounds Read."
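To make the root-cause description concrete, here is an added illustration (not the Windows kernel's code, whose exact routine is not reproduced on this page) of a 32-bit length check with the overflow defect beside a hardened version. Kernel length fields are commonly ULONG, so the arithmetic is masked to 32 bits to reproduce the wrap-around; the request values, buffer size and helper names are constructed assumptions.

```python
"""Model of an integer-overflow-driven length check (illustration only).

Kernel length fields are commonly 32-bit unsigned (ULONG).  The arithmetic
below is masked to 32 bits to reproduce that wrap-around in Python, whose
native ints would otherwise grow without bound.  Nothing here is Windows code.
"""

ULONG_MAX = 0xFFFFFFFF


def ulong(value: int) -> int:
    """Truncate to 32 bits, the way storing into a ULONG does."""
    return value & ULONG_MAX


def vulnerable_check(count: int, elem_size: int, buffer_len: int) -> bool:
    """Length check with the defect: count * elem_size wraps, so a huge count
    can yield a tiny total that passes the comparison.  A later loop over
    `count` elements then reads past `buffer_len`."""
    total = ulong(count * elem_size)
    return total <= buffer_len


def hardened_check(count: int, elem_size: int, buffer_len: int) -> bool:
    """Reject before multiplying: if count exceeds ULONG_MAX // elem_size the
    product cannot be represented in 32 bits, so the request is refused."""
    if elem_size == 0 or count > ULONG_MAX // elem_size:
        return False
    return count * elem_size <= buffer_len


def bytes_actually_touched(count: int, elem_size: int) -> int:
    """The consuming loop iterates `count` times; it never sees the wrapped total."""
    return count * elem_size


def demo():
    # Constructed request: 0x40000001 elements of 4 bytes into a 16-byte buffer.
    # 0x40000001 * 4 = 0x100000004, which wraps to 4 in 32-bit arithmetic.
    count, elem_size, buffer_len = 0x40000001, 4, 16
    return {
        "wrapped_total": ulong(count * elem_size),
        "vulnerable_accepts": vulnerable_check(count, elem_size, buffer_len),
        "hardened_accepts": hardened_check(count, elem_size, buffer_len),
        "overrun_bytes": bytes_actually_touched(count, elem_size) - buffer_len,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defect is the order of operations: the vulnerable path multiplies first and compares the truncated result, while the hardened path bounds the operand before the multiplication ever happens. Compiler intrinsics such as checked-multiply helpers achieve the same effect in C.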
Attack Vector
Exploitation requires local access and low-privileged authentication. No user interaction is needed. An attacker running unprivileged code on the target system invokes the vulnerable kernel path through a crafted system call or device I/O control request. The malformed input forces the integer overflow, after which the out-of-bounds read is used to leak kernel addresses or pivot into a write primitive. This vector is commonly combined with a separate initial-access vulnerability, such as a phishing payload or browser exploit, to escape sandboxes and obtain SYSTEM. Refer to the Microsoft CVE-2023-35386 Advisory and the Packet Storm Security Exploit writeup for additional technical context.
Detection Methods for CVE-2023-35386
Indicators of Compromise
- Unexpected processes spawning child processes under the NT AUTHORITY\SYSTEM security context from a non-elevated parent.
- Crash dumps or Windows Error Reporting events referencing kernel access violations in recently exercised driver or kernel routines.
- Unsigned or recently dropped binaries issuing NtDeviceIoControlFile or syscall sequences inconsistent with their normal behavior.
Detection Strategies
- Hunt for token manipulation patterns where a process token's integrity level or SID changes mid-execution.
- Correlate local logon events (Event ID 4624 with logon type 2 or 3) with subsequent privileged process creations (Event ID 4688) from the same user session.
- Monitor kernel-mode crash events (BugCheck 0x7E, 0x3B, 0x50) on patched and unpatched hosts; failed exploitation attempts against kernel memory-safety bugs frequently crash the system before they succeed.
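The following is an added example, not part of the original advisory, that implements the session-correlation rule above over constructed 4624 and 4688 records in the flattened field layout a SIEM typically stores. Field names follow the Windows Security event schema; the host name, account, logon IDs and file paths are made up. It flags a process created from a user logon session that runs under the SYSTEM logon session, the lineage anomaly listed under Indicators of Compromise.

```python
"""Correlate 4624 logons with 4688 process creations to spot a low-privileged
session spawning a SYSTEM process (illustration using constructed records)."""

from dataclasses import dataclass

SYSTEM_LOGON_ID = "0x3e7"                  # well-known LUID of the SYSTEM logon session
SUSPICIOUS_LOGON_TYPES = {"2", "3", "10"}  # interactive, network, RemoteInteractive

# Constructed sample events; field names follow the Security event XML, values are made up.
SAMPLE_EVENTS = [
    {"EventID": "4624", "LogonType": "2", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "TargetLogonId": "0x1a2b3c", "Computer": "WS01"},
    {"EventID": "4624", "LogonType": "5", "TargetUserName": "SYSTEM",
     "TargetDomainName": "NT AUTHORITY", "TargetLogonId": "0x3e7", "Computer": "WS01"},
    # Benign: alice runs notepad as herself.
    {"EventID": "4688", "SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x1a2b3c", "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe", "TargetUserName": "-",
     "TargetLogonId": "0x0", "Computer": "WS01"},
    # Suspicious: a process created from alice's session runs as SYSTEM.
    {"EventID": "4688", "SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x1a2b3c", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetUserName": "SYSTEM", "TargetLogonId": "0x3e7", "Computer": "WS01"},
    # Benign: the Service Control Manager (already SYSTEM) starts a service host.
    {"EventID": "4688", "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
     "SubjectLogonId": "0x3e7", "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe",
     "TargetUserName": "-", "TargetLogonId": "0x0", "Computer": "WS01"},
]


@dataclass(frozen=True)
class Finding:
    computer: str
    user: str
    logon_type: str
    parent: str
    new_process: str


def index_logons(events):
    """Map each 4624 (host, TargetLogonId) to the account and logon type it created."""
    sessions = {}
    for ev in events:
        if ev["EventID"] == "4624":
            key = (ev["Computer"], ev["TargetLogonId"].lower())
            account = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'
            sessions[key] = (account, ev["LogonType"])
    return sessions


def find_system_spawns(events):
    """Flag 4688 events whose creator session is a user logon (type 2/3/10)
    but whose new process runs under the SYSTEM logon session."""
    sessions = index_logons(events)
    findings = []
    for ev in events:
        if ev["EventID"] != "4688":
            continue
        creator = sessions.get((ev["Computer"], ev["SubjectLogonId"].lower()))
        if creator is None:
            continue  # no matching logon seen; out of scope for this rule
        account, logon_type = creator
        runs_as_system = (ev.get("TargetLogonId", "").lower() == SYSTEM_LOGON_ID
                          or ev.get("TargetUserName") == "SYSTEM")
        if logon_type in SUSPICIOUS_LOGON_TYPES and runs_as_system:
            findings.append(Finding(ev["Computer"], account, logon_type,
                                    ev["ParentProcessName"], ev["NewProcessName"]))
    return findings


if __name__ == "__main__":
    for f in find_system_spawns(SAMPLE_EVENTS):
        print(f"{f.computer}: {f.user} (logon type {f.logon_type}) -> "
              f"{f.parent} spawned {f.new_process} as SYSTEM")
```

Keying on the logon ID rather than the user name is deliberate: it ties the 4688 back to the specific 4624 session, so the same account logging on as a service (type 5) does not pollute the match. Expect legitimate hits from some installers and management agents; tune by parent process before alerting.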
Monitoring Recommendations
- Centralize Windows Security, System, and Sysmon logs in a SIEM and alert on anomalous SYSTEM-level process lineage.
- Track patch state across Windows 10, Windows 11, and Windows Server endpoints to identify hosts still missing the August 2023 cumulative update.
- Baseline kernel driver loads and alert on unsigned drivers loaded after a user logon, a common precursor to LPE chains.
How to Mitigate CVE-2023-35386
Immediate Actions Required
- Apply the August 2023 Microsoft security update to all affected Windows 10, Windows 11, and Windows Server systems.
- Prioritize patching of multi-user systems, terminal servers, and developer workstations where local low-privileged accounts exist.
- Audit local account inventories and remove unnecessary interactive logon rights for non-administrative users.
Patch Information
Microsoft released fixes through the August 2023 Patch Tuesday cumulative updates. Administrators should consult the Microsoft CVE-2023-35386 Advisory for the specific KB article and build numbers that correspond to each affected Windows release. Servicing channels including Windows Update, WSUS, and Microsoft Update Catalog deliver the patch.
Workarounds
- No official workaround is published by Microsoft; patching is the supported remediation path.
- Restrict local logon and remote interactive access to trusted administrators until updates are deployed.
- Enforce application allowlisting (Windows Defender Application Control or AppLocker) to limit execution of untrusted binaries that could carry an exploit payload.
# Verify the August 2023 cumulative update is installed (example; run from an elevated PowerShell prompt and compare the listed KB IDs against the advisory's KB article for your build)
wmic qfe list brief /format:table
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.