CVE-2023-36802 Overview
CVE-2023-36802 is a critical elevation of privilege vulnerability affecting the Microsoft Streaming Service Proxy component in Windows operating systems. This use-after-free (CWE-416) vulnerability allows a locally authenticated attacker to escalate privileges from a standard user account to SYSTEM-level access. The vulnerability exists in the kernel-mode driver responsible for handling streaming service proxy requests, where improper memory management can lead to exploitation.
Critical Impact
This vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Organizations should prioritize immediate patching as attackers can leverage this flaw to gain complete system control after initial access.
Affected Products
- Microsoft Windows 10 1809 (x86, x64, ARM64)
- Microsoft Windows 10 21H2
- Microsoft Windows 10 22H2
- Microsoft Windows 11 21H2
- Microsoft Windows 11 22H2
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
Discovery Timeline
- 2023-09-12 - CVE-2023-36802 published to NVD
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2023-36802
Vulnerability Analysis
This elevation of privilege vulnerability resides in the Microsoft Streaming Service Proxy, a kernel-mode component responsible for handling multimedia streaming operations on Windows systems. The vulnerability stems from a use-after-free (UAF) condition where the driver fails to properly manage object lifetimes during stream processing operations.
When a specially crafted request is processed by the vulnerable driver, memory that has been freed may be subsequently accessed, potentially allowing an attacker to control execution flow within the kernel context. This type of vulnerability is particularly dangerous because kernel-mode exploitation bypasses user-mode security boundaries and can lead to complete system compromise.
The local attack vector requires an attacker to already have code execution capability on the target system, but the low attack complexity and no user interaction requirements make this an attractive target for post-exploitation scenarios in attack chains.
Root Cause
The root cause is a use-after-free (CWE-416) memory corruption vulnerability in the Microsoft Streaming Service Proxy driver. The driver improperly handles object references during stream proxy operations, failing to correctly track and invalidate pointers to freed memory objects. When a freed object is subsequently dereferenced during normal driver operations, it creates an exploitable condition.
Attack Vector
The attack vector is local, requiring the adversary to have already achieved code execution on the target system through another means (such as phishing, malware installation, or exploitation of a different vulnerability). Once local access is obtained, the attacker can:
- Trigger the vulnerable code path in the Microsoft Streaming Service Proxy driver
- Manipulate the heap to place controlled data in the freed memory location
- Cause the driver to access the freed memory, redirecting execution
- Achieve arbitrary code execution in kernel context with SYSTEM privileges
This vulnerability has been confirmed as actively exploited and is listed in CISA's Known Exploited Vulnerabilities catalog, indicating it has been weaponized by threat actors in real-world attacks.
Detection Methods for CVE-2023-36802
Indicators of Compromise
- Unusual access patterns to the Microsoft Streaming Service Proxy driver (mskssrv.sys) from non-standard processes
- Suspicious privilege escalation events where standard user processes spawn SYSTEM-level child processes
- Memory access violations or crashes in kernel streaming components prior to successful exploitation
- Unexpected modifications to critical system files or registry keys following suspicious driver interactions
Detection Strategies
- Monitor for abnormal syscall patterns targeting kernel streaming service operations from low-privilege processes
- Implement endpoint detection rules for use-after-free exploitation patterns and heap spray techniques
- Enable Windows Kernel Audit logging to capture driver loading and suspicious kernel-mode activity
- Deploy behavioral analysis to detect rapid privilege transitions from standard user to SYSTEM context
Monitoring Recommendations
- Enable Windows Security Event Log monitoring for Event IDs 4688 (Process Creation) and 4624 (Logon Events) to track privilege escalation chains
- Configure SentinelOne Singularity platform to detect kernel-mode exploitation attempts and anomalous driver behavior
- Monitor for crash dumps related to mskssrv.sys that may indicate failed exploitation attempts
- Implement real-time alerting for SYSTEM-level process spawning from unexpected parent processes
How to Mitigate CVE-2023-36802
Immediate Actions Required
- Apply the Microsoft September 2023 security update immediately as this vulnerability is actively exploited
- Prioritize patching of internet-facing and high-value systems first, followed by all remaining affected endpoints
- Verify patch deployment through vulnerability scanning and Windows Update history review
- Review system logs for evidence of exploitation prior to patching, particularly privilege escalation events
Patch Information
Microsoft released security updates addressing CVE-2023-36802 as part of the September 2023 Patch Tuesday release cycle. Organizations should apply the appropriate cumulative update for their Windows version through Windows Update, WSUS, or manual installation from the Microsoft Security Update Guide. Given the active exploitation status and CISA KEV listing, CISA has mandated federal agencies to remediate this vulnerability, and all organizations should treat patching as urgent.
Workarounds
- No official workarounds are available for this vulnerability - patching is the only complete mitigation
- Implement defense-in-depth strategies including principle of least privilege to limit the impact of potential exploitation
- Ensure endpoint protection solutions like SentinelOne Singularity are deployed and configured for kernel-mode exploit detection
- Consider application whitelisting to prevent unauthorized code execution that could serve as the initial access vector for this local privilege escalation
# Verify patch installation status
wmic qfe list brief /format:table | findstr /i "KB"
# Check specific Windows Update history
Get-HotFix | Where-Object {$_.InstalledOn -gt "2023-09-01"} | Format-Table -AutoSize
# Verify Microsoft Streaming Service Proxy driver version
Get-Item C:\Windows\System32\drivers\mskssrv.sys | Select-Object VersionInfo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
