CVE-2023-36802: Windows 10 1809 Privilege Escalation Flaw

CVE-2023-36802 Overview

CVE-2023-36802 is an elevation of privilege vulnerability in the Microsoft Streaming Service Proxy (mskssrv.sys) kernel driver. The flaw is a use-after-free condition [CWE-416] that allows a local authenticated attacker to gain SYSTEM privileges on affected Windows hosts. Microsoft addressed the issue in its September 2023 Patch Tuesday release. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after confirmed in-the-wild exploitation. The EPSS score is 75.434% (98.917 percentile), indicating a high probability of continued exploitation activity.

Critical Impact

Local attackers with low-privileged code execution can escalate to SYSTEM, achieving full control over the host and bypassing endpoint hardening that relies on user-mode boundaries.

Affected Products

• Microsoft Windows 10 (1809, 21H2, 22H2) — x86, x64, ARM64
• Microsoft Windows 11 (21H2, 22H2)
• Microsoft Windows Server 2019 and Windows Server 2022

Discovery Timeline

• 2023-09-12 - CVE-2023-36802 published to NVD and Microsoft releases security patch
• 2025-10-28 - Last updated in NVD database

Technical Details for CVE-2023-36802

Vulnerability Analysis

The vulnerability exists in the Microsoft Kernel Streaming Service Proxy driver, mskssrv.sys, which brokers requests between user-mode clients and the kernel streaming subsystem. The component mishandles object lifetime during IOCTL processing, leading to a use-after-free condition in kernel memory. An attacker who already has the ability to execute code as a standard user can trigger the freed allocation and reclaim it with attacker-controlled data. Successful exploitation yields arbitrary kernel read/write primitives that translate to SYSTEM-level execution.

Root Cause

The root cause is improper object reference tracking inside the streaming proxy driver. When a kernel object is released, a dangling pointer remains accessible through a subsequent IOCTL handler. The driver dereferences this stale pointer without verifying its state, allowing the attacker to substitute a controlled structure in the freed memory region. This pattern matches the CWE-416 classification assigned by NVD.

Attack Vector

Exploitation requires local access and the ability to run arbitrary code on the target. The attack vector is therefore commonly chained with an initial access technique such as a phishing payload, a malicious document, or a compromised low-privileged service account. Once running on the host, the attacker opens a handle to the vulnerable device, issues the crafted IOCTL sequence, sprays the kernel pool to reclaim the freed object, and pivots to SYSTEM. Public reporting from CISA confirms that threat actors have used this technique in the wild.

No public proof-of-concept code is referenced in the NVD record. Technical analysis is available through the Microsoft Security Response Center and CISA KEV catalog entries linked below.

Detection Methods for CVE-2023-36802

Indicators of Compromise

• Unexpected processes opening handles to \\.\MSKSSRV or other kernel streaming device objects from non-media applications.
• Creation of SYSTEM-level processes whose parent is a standard user session or service account.
• Kernel pool corruption events and unexpected bug checks (BSOD) on hosts running unpatched builds.

Detection Strategies

• Hunt for low-privileged processes that subsequently spawn child processes running as NT AUTHORITY\SYSTEM within a short time window.
• Monitor loading of mskssrv.sys interactions originating from non-multimedia binaries such as command shells, scripting hosts, or unsigned executables.
• Correlate Windows Defender Exploit Guard and ETW kernel events with EDR telemetry to surface anomalous IOCTL traffic to the streaming proxy.

Monitoring Recommendations

• Enable command-line and process creation auditing (Event ID 4688) with parent process tracking across all Windows endpoints and servers.
• Forward kernel and Sysmon telemetry into a centralized data lake for retroactive hunting against the September 2023 patch baseline.
• Track patch compliance for KB updates released in the September 2023 cumulative rollups across Windows 10, Windows 11, and Windows Server 2019/2022.

How to Mitigate CVE-2023-36802

Immediate Actions Required

• Apply the September 2023 Microsoft cumulative security update to every affected Windows 10, Windows 11, and Windows Server build.
• Prioritize patching on multi-user systems such as Remote Desktop Session Hosts, VDI pools, and developer workstations where local code execution is more likely.
• Audit local administrator group membership and remove unnecessary standing privileges that could amplify exploitation impact.

Patch Information

Microsoft published the fix in the September 12, 2023 security update. Refer to the Microsoft Security Update Guide for CVE-2023-36802 for the specific KB articles per Windows build. The CISA Known Exploited Vulnerabilities entry is available in the CISA KEV catalog.

Workarounds

• No vendor-supplied workaround exists; installing the security update is the only supported remediation.
• Restrict interactive and remote logon rights to trusted users on systems that cannot be patched immediately.
• Apply application control policies (such as Windows Defender Application Control or AppLocker) to block execution of untrusted binaries that could deliver the exploit.