CVE-2024-30088 Overview
CVE-2024-30088 is an elevation of privilege vulnerability in the Microsoft Windows kernel. The flaw stems from a Time-of-Check Time-of-Use (TOCTOU) race condition [CWE-367] in kernel code paths that validate user-supplied data. A local authenticated attacker who wins the race can elevate privileges from a standard user context to SYSTEM. CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The issue affects all supported builds of Windows 10, Windows 11, and Windows Server 2016 through Windows Server 2022 23H2.
Critical Impact
Local attackers who win the kernel race condition gain SYSTEM-level code execution, enabling full host compromise, credential theft, and persistence on affected Windows endpoints and servers.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2, 23H2)
- Microsoft Windows Server 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-06-11 - Microsoft publishes advisory and security patch as part of Patch Tuesday
- 2024-06-11 - CVE-2024-30088 published to NVD
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2024-30088
Vulnerability Analysis
The vulnerability is a TOCTOU race condition in the Windows kernel. Kernel routines that copy or validate user-mode buffers between the check and the use phases can be raced by a second thread that mutates the underlying data after validation completes. When the kernel subsequently consumes the now-modified data, attacker-controlled values reach privileged code paths.
Successful exploitation grants full confidentiality, integrity, and availability impact at the kernel boundary. The attack requires local access and low privileges but no user interaction, making it a reliable second-stage primitive after initial access. CISA KEV inclusion indicates threat actors are using the flaw to escalate privileges following commodity or targeted intrusions.
Root Cause
The defect is a [CWE-367] Time-of-Check Time-of-Use race. The kernel reads and validates a user-mode structure, then re-reads the same memory during processing. Because the structure resides in user-writable memory, a concurrent thread can overwrite the validated fields between the two reads, defeating bounds and type checks performed during validation.
Attack Vector
Exploitation requires local code execution as a standard user. The attacker launches the racing thread against the vulnerable syscall path and repeatedly modifies the shared buffer while issuing the kernel request. Once the race is won, the kernel processes attacker-controlled data with elevated trust, leading to arbitrary write primitives and ultimately SYSTEM token acquisition. No phishing, network access, or user interaction is required. Refer to the Microsoft Security Update Guide for vendor technical details.
Detection Methods for CVE-2024-30088
Indicators of Compromise
- Unexpected processes spawned with NT AUTHORITY\SYSTEM token from a parent running under a standard user context.
- Loading of unsigned or unusual drivers shortly after suspicious local process activity.
- New service or scheduled task creation immediately following a standard-user shell session.
- Crash dumps or WerFault.exe events referencing kernel race conditions or invalid kernel reads.
Detection Strategies
- Hunt for token impersonation and token-stealing patterns where a child process inherits a SYSTEM token from a non-elevated parent.
- Correlate frequent calls to high-risk NtQuery* or Nt*Information syscalls from low-integrity processes with subsequent privilege changes.
- Alert on user-mode processes that achieve kernel object handles or open \Device\PhysicalMemory-class resources.
Monitoring Recommendations
- Ensure Windows patch level reflects the June 2024 security update or later across all endpoints and servers.
- Forward Sysmon Event IDs 1, 10, and 25 alongside Windows Security 4688/4672 to centralized analytics for privilege-escalation hunts.
- Monitor CISA KEV updates and threat intelligence feeds for active campaigns leveraging CVE-2024-30088.
How to Mitigate CVE-2024-30088
Immediate Actions Required
- Apply the June 2024 Microsoft security update for all affected Windows 10, Windows 11, and Windows Server builds without delay.
- Prioritize patching of multi-user systems, jump hosts, terminal servers, and developer workstations where local code execution is most likely.
- Audit endpoints for unpatched builds using configuration management tooling and remediate any drift.
- Restrict the ability of standard users to run untrusted binaries through application control policies such as Windows Defender Application Control or AppLocker.
Patch Information
Microsoft released cumulative updates on June 11, 2024 addressing CVE-2024-30088. Update KBs vary by Windows version and are listed in the Microsoft Security Update Guide. CISA requires federal agencies to remediate per the CISA KEV catalog.
Workarounds
- No vendor-supplied workaround exists; patching is the only supported remediation.
- Reduce blast radius by removing local administrative rights from standard user accounts.
- Enforce least privilege and segment high-value hosts to limit lateral movement after a successful elevation.
# Verify patch installation on Windows hosts via PowerShell
Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date '2024-06-11') } |
Sort-Object InstalledOn -Descending |
Format-Table HotFixID, Description, InstalledOn
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
