CVE-2024-37985 Overview
CVE-2024-37985 is a Windows Kernel information disclosure vulnerability affecting Microsoft Windows 11 on ARM64 architectures. The flaw is a variant of the FetchBench side-channel attack class [CWE-1037], allowing a local attacker with low privileges to read sensitive heap data from another process. Microsoft published the advisory on September 17, 2024.
The vulnerability requires local access and high attack complexity. Exploitation does not require user interaction, but the scope is changed because data from another security context can be disclosed. No public exploit code or in-the-wild exploitation has been reported.
Critical Impact
A local authenticated attacker can leak confidential heap memory contents from privileged processes on ARM64-based Windows 11 systems, potentially exposing cryptographic keys, tokens, or other secrets.
Affected Products
- Microsoft Windows 11 version 22H2 (ARM64)
- Microsoft Windows 11 version 23H2 (ARM64)
- Systems based on ARM64 processors implementing affected prefetcher behavior
Discovery Timeline
- 2024-09-17 - CVE-2024-37985 published to NVD with Microsoft advisory
- 2024-09-29 - Last updated in NVD database
Technical Details for CVE-2024-37985
Vulnerability Analysis
The vulnerability resides in the Windows Kernel running on ARM64 hardware. It belongs to the [CWE-1037] class, which covers processor optimization removal or modification of security-critical code. Specifically, the flaw exposes information through a microarchitectural side-channel related to data memory-dependent prefetchers (DMP) on certain ARM64 CPUs, known publicly as the FetchBench technique.
An attacker running unprivileged code on the same physical core can observe prefetcher behavior. The prefetcher treats certain in-memory values as pointers and speculatively fetches the data they reference. Measuring cache state after these speculative fetches reveals whether a value in another process resembles a valid pointer, leaking heap contents byte by byte.
Because the disclosure occurs across processes, the CVSS scope is changed. Confidentiality impact is high, while integrity and availability are unaffected. The attack complexity is high because it requires precise cache timing measurements and co-location on the same CPU core.
Root Cause
The root cause is hardware-level speculative prefetching that operates without enforcing software security boundaries. The kernel does not sufficiently mitigate this microarchitectural behavior on ARM64 platforms, allowing data values in one address space to influence cache state observable by another process.
Attack Vector
Exploitation requires local code execution as a low-privileged user on an affected ARM64 Windows 11 system. The attacker runs a measurement primitive that allocates memory adjacent to or co-resident with the victim's data, primes the cache, and times subsequent accesses to infer secret values from the victim process.
No verified proof-of-concept code is publicly available for this CVE. Refer to the Microsoft Security Advisory for CVE-2024-37985 for vendor-supplied technical detail.
Detection Methods for CVE-2024-37985
Indicators of Compromise
- No file-based or network indicators are associated with this side-channel vulnerability, as exploitation leaves no persistent artifacts.
- Unexpected long-running unprivileged processes performing tight memory access loops on ARM64 hosts may warrant inspection.
- Anomalous use of high-resolution timing APIs or performance counters from non-administrative processes.
Detection Strategies
- Inventory ARM64-based Windows 11 22H2 and 23H2 endpoints and verify patch level against Microsoft's September 2024 update.
- Monitor for unsigned or unknown binaries executing on ARM64 systems that access performance counters or cache-flush instructions.
- Correlate process telemetry with cross-process memory probing behavior, such as repeated speculative access patterns.
Monitoring Recommendations
- Enable kernel-mode auditing for processes interacting with performance monitoring units on ARM64 devices.
- Alert on installation or execution of microarchitectural benchmarking tools in production environments.
- Track patch compliance for ARM64 Windows 11 fleets via centralized vulnerability management.
How to Mitigate CVE-2024-37985
Immediate Actions Required
- Apply the Microsoft September 2024 security update on all Windows 11 22H2 and 23H2 ARM64 systems.
- Identify all ARM64-based endpoints in the environment and prioritize them for patch deployment.
- Restrict execution of untrusted local code on shared ARM64 hosts.
Patch Information
Microsoft released the official patch through the Windows Update channel. Consult the Microsoft CVE-2024-37985 Advisory for the specific KB articles applicable to each Windows 11 ARM64 build.
Workarounds
- No vendor-supplied workaround is documented; applying the security update is the recommended remediation.
- Limit local logon rights on ARM64 systems to trusted users only, reducing the pool of potential attackers.
- Enforce application allowlisting to block execution of arbitrary unprivileged binaries that could carry the side-channel primitive.
# Verify installed updates on Windows 11 ARM64
wmic qfe list brief /format:table
# Check OS version and architecture
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
