CVE-2024-38146 Overview
CVE-2024-38146 is a denial of service vulnerability in the Windows Layer-2 Bridge Network Driver. The flaw affects a broad range of Windows desktop and server operating systems, allowing remote, unauthenticated attackers to disrupt availability over the network. The underlying weakness is a NULL pointer dereference [CWE-476] in the bridge driver code path that processes Layer-2 frames.
Microsoft addressed the issue in its August 2024 security update cycle. The vulnerability carries a CVSS 3.1 base score of 7.5 with availability impact only. No confidentiality or integrity impact is reported, and Microsoft has not observed active exploitation.
Critical Impact
Remote, unauthenticated attackers can trigger a denial of service on affected Windows hosts by sending crafted Layer-2 traffic, with an EPSS percentile of 95.159 indicating elevated exploit likelihood relative to other CVEs.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2, 23H2, 24H2)
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-08-13 - Microsoft releases security update for CVE-2024-38146
- 2024-08-13 - CVE-2024-38146 published to NVD
- 2024-08-16 - Last updated in NVD database
Technical Details for CVE-2024-38146
Vulnerability Analysis
The Windows Layer-2 Bridge Network Driver provides bridging between network interfaces at the data-link layer. CVE-2024-38146 is classified as a NULL pointer dereference [CWE-476] in this driver. When the bridge processes a specific class of malformed or unexpected Layer-2 frames, code paths in the driver dereference a pointer that has not been initialized or has been freed.
Dereferencing a NULL pointer inside a kernel-mode driver triggers a bug check, halting the operating system with a stop error. The result is a system crash that interrupts all services running on the affected host. Recovery requires a reboot, and repeated attacks can sustain unavailability.
Microsoft scopes the impact to availability only. The attacker does not gain code execution, escalate privileges, or read memory contents. The CWE-476 classification and the availability-only impact profile are consistent with a driver-level crash rather than a memory corruption primitive that can be weaponized for code execution.
Root Cause
The root cause is missing validation of a pointer or object reference before use within the bridge driver. When the driver encounters traffic that does not satisfy the assumed preconditions, control reaches a dereference of a NULL pointer in kernel context. This produces an unhandled kernel exception and a bug check.
Attack Vector
The vulnerability is network-accessible and requires no authentication or user interaction. An attacker on an adjacent or routable network sends crafted Layer-2 frames to a host that has the Layer-2 Bridge feature enabled. Hosts that bridge interfaces, including systems using Windows network bridging or Hyper-V virtual switches in bridge configurations, are the primary targets. No verified public proof-of-concept code is available for this CVE.
Detection Methods for CVE-2024-38146
Indicators of Compromise
- Unexpected BugCheck events in the Windows System event log on hosts with active bridge interfaces, particularly stop codes referencing network or NDIS components.
- Repeated unscheduled reboots correlated with bursts of unusual Layer-2 frames captured on bridged interfaces.
- Crash dump files (MEMORY.DMP, Minidump\*.dmp) implicating the bridge driver module in the faulting stack.
Detection Strategies
- Monitor Windows Event Log channel System for Event ID 1001 (BugCheck) and Event ID 41 (Kernel-Power) on servers and endpoints with bridged adapters.
- Use network monitoring to identify anomalous broadcast or unicast Layer-2 traffic patterns targeting hosts known to operate as bridges.
- Correlate host crash events with switch port traffic spikes to identify the source of malicious frames.
Monitoring Recommendations
- Inventory all Windows hosts with the Layer-2 Bridge feature, Hyper-V external virtual switches, or Network Bridge configurations enabled.
- Track patch deployment status for the August 2024 security updates across affected Windows builds.
- Alert on repeated kernel crashes from the same host within short time windows, which can indicate sustained exploitation attempts.
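The event-log monitoring and repeated-crash alerting described above can be sketched in PowerShell. This is an added example, not part of the original advisory or any Microsoft tooling; the function names, the threshold of three crashes in 60 minutes and the sample host names are assumptions.

```powershell
# Added example: flag hosts with repeated kernel crashes inside a short window.
# Function names, thresholds and host names are assumptions, not vendor guidance.
function Get-CrashEvent {
    param([string[]] $ComputerName = $env:COMPUTERNAME, [int] $Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting', 'Microsoft-Windows-Kernel-Power'
        Id           = 1001, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($computer in $ComputerName) {
        # Event 41 is also logged after plain power loss; 1001 (BugCheck) confirms a stop error.
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue
    }
}

function Find-CrashBurst {
    param(
        [object[]] $Events = @(),                      # objects with MachineName, Id, TimeCreated
        [int] $Threshold = 3,
        [timespan] $Window = (New-TimeSpan -Minutes 60)
    )
    # Group per host AND per event ID so one crash (1001 + 41) is not counted twice.
    foreach ($group in ($Events | Group-Object -Property MachineName, Id)) {
        $times = @($group.Group | Sort-Object -Property TimeCreated | ForEach-Object { $_.TimeCreated })
        for ($i = 0; $i + $Threshold -le $times.Count; $i++) {
            $last = $times[$i + $Threshold - 1]
            if (($last - $times[$i]) -le $Window) {
                [pscustomobject]@{ Host = $group.Values[0]; EventId = $group.Values[1]
                                   Count = $Threshold; First = $times[$i]; Last = $last }
                break
            }
        }
    }
}

# Constructed sample events (not real telemetry) so the logic can be checked offline.
$t0 = Get-Date '2024-08-20T02:00:00'
$sample = foreach ($minute in 0, 12, 25) {
    [pscustomobject]@{ MachineName = 'BRIDGE-HOST-01'; Id = 1001; TimeCreated = $t0.AddMinutes($minute) }
}
$sample += [pscustomobject]@{ MachineName = 'FILESRV-02'; Id = 1001; TimeCreated = $t0 }
Find-CrashBurst -Events $sample    # flags only BRIDGE-HOST-01 (three BugChecks in 25 minutes)

# Live use against the local System log:
# Find-CrashBurst -Events @(Get-CrashEvent -Days 7)
```

Feed the flagged hosts into the bridge inventory to decide which crashes warrant a packet capture on the bridged interfaces.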
How to Mitigate CVE-2024-38146
Immediate Actions Required
- Apply the August 2024 Microsoft security updates referenced in the Microsoft Vulnerability Advisory to all affected Windows 10, Windows 11, and Windows Server systems.
- Prioritize patching for hosts that actively use Layer-2 bridging, Hyper-V external switches, or network bridge configurations.
- Restrict Layer-2 access to bridge hosts using switch port ACLs, private VLANs, or network segmentation until patches are deployed.
Patch Information
Microsoft published the fix in its August 13, 2024 Patch Tuesday cumulative updates. Refer to the Microsoft Vulnerability Advisory for the specific KB article numbers that apply to each Windows build. Cumulative updates supersede prior monthly rollups.
Workarounds
- Disable the Windows Network Bridge on hosts that do not require Layer-2 bridging until updates are installed.
- Remove or reconfigure Hyper-V external virtual switches that are not strictly necessary, or move workloads to internal switch types.
- Restrict untrusted devices from sharing broadcast domains with Windows bridge hosts using VLAN isolation.
```powershell
# Configuration example: list and disable a Windows Network Bridge via PowerShell
Get-NetAdapter | Where-Object { $_.Name -like '*Bridge*' -or $_.InterfaceDescription -like '*Bridge*' }
# Disable the bridge adapter by its connection name ('Network Bridge' is the default)
Disable-NetAdapter -Name 'Network Bridge' -Confirm:$false
# List Hyper-V external switches that may use bridging
Get-VMSwitch | Where-Object { $_.SwitchType -eq 'External' }
```


