CVE-2024-45383 Overview
CVE-2024-45383 is a denial-of-service vulnerability in the HDAudBus_DMA interface of the Microsoft High Definition Audio Bus Driver version 10.0.19041.3636 (WinBuild.160101.0800). The driver mishandles I/O Request Packet (IRP) completion requests, allowing a local authenticated attacker to crash the audio subsystem. A specially crafted application can issue multiple IRP Complete requests against the interface, triggering the fault. Exploitation requires local access, low privileges, and some user interaction. The vulnerability is categorized under CWE-664 (Improper Control of a Resource Through its Lifetime).
Critical Impact
A local attacker running a malicious script or application can trigger a denial-of-service condition affecting the Windows audio bus driver, resulting in loss of audio subsystem availability on the targeted host.
Affected Products
- Microsoft High Definition Audio Bus Driver 10.0.19041.3636 (WinBuild.160101.0800)
- Windows hosts shipping the affected HDAudBus.sys build
- Systems exposing the HDAudBus_DMA interface to user-mode callers
Discovery Timeline
- 2024-09-12 - CVE-2024-45383 published to the National Vulnerability Database
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-45383
Vulnerability Analysis
The flaw resides in the HDAudBus_DMA interface exposed by the Microsoft High Definition Audio Bus Driver. The driver fails to correctly track the lifecycle of IRP objects during DMA-related operations. When a user-mode caller issues multiple IRP Complete requests in quick succession, the driver mishandles the resource state, producing a fault condition that terminates the audio subsystem.
The vulnerability is classified as [CWE-664], reflecting improper control of a resource through its lifetime. The impact is limited to availability — confidentiality and integrity are not affected. According to the EPSS forecast, this issue sits in the upper percentile range for predicted exploitation activity, though no in-the-wild exploitation has been reported and the issue is not listed on the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is improper IRP state tracking inside the HDAudBus_DMA dispatch path. The driver does not validate whether an IRP has already been completed before processing subsequent completion requests. Repeated completion calls against the same or chained IRPs corrupt the driver's internal resource state, producing a denial-of-service outcome.
Attack Vector
Exploitation requires local access. An attacker must execute a malicious script or application on the target host with at least standard user privileges. The malicious code opens a handle to the HDAudBus_DMA interface and issues a sequence of crafted IRP Complete requests. Some user interaction is required to launch the attacker-supplied payload. Successful exploitation crashes the audio bus driver and denies audio services until the system or driver is restarted.
No verified proof-of-concept code is publicly available. Technical analysis of the vulnerability is documented in the Talos Intelligence Vulnerability Report TALOS-2024-2008.
Detection Methods for CVE-2024-45383
Indicators of Compromise
- Unexpected crashes or restarts of the Windows audio service (audiosrv) or HDAudBus.sys driver faults in the system event log.
- Bug-check or Windows Error Reporting entries referencing HDAudBus.sys on hosts running build 10.0.19041.3636.
- Unsigned or unusual user-mode processes opening device handles to the High Definition Audio Bus driver interface.
Detection Strategies
- Monitor DeviceIoControl activity targeting the HDAudBus_DMA interface from non-system processes.
- Correlate audio driver fault events with recent process executions to identify suspicious binaries that preceded the crash.
- Alert on repeated IRP completion calls or rapid handle-open-and-close patterns against audio bus devices from user-mode code.
Monitoring Recommendations
- Centralize Windows Event Log collection for System and Application channels, focusing on driver fault and service stop events.
- Track installed driver versions across the fleet to identify hosts still running the affected 10.0.19041.3636 build.
- Baseline normal access patterns to audio devices so anomalous handle activity from new or untrusted binaries is flagged for review.
How to Mitigate CVE-2024-45383
Immediate Actions Required
- Inventory Windows hosts running High Definition Audio Bus Driver 10.0.19041.3636 and prioritize patching on systems where local users execute untrusted code.
- Apply the latest Microsoft cumulative updates that supersede the affected driver build.
- Restrict execution of unsigned scripts and applications through Windows Defender Application Control or AppLocker policies.
Patch Information
Microsoft addresses driver-level issues through cumulative Windows updates. Administrators should ensure target systems receive the latest monthly servicing-stack and cumulative updates that ship a revised HDAudBus.sys. Refer to the Talos Intelligence Vulnerability Report TALOS-2024-2008 for vendor coordination details. No vendor advisory URL is currently listed in NVD for this CVE.
Workarounds
- Limit local logon rights and remove standard users from systems where audio functionality is non-essential to reduce the local attack surface.
- Enforce application allow-listing to prevent execution of unverified user-mode binaries capable of opening the HDAudBus_DMA interface.
- Where feasible on servers and kiosks that do not require audio, disable the High Definition Audio Bus device in Device Manager until patches are applied.
# Identify the installed High Definition Audio Bus driver version on a Windows host
pnputil /enum-drivers | findstr /i "hdaudbus"
# Query the driver file version directly
powershell -Command "(Get-Item C:\Windows\System32\drivers\HDAudBus.sys).VersionInfo.FileVersion"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
