Advisory Details

This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the implementation of DirectComposition in the win32kbase driver. Crafted parameters to a system call can trigger a dereference of a null pointer. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

04/28/23 – ZDI reported the vulnerability to the vendor.
05/02/23 – The vendor acknowledged the report.
05/23/23 – The vendor states this case doesn’t meet the bar for immediate servicing.
05/23/23 – ZDI informed the vendor of our intention to publish this as a zero-day advisory.
02/05/24 – The vendor states this case might be fixed but would verify.
08/05/24 – The ZDI informed the vendor that we are publishing this case as a zero-day advisory on 08/06/24.

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application

• 2023-04-28 - Vulnerability reported to vendor
• 2024-08-06 - Coordinated public release of advisory
• 2024-08-15 - Advisory Updated