Windows kernel zero-day vulnerability used in targeted attacks


Thread author (Level 37, Top poster, Feb 4, 2016)
Project Zero, Google's 0day bug-hunting team, today disclosed a zero-day elevation of privileges (EoP) vulnerability found in the Windows kernel and actively exploited in targeted attacks.

The flaw is a pool-based buffer overflow that exists in the Windows Kernel Cryptography Driver (cng.sys) and it is currently tracked as CVE-2020-17087.

Proof of concept exploit available

The Windows kernel zero-day bug can be exploited by local attackers for privilege escalation (including sandbox escape), according to Project Zero security researchers Mateusz Jurczyk and Sergei Glazunov.

"The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue," the researchers explain.
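The quoted description (a 16-bit integer truncation that turns into a pool buffer overflow) is a well-known bug class, and the following C program is an added illustration of it, not code from the article, from Project Zero, or from cng.sys. The real layout of cng!CfgAdtpFormatPropertyBlock, its per-byte output width and its allocator are not given in this thread, so the program assumes a formatter that emits "XX " (three characters) per input byte plus a NUL, and a size that is computed correctly but stored in a 16-bit variable before it reaches the allocator. It shows the size arithmetic of the vulnerable pattern beside a hardened version, and the formatter written so that it refuses to write past the capacity it is given rather than overflowing.

```c
/* Added illustration of a 16-bit size truncation that leads to a
 * pool/heap overflow. Assumptions (not from the thread): the formatter
 * writes "XX " per input byte plus a NUL, and the vulnerable code stores
 * the computed size in a 16-bit variable before allocating. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OUT_PER_BYTE 3                 /* assumed output width per input byte */
#define HEX "0123456789ABCDEF"

/* Bytes the formatter really writes for a property blob of n bytes. */
size_t required_size(size_t n)
{
    return n * OUT_PER_BYTE + 1;       /* + terminating NUL */
}

/* Vulnerable pattern: the size is computed in full width, then stored in a
 * 16-bit variable, so any value >= 65536 wraps and the allocation is far
 * smaller than what the formatter will write into it. */
size_t vuln_alloc_size(size_t n)
{
    uint16_t size16 = (uint16_t)required_size(n);   /* silent truncation */
    return size16;
}

/* Bytes the vulnerable path would write past the end of its allocation. */
size_t overflow_bytes(size_t n)
{
    size_t need = required_size(n);
    size_t got  = vuln_alloc_size(n);
    return got < need ? need - got : 0;
}

/* Hardened size computation: keep the arithmetic in size_t, reject lengths
 * whose product would overflow, and reject anything that would not survive a
 * 16-bit size field instead of letting it wrap. Returns 0 on success, -1 if
 * the caller's length must be refused. */
int safe_alloc_size(size_t n, size_t *out)
{
    if (n > (SIZE_MAX - 1) / OUT_PER_BYTE)   /* n * 3 + 1 would overflow size_t */
        return -1;
    size_t need = required_size(n);
    if (need > UINT16_MAX)                    /* cannot be represented in 16 bits */
        return -1;
    *out = need;
    return 0;
}

/* The formatter, trusting only the capacity it is handed: it writes nothing
 * unless out_cap >= required_size(n). Returns bytes written including the
 * NUL, or 0 when the buffer is too small. */
size_t format_property_hex(const uint8_t *p, size_t n, char *out, size_t out_cap)
{
    size_t need = required_size(n);
    if (out == NULL || out_cap < need)
        return 0;
    for (size_t i = 0; i < n; i++) {
        out[i * OUT_PER_BYTE]     = HEX[p[i] >> 4];
        out[i * OUT_PER_BYTE + 1] = HEX[p[i] & 0x0F];
        out[i * OUT_PER_BYTE + 2] = ' ';
    }
    out[n * OUT_PER_BYTE] = '\0';
    return need;
}

int main(void)
{
    /* Constructed 2-byte blob to show the output format. */
    const uint8_t blob[] = { 0xDE, 0xAD };
    char small[8];
    size_t w = format_property_hex(blob, sizeof blob, small, sizeof small);
    printf("formatted %zu bytes: \"%s\"\n", w, small);

    /* Smallest length at which the 16-bit size wraps: 21846 * 3 + 1 = 65539 -> 3. */
    size_t n = 21846;
    printf("n=%zu required=%zu truncated=%zu overflow=%zu\n",
           n, required_size(n), vuln_alloc_size(n), overflow_bytes(n));

    size_t ok = 0;
    printf("safe_alloc_size(%zu) -> %d\n", n, safe_alloc_size(n, &ok));
    return 0;
}
```

The point a reviewer looks for in this bug class is the width of the variable that carries the size between the computation and the allocator: once it is narrower than the arithmetic that produced it, the allocation and the write disagree for every input above the wrap point, and an attacker who controls the input length chooses how far past the allocation the write lands.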

ForgottenSeer 85179 (Staff member, Malware Hunter, Jul 27, 2015)
Patched or not yet?
A patch is expected by November 10, 2020, which would be the next "Patch Tuesday" from Microsoft.

In an emailed statement, a Microsoft spokesperson said the company is working on a fix and characterized the known targeted attack as limited.


Level 63 (Honorary Member, Top poster, Content Creator, Apr 24, 2016)
Two quotes from this article:
Malware already on a system, or a rogue insider, can potentially exploit this buggy driver to gain admin-level control of a vulnerable Windows box. The flaw, designated as CVE-2020-17087, is the result of improper 16-bit integer truncation that can lead to a buffer overflow.
However, the Windows giant suggested exploitation would be difficult because an attacker would first need to compromise a host machine and then exploit another vulnerability of the local system. Microsoft says the only known remote-based attack chain for this vulnerability has been dealt with, a hole in Chromium-based browsers (CVE-2020-15999) that was fixed this month.
It seems to me like it's no problem for the average person, and that it will be fixed next Patch Tuesday, November 10.