Multiple vulnerabilities in Microsoft Streaming Service

Published: 2024-06-11 | Updated: 2024-10-22

Risk	Low
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2024-30090 CVE-2024-30089
CWE-ID	CWE-822 CWE-416
Exploitation vector	Local
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system
Vendor	Microsoft

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Untrusted Pointer Dereference

EUVDB-ID: #VU91702

Risk: Low

CVSSv4.0: 6.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2024-30090

CWE-ID: CWE-822 - Untrusted Pointer Dereference

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to untrusted pointer dereference in Microsoft Streaming Service. A local user can win a race condition and gain elevated privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Windows: before

Windows Server: before

CPE2.3

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-30090

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Use-after-free

EUVDB-ID: #VU91703

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-30089

CWE-ID: CWE-416 - Use After Free

Exploit availability: No