Attacker Value

CVE-2020-1143: Win32k Use-After-Free

Last updated May 20, 2020


(1 user assessed) Very Low
Attack Vector
Privileges Required
User Interaction


An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Add Assessment

Technical Analysis

A vulnerability exists within the Win32k subsystem (provided by the win32k.sys, win32kbase.sys, and win32kfull.sys drivers) on Windows 10 that can be leveraged to trigger a Use-After-Free condition where by freed memory is used by win32kbase!GreUnlockRegion.

From my testing of the public PoC, I found this bug unreliable to trigger. Even with Driver Verifier enabled and standard settings (including SpecialPool) enabled, no exception and Blue Screen occurred. From reading through the PoC it looks like there is some kind of edge condition (possibly a race) that requires the PoC to re-execute itself (via CreateProcessA) to attempt to trigger the vulnerability.

Do to the unreliable nature of the PoC and the difficulty of replacing the freed memory within the heap, I believe this vulnerability would be difficult to exploit reliably. Successful execution however would take place within the Windows Kernel, effectively offering a complete compromise of the affected system.

General Information

Additional Info

Technical Analysis