Attacker Value
(1 user assessed)
(1 user assessed)
User Interaction
Privileges Required
Attack Vector


Disclosure Date: June 09, 2020
Add any MITRE ATT&CK Tactics to the list below that apply to this CVE.


A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters.To exploit the vulnerability, a locally-authenticated attacker could attempt to run a specially crafted application on a targeted system.The update addresses the vulnerability by correcting how Windows Kernel handles parameter sanitization., aka ‘Windows Kernel Security Feature Bypass Vulnerability’.

Add Assessment

Technical Analysis

A vulnerability exists with the Windows kernel that can be used to bypass the NULL page mitigation feature that prevents users from allocating the memory that exists at the literal address 0. This is required for exploiting the class of memory corruption vulnerabilities known as NULL Page Dereferece or NULL Pointer Derefernce. This vulnerability would not be useful on it’s own but rather would make exploitation of another vulnerability practical.

In order to leverage this vulnerability, Intel’s SGX functionality must be available on the host. From my testing, the required functionality does not appear to be available from within virtual machines, meaning that a vulnerable environment would likely have to run on hardware. The vulnerability exists within the implementation of the NtCreateEnclave.

The function NtCreateEnclave is exposed through ntdll, was added in Windows 10 v1511 and uses the following signature (according to Process Hacker):

    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID* BaseAddress,
    _In_ ULONG_PTR ZeroBits,
    _In_ SIZE_T Size,
    _In_ SIZE_T InitialCommitment,
    _In_ ULONG EnclaveType,
    _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation,
    _In_ ULONG EnclaveInformationLength,
    _Out_opt_ PULONG EnclaveError

NtCreateEnclave will return 0xc00000bb (STATUS_NOT_SUPPORTED) if the necessary SGX capabilities are unavailable, making identification relatively easy.

I flag this as “No useful access” because it’s most valuable as an exploit primitive, and does not provide any access or information on it’s on.


General Information


  • Microsoft


  • Windows
  • Windows Server
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1909 (Server Core installation)
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for x64-based Systems

Additional Info

Technical Analysis