Attacker Value
(1 user assessed)
Very Low
(1 user assessed)
User Interaction
Privileges Required
Attack Vector

CVE-2020-1143: Win32k Use-After-Free

Last updated May 20, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.


An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Add Assessment

Technical Analysis

A vulnerability exists within the Win32k subsystem (provided by the win32k.sys, win32kbase.sys, and win32kfull.sys drivers) on Windows 10 that can be leveraged to trigger a Use-After-Free condition where by freed memory is used by win32kbase!GreUnlockRegion.

From my testing of the public PoC, I found this bug unreliable to trigger. Even with Driver Verifier enabled and standard settings (including SpecialPool) enabled, no exception and Blue Screen occurred. From reading through the PoC it looks like there is some kind of edge condition (possibly a race) that requires the PoC to re-execute itself (via CreateProcessA) to attempt to trigger the vulnerability.

Do to the unreliable nature of the PoC and the difficulty of replacing the freed memory within the heap, I believe this vulnerability would be difficult to exploit reliably. Successful execution however would take place within the Windows Kernel, effectively offering a complete compromise of the affected system.

General Information

Additional Info

Technical Analysis