CVE-2024-30098: Windows Cryptographic Services Security Feature Bypass Vulnerability

Overview

Severity: High (CVSS 7.5)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Security Feature Bypass
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2024-Jul
Released: 2024-07-09
Last Updated: 2026-02-10
EPSS Score: 3.08% (percentile: 86.8%)

FAQ

Are there any further actions I need to take to be protected from this vulnerability?

Yes. The Windows Smart Card infrastructure relies on the Cryptographic Service Provider (CSP) and Key Storage Provider (KSP) to isolate cryptographic operations from the Smart Card implementation. The KSP is part of the Crypto Next Generation (CNG) architecture and is intended to support modern smart cards. In the case of RSA based certificates, the Smart Card Certificate Propagation service automatically overrides the default and uses the CSP instead of the KSP. This limits usage to the cryptography provided by the CSP and does not benefit from the modern cryptography provided by the KSP.

IMPORTANT REMINDER: The DisableCapiOverrideForRSA registry key will be removed.

UPDATE February 10, 2026: Based on feedback from customers and software vendors, Microsoft is extending the removal date for the DisableCapiOverrideForRSA registry key from April 2026 to February 9, 2027. This extension provides additional time to develop, test, and update applications that rely on the previous CSP-based behavior. The security fix remains enabled by default.

UPDATE December 9, 2025: The October 14, 2025, Windows updates addressing CVE-2024-30098 revealed issues in applications where the code does not correctly identify which provider is managing the key for certificates propagated from a smart card to the certificate store. This misidentification can cause cryptographic operations to fail in certain scenarios. Please see Guidance for certificate handling for Smart Card propagated certificates for guidance for application developers on how to detect the correct handler and resolve these issues.

UPDATE October 14, 2025: Starting with the October 2025 security updates, the fix will be enabled by default (DisableCapiOverrideForRSA set to 1) and the KSP will be used for RSA based certificates in the Smart Card Certificate Propagation service. If you discover applications relying on the old behavior, the D
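The FAQ above describes two things an administrator or developer needs to check: the current DisableCapiOverrideForRSA setting (1 = fix enforced, 0 = audit mode) and, for each propagated certificate, whether its RSA key is actually served by a CNG KSP or a legacy CSP, since code that resolves the key the CSP-only way is what breaks once the KSP is used. The PowerShell below is an added example written for this page, not Microsoft's own guidance or code; the advisory names the registry value but not its key path, so the path is a labelled placeholder, and the certificate store path is assumed.

```powershell
# Added example (not from the advisory): read the DisableCapiOverrideForRSA setting and
# report which provider (CSP vs KSP) holds each RSA private key in the user's store.
# ASSUMPTION: the registry key path below is a placeholder; take the real path from
# Microsoft's guidance for this CVE.

function Get-CapiOverrideMode {
    param([string]$KeyPath = 'HKLM:\<PLACEHOLDER-PATH-FROM-MICROSOFT-GUIDANCE>')
    $item  = Get-ItemProperty -Path $KeyPath -Name DisableCapiOverrideForRSA -ErrorAction SilentlyContinue
    $value = $item.DisableCapiOverrideForRSA
    # A plain if/elseif is used because 'switch' over $null runs no branch at all.
    if     ($value -eq 1) { 'Enforced: KSP is used for RSA smart card certificates' }
    elseif ($value -eq 0) { 'Audit mode: CSP override still active; watch the System event log for the audit events' }
    else                  { 'Value not present: platform default applies (enforced from the October 2025 updates onward)' }
}

function Get-SmartCardKeyProvider {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumed store; propagated certs land here
    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        try {
            # GetRSAPrivateKey resolves both CSP and KSP keys. X509Certificate2.PrivateKey
            # only understands CSP keys on .NET Framework, which is exactly the
            # misidentification the December 2025 update describes.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch {
            $rsa = $null   # e.g. smart card not inserted; report instead of aborting the scan
        }
        if ($null -eq $rsa) {
            [pscustomobject]@{ Subject = $cert.Subject; Api = 'n/a'; Provider = 'key unavailable or not RSA' }
            continue
        }
        switch ($rsa.GetType().Name) {
            'RSACng'                  { $api = 'KSP (CNG)';  $prov = $rsa.Key.Provider.Provider }
            'RSACryptoServiceProvider'{ $api = 'CSP (CAPI)'; $prov = $rsa.CspKeyContainerInfo.ProviderName }
            default                   { $api = 'Unknown';    $prov = $rsa.GetType().FullName }
        }
        [pscustomobject]@{ Subject = $cert.Subject; Api = $api; Provider = $prov }
    }
}

Get-CapiOverrideMode
Get-SmartCardKeyProvider | Format-Table -AutoSize
```

Any certificate reported as CSP (CAPI) while the setting is enforced, or any application that still reaches the key through X509Certificate2.PrivateKey, is a candidate for the compatibility issues the FAQ refers to.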

Affected Products (31)

Windows

  • Windows Server 2025 (Server Core installation)
  • Windows 11 Version 24H2 for ARM64-based Systems
  • Windows 11 Version 24H2 for x64-based Systems
  • Windows Server 2025
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows 11 version 21H2 for x64-based Systems
  • Windows 11 version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 11 Version 23H2 for ARM64-based Systems
  • Windows 11 Version 23H2 for x64-based Systems
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)

ESU

  • Windows 11 Version 22H2 for ARM64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)

Security Updates (10)

Acknowledgments

Anonymous

Revision History

  • 2024-07-09: Information published.
  • 2024-07-10: Added FAQ to explain how this vulnerability is being addressed and further actions customers must take to be protected from it. This is an informational change only.
  • 2025-03-11: The following updates have been made to CVE-2024-30098: In the Security Updates table, added all supported versions of the following as they are affected by this vulnerability: Windows 11 24H2 and Windows Server 2025. To comprehensively address this vulnerability, Microsoft has released March 2025 security updates for all affected versions of Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022 23H2 Edition, Windows 10, and Windows 11. Updated the "Are there any further actions I need to take to be protected from this vulnerability?" FAQ to state that, starting with April 2025, the fix will automatically generate an audit event in cases where the Cryptographic Service Provider (CSP) is being used with RSA keys. If you have not already enabled the fix using the DisableCapiOverrideForRSA setting, you should monitor your systems for any error events in the Windows system event log. See the FAQ section of this CVE for more information.
  • 2025-03-26: Updated links to security updates. This is an informational change only.
  • 2025-10-14: The following updates have been made to CVE-2024-30098: In the Security Updates table, added all supported versions of Windows 11 25H2 as they are affected by the vulnerability. To enable the fix by default, Microsoft has released October 2025 security updates for all affected versions of Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022 23H2 Edition, Windows 10, and Windows 11. Updated the "Are there any further actions I need to take to be protected from this vulnerability?" FAQ to state that starting with the October 2025 security updates, the fix will be enabled by default (DisableCapiOverrideForRSA set to 1) and the KSP will be used for RSA based certificates in the Smart Card Certificate Propagation service. If you discover applications relying on the old behavior, the DisableCapiOverrideForRSA registry key can be set back to 0 to switch back to auditing mode. The DisableCapiOverrideForRSA registry key will be removed in April 2026. See the FAQ section of this CVE for more information.
  • 2025-12-09: Updated the "Are there any further actions I need to take to be protected from this vulnerability?" FAQ as follows: Added a reminder to customers that the DisableCapiOverrideForRSA registry key will be removed in April 2026. Added an update that states: The October 14, 2025, Windows updates addressing CVE-2024-30098 revealed issues in applications where the code does not correctly identify which provider is managing the key for certificates propagated from a smart card to the certificate store. This misidentification can cause cryptographic operations to fail in certain scenarios. Please see Guidance for certificate handling for Smart Card propagated certificates for guidance for application developers on how to detect the correct handler and resolve these issues. These are informational changes only.
  • 2026-02-10: The DisableCapiOverrideForRSA registry key removal date has been updated to February 9, 2027.