Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.
What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Under what circumstances might this vulnerability be exploited other than as a denial of service attack against a Hyper-V host? This issue allows a guest VM to force the Hyper-V host's kernel to read from an arbitrary, potentially invalid address. The contents of the address read would not be returned to the guest VM. In most circumstances, this would result in a denial of service of the Hyper-V host (bugcheck) due to reading an unmapped address. It is possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional, hardware device specific side effects that could compromise the Hyper-V host's security. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? In this case, a successful attack could be performed from a low privilege Hyper-V guest. The attacker could traverse the guest's security boundary to gain access to the Hyper-V host environment.
<a href="https://x.com/0xashutosh">Ashutosh</a> with <a href="https://www.skyhighsecurity.com/">skyhighsecurity</a>