> PwnFuzz Labs
  • #CVE-2024-38041 - Windows AppLocker Exposure of Sensitive Information to an Unauthorized Actor
    May 18, 2025 Ghostbyt3 3 min read
    CVE-2024-38041 is an information leak vulnerability in the Windows AppID driver (appid.sys). The flaw lies in the handler for IOCTL code 0x22A014, which does not validate the caller's access mode: the AipDeviceIoControlDispatch function never checks that the request originated in kernel mode. As a result, a user-mode process running as LOCAL SERVICE can issue this IOCTL and read kernel pointers back through the shared SystemBuffer. By impersonating the LOCAL SERVICE account and invoking the vulnerable IOCTL, an attacker obtains kernel addresses, defeating KASLR and paving the way for further kernel exploitation.
  • #CVE-2024-21338 - Windows AppLocker Kernel Elevation of Privilege Vulnerability
    May 18, 2025 Ghostbyt3 5 min read
    CVE-2024-21338 is a privilege escalation vulnerability in the Windows AppLocker driver (appid.sys). The flaw resides in the AipSmartHashImageFile function, reachable via IOCTL 0x22A018, where user-mode input controls code execution: the function dereferences two user-provided pointers from the shared SystemBuffer without verifying their validity or origin, and one of them is treated as a function pointer and called directly from kernel mode.
  • #CVE-2025-21333 - Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerabilities
    Apr 28, 2025 Ghostbyt3 4 min read
    The Windows Hyper-V NT Kernel Integration VSP driver contains a heap-based buffer overflow in VkiRootAdjustSecurityDescriptorForVmwp(), a function that can be reached from user mode. Triggering the overflow ultimately yields privilege escalation.
  • #CVE-2024-30084 - Windows Kernel Streaming Driver Elevation of Privilege Vulnerability
    Dec 15, 2024 Ghostbyt3 6 min read
    CVE-2024-30084 is a privilege escalation vulnerability in the Microsoft Kernel Streaming driver (ks.sys) caused by a race condition in how user-supplied data is handled.
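The two AppLocker entries above describe the same root cause in two forms: an IOCTL meant for kernel callers that never checks the requestor's mode, once leaking a kernel pointer out through SystemBuffer and once calling a pointer read in from it. The following is an added example, written for this page and not code from appid.sys or from the PwnFuzz write-ups: a user-mode C model of that dispatch pattern, with the vulnerable handler beside a hardened one. The structure names (IRP_MODEL, HASH_REQUEST_MODEL), the status values, the x64 MmUserProbeAddress stand-in and the specific checks are assumptions chosen to illustrate the class; the page does not state how Microsoft patched either CVE.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* User-mode model (assumption, not appid.sys code) of a kernel IOCTL dispatch
 * that trusts its caller. Field names loosely mirror the real IRP. */
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE_MODEL;
typedef long NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
#define STATUS_ACCESS_DENIED     ((NTSTATUS)0xC0000022L)

typedef struct {
    KPROCESSOR_MODE_MODEL RequestorMode; /* who issued the request */
    void  *SystemBuffer;                 /* METHOD_BUFFERED in/out buffer */
    size_t BufferLength;
} IRP_MODEL;

/* Stand-in for a kernel object whose address must never reach user mode. */
static int g_kernel_object;

/* Stand-in for MmUserProbeAddress; x64 value assumed for the model.
 * Anything below it is a user-mode address. */
#define USER_PROBE_ADDRESS_MODEL ((uintptr_t)0x00007FFFFFFF0000ULL)

/* --- Information-leak pattern (the 0x22A014 class) --- */

/* Vulnerable: writes a kernel address into the caller's buffer, no mode check. */
NTSTATUS leak_ioctl_vulnerable(IRP_MODEL *irp)
{
    if (irp->BufferLength < sizeof(void *))
        return STATUS_INVALID_PARAMETER;
    void *p = &g_kernel_object;
    memcpy(irp->SystemBuffer, &p, sizeof p);
    return STATUS_SUCCESS;
}

/* Hardened: a kernel-only IOCTL refuses any request that did not originate in kernel mode. */
NTSTATUS leak_ioctl_hardened(IRP_MODEL *irp)
{
    if (irp->RequestorMode != KernelMode)
        return STATUS_ACCESS_DENIED;
    return leak_ioctl_vulnerable(irp);
}

/* --- Function-pointer-in-buffer pattern (the 0x22A018 class) --- */

typedef int (*HASH_CALLBACK)(void);
typedef struct {
    HASH_CALLBACK Callback;  /* attacker-controlled when the buffer came from user mode */
    void         *ImageBase;
} HASH_REQUEST_MODEL;

/* Vulnerable: dereferences and calls the pointer straight out of SystemBuffer. */
NTSTATUS hash_ioctl_vulnerable(IRP_MODEL *irp)
{
    if (irp->BufferLength < sizeof(HASH_REQUEST_MODEL))
        return STATUS_INVALID_PARAMETER;
    HASH_REQUEST_MODEL *req = irp->SystemBuffer;
    return req->Callback() == 0 ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

/* Hardened: kernel-only, and the callback must itself live in kernel address space. */
NTSTATUS hash_ioctl_hardened(IRP_MODEL *irp)
{
    if (irp->RequestorMode != KernelMode)
        return STATUS_ACCESS_DENIED;
    if (irp->BufferLength < sizeof(HASH_REQUEST_MODEL))
        return STATUS_INVALID_PARAMETER;
    HASH_REQUEST_MODEL *req = irp->SystemBuffer;
    if ((uintptr_t)req->Callback < USER_PROBE_ADDRESS_MODEL)
        return STATUS_INVALID_PARAMETER;  /* user-mode address: refuse to call it */
    return req->Callback() == 0 ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

/* --- Exercising the model from a caller of a given mode --- */

static int g_payload_ran;
static int attacker_callback(void) { g_payload_ran = 1; return 0; }

/* Returns 1 if the handler handed the kernel object's address back to the caller. */
int model_leak(NTSTATUS (*handler)(IRP_MODEL *), KPROCESSOR_MODE_MODEL mode)
{
    void *out = NULL;
    IRP_MODEL irp = { mode, &out, sizeof out };
    NTSTATUS st = handler(&irp);
    return st == STATUS_SUCCESS && out == (void *)&g_kernel_object;
}

/* Returns 1 if the handler executed the caller-supplied (user-mode) function pointer. */
int model_callback(NTSTATUS (*handler)(IRP_MODEL *), KPROCESSOR_MODE_MODEL mode)
{
    HASH_REQUEST_MODEL req = { attacker_callback, NULL };
    IRP_MODEL irp = { mode, &req, sizeof req };
    g_payload_ran = 0;
    handler(&irp);
    return g_payload_ran;
}
```

The two hardened handlers show why the requestor-mode check alone is the right first line: a kernel caller of the leak IOCTL still gets its pointer (that is the intended use), while a user-mode caller gets STATUS_ACCESS_DENIED before any buffer is touched. The address-range check in hash_ioctl_hardened is the second line, for the case where a kernel caller is handed a buffer that itself came from user mode.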
© 2025 PwnFuzz Labs. All rights reserved.