Appid.sys

CVE-2024-21338 - Windows AppLocker Kernel Elevation of Privilege Vulnerability

Ghostbyt3 1Day Breakdown 4 min read
CVE-2024-21338 is a privilege escalation vulnerability in the Windows AppLocker driver (appid.sys). The flaw resides in the AipSmartHashImageFile function, reachable via IOCTL 0x22A018, which allows user-mode input to control code execution. Specifically, the function dereferences two user-provided pointers from a shared SystemBuffer without verifying their validity or origin. One of these …
Read more…

CVE-2024-38041 - Windows AppLocker Exposure of Sensitive Information to an Unauthorized Actor

Ghostbyt3 1Day Breakdown 3 min read
CVE-2024-38041 is a information leak vulnerability in the Windows AppID driver (appid.sys). The flaw lies in the handler for IOCTL code 0x22A014, which lacks proper validation of the caller’s access mode. Specifically, the AipDeviceIoControlDispatch function does not verify that the request originates from kernel mode. As a result, a user-mode process running as LOCAL SERVICE can trigger …
Read more…