IRONSMITHINTEL
HIGH | CVSS 7.8 | CVE-2024-26229 | Auth: low — any local user | Reboot: required | Est. 30–60 minutes including reboot | Manual only

Windows CSC Service Heap-Based Buffer Overflow — Local EoP to SYSTEM (CVE-2024-26229)

A heap-based buffer overflow in the Windows CSC (Offline Files) service lets a low-privilege local user escalate to SYSTEM. A public PoC was released within weeks of the April 2024 disclosure and is now bundled into common post-exploitation toolkits. Apply the April 2024 cumulative update.

Published Apr 9, 2024 · Updated May 16, 2026
Why patch: Risk explained in plain English
Worst-case scenario: If unpatched

An attacker with any local foothold can escalate to SYSTEM, dump LSASS, disable security tooling, and persist with kernel-level privilege. The bug is reachable from any user account that can open the CSC device — by default that includes every interactive user on the host. On multi-user systems (RDS, terminal servers, jump hosts) this gives any logged-in user a one-step path to full host compromise.

How the attack works

A heap-based buffer overflow in the Windows CSC (Client Side Caching) service — better known as Offline Files — allows a low-privilege local process to corrupt kernel memory and escalate to SYSTEM. The CSC driver is loaded by default on every Windows Server even when Offline Files is not actively used, because the feature ships enabled and the driver is loaded at boot. Affected: Windows 10/11 and Windows Server 2008 SP2 through Windows Server 2022 23H2 prior to the April 2024 Patch Tuesday.

Am I affected? Quick check

Probably yes if any of these apply:

All Windows Servers (RDS, terminal servers, jump hosts)
Multi-user Windows hosts
Any host an attacker can land low-privilege code on
Running Windows Server 2008 SP2 through Windows Server 2022 23H2, prior to the April 2024 cumulative update

Affected OS versions

Windows Server 2008 SP2
Windows Server 2008 R2 SP1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server 2022 23H2
Fixed in: April 2024 Patch Tuesday cumulative update (see Manual remediation steps for per-OS KB lookup)
Real-world incidents: What we've seen

CVE-2024-26229 was reported by an independent researcher (Varonis) and disclosed in the April 2024 Patch Tuesday rollup. A working exploit appeared on GitHub within two weeks of disclosure and has since been packaged into Cobalt Strike companion tooling, Metasploit modules, and Sliver scripts. Initial-access actors routinely chain it after a phishing-delivered payload to obtain SYSTEM on the host before pivoting. Microsoft rates exploitation "Less Likely" but real-world telemetry contradicts that — the bug is widely weaponised.

How to patch

Manual remediation steps

30–60 minutes including reboot

Apply the April 2024 cumulative update

1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com
2. Search for CVE-2024-26229 to find the current superseding cumulative for your OS
3. Approve via WSUS / SCCM, or download the MSU and run as Administrator
4. Restart the server

Workaround — disable the CSC driver (only if Offline Files not in use)

# WARNING: Verify no users or applications rely on Offline Files first.
# The CSC service is required for the Offline Files feature; disabling it
# breaks file sync for redirected folders and offline-cached file shares.
Set-Service -Name CscService -StartupType Disabled
Stop-Service -Name CscService -Force

# Also disable the kernel driver:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CSC" `
  -Name Start -Value 4
Restart-Computer

Verify

# Confirm cscapi.dll / cscobj.dll / cscservice files are patched:
Get-ChildItem C:\Windows\System32\csc*.dll | Select-Object Name, VersionInfo
# Confirm OS build is at or above the April 2024 level:
[System.Environment]::OSVersion.Version
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR
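
The patch check and the workaround check above can be combined into one read-only audit that also catches a host where the driver has been disabled in the registry but is still loaded because the reboot has not happened. This is an added example, not part of the original page or a vendor script; the function name Get-CscExposure and its -MinimumUbr parameter are hypothetical, and the first-patched UBR for each OS build must be supplied by the operator because the page does not list it.

```powershell
# Added example, not from the original page. Read-only: it reports the patch
# level and the state of the CSC workaround, and changes nothing on the host.
# Assumes Windows PowerShell 5.1 or later, run locally.
function Get-CscExposure {
    [CmdletBinding()]
    param(
        # ASSUMPTION: operator-supplied map of OS build (int) -> first patched
        # UBR (int), read from the April 2024 KB article for each OS.
        [hashtable]$MinimumUbr = @{}
    )

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # 'Unknown' when no baseline was supplied for this build, or when the UBR
    # value is absent (possible on older releases); check installed KBs instead.
    $patch = 'Unknown'
    if ($null -ne $cv.UBR -and $MinimumUbr.ContainsKey($build)) {
        $patch = if ([int]$cv.UBR -ge [int]$MinimumUbr[$build]) { 'Patched' } else { 'Missing' }
    }

    # Workaround state: service start type, driver Start value (4 = disabled),
    # and whether the driver is still loaded (true until the reboot happens).
    $svc    = Get-Service -Name CscService -ErrorAction SilentlyContinue
    $drvKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CSC' -ErrorAction SilentlyContinue
    $drv    = Get-CimInstance Win32_SystemDriver -Filter "Name='CSC'" -ErrorAction SilentlyContinue

    $driverDisabled = ($null -eq $drvKey) -or ($drvKey.Start -eq 4)
    $driverLoaded   = ($null -ne $drv) -and ($drv.State -eq 'Running')
    $workaround     = $driverDisabled -and -not $driverLoaded

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Build            = '{0}.{1}' -f $build, $cv.UBR
        PatchState       = $patch
        CscServiceStart  = if ($svc) { [string]$svc.StartType } else { 'NotPresent' }
        CscDriverStart   = if ($drvKey) { $drvKey.Start } else { $null }
        CscDriverLoaded  = $driverLoaded
        WorkaroundActive = $workaround
        NeedsAction      = ($patch -ne 'Patched') -and -not $workaround
    }
}

# With a baseline (placeholders, fill in from the KB article for your OS):
# Get-CscExposure -MinimumUbr @{ <os-build> = <first-patched-UBR> }
Get-CscExposure | Format-List
```
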
PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.