Windows NT OS Kernel Integer Overflow — Local EoP From Low-Privilege User to SYSTEM (CVE-2024-43623)
An integer overflow in the Windows NT kernel lets a low-privilege local user escalate to SYSTEM. Microsoft rates exploitation "More Likely". Apply the November 2024 cumulative update across the fleet — this is a standard chained-exploit kernel EoP that pairs with phishing or any initial-access vector.
An attacker who has already obtained any code execution on the host — through a phishing payload, a service exploit, or a malicious RDP user — can use this bug to escalate to SYSTEM. From SYSTEM, the attacker can dump LSASS to extract credentials, disable EDR drivers, install kernel rootkits, and persist indefinitely. Local kernel EoPs like this are the standard "second stage" in modern intrusion chains and are routinely bundled into off-the-shelf post-exploitation frameworks.
An integer overflow in the Windows NT kernel allows a process running as a low-privilege user to corrupt kernel memory and escalate to SYSTEM. Affected: Windows 10/11 and Windows Server 2008 SP2 through Windows Server 2025 prior to the November 2024 Patch Tuesday. The Microsoft advisory rates the vulnerability "Exploitation More Likely" — meaning Microsoft expects reliable exploit code to emerge and be incorporated into commodity attack tooling within roughly 30 days.
Probably yes if any of these apply:
Affected OS versions
CVE-2024-43623 was patched in the November 2024 Patch Tuesday rollup. Microsoft's "Exploitation More Likely" rating is reserved for bugs with simple, reliable exploit primitives — integer overflows in the kernel typically meet that bar because the path from overflow to controlled write is well-understood. Multiple researchers published kernel-crash PoCs shortly after disclosure; weaponised versions are expected to surface in red-team toolkits.
Manual remediation steps
⏱ 30–60 minutes including reboot

Apply the November 2024 cumulative update

CVE-2024-43623 to find the current superseding cumulative for your OS

Defence-in-depth — reduce local-attacker exposure
```powershell
# Inventory accounts allowed to log on locally to multi-user servers:
secedit /export /cfg local-policy.txt /quiet
Select-String -Path local-policy.txt -Pattern "SeInteractiveLogonRight"
# Remove unnecessary "Allow log on locally" grants:
# Local Security Policy → Local Policies → User Rights Assignment →
# "Allow log on locally" and "Allow log on through Remote Desktop Services"
```
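The secedit export lists grantees as raw SIDs (prefixed with `*`), which makes the inventory hard to review by eye. The following added example (not part of the original advisory) exports the policy, pulls the "Allow log on locally" and "Allow log on through Remote Desktop Services" entries, and resolves each SID to an account name; the function name, the temporary export path and the handling of unresolvable entries are assumptions of this example. Run it elevated on the server being reviewed.

```powershell
# Added example, not from the original advisory: list who holds the two interactive
# logon rights on this host, with SIDs resolved to account names.

function Get-LocalLogonRightHolders {
    param(
        # Assumed temporary location for the secedit export.
        [string]$ExportPath = (Join-Path $env:TEMP 'local-policy.txt'),
        [string[]]$Rights = @('SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight')
    )
    # secedit writes a UTF-16 INI file; Get-Content detects the BOM automatically.
    secedit /export /cfg $ExportPath /quiet | Out-Null
    $lines = Get-Content -Path $ExportPath

    foreach ($right in $Rights) {
        $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        if (-not $line) {
            # A right missing from the export has no grantees on this host.
            [pscustomobject]@{ Right = $right; Principal = '(none)'; Sid = $null }
            continue
        }
        $grantees = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($g in $grantees) {
            if ($g.StartsWith('*')) {
                # Entries prefixed with * are SIDs; translate them to NT account names.
                $sidText = $g.Substring(1)
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    # Orphaned SID (deleted account or unreachable domain): flag for review.
                    $name = '(unresolved SID)'
                }
                [pscustomobject]@{ Right = $right; Principal = $name; Sid = $sidText }
            } else {
                # secedit writes names it could not resolve verbatim, without the * prefix.
                [pscustomobject]@{ Right = $right; Principal = $g; Sid = $null }
            }
        }
    }
    Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
}

Get-LocalLogonRightHolders | Sort-Object Right, Principal | Format-Table -AutoSize
```

Anything in the output beyond the built-in Administrators group (and, for RDP, Remote Desktop Users) is a candidate for removal under the defence-in-depth step above; unresolved SIDs are stale grants that should be cleaned up as well.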
Verify
```powershell
# Confirm the NT kernel is patched (build at or above November 2024 level):
(Get-Item C:\Windows\System32\ntoskrnl.exe).VersionInfo.FileVersion
# The patch level is the pair CurrentBuild.UBR; read both, since UBR alone does not identify the OS build:
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").CurrentBuild
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR
```
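To turn the manual version check into something that can be run across a fleet, the following added example (not part of the original advisory) maps the host's CurrentBuildNumber to the KB listed in the per-OS table below and reports whether that KB is installed. The function name and the `MinUbr` fields are assumptions of this example: the minimum UBR values are not stated on this page and are left as `0` placeholders to be filled in from each KB article; until they are, a host without the exact KB is reported as "Check manually", because Get-HotFix does not list a KB that a later cumulative has superseded.

```powershell
# Added example, not from the original advisory: report CVE-2024-43623 patch status
# for the local host. KB IDs come from the advisory's per-OS table; MinUbr values are
# placeholders (0 = not checked) and must be filled in from the KB articles.
$RequiredKb = @{
    '9600'  = @{ KB = 'KB5046682'; MinUbr = 0 }   # Windows Server 2012 R2
    '14393' = @{ KB = 'KB5046612'; MinUbr = 0 }   # Windows Server 2016
    '17763' = @{ KB = 'KB5046615'; MinUbr = 0 }   # Windows Server 2019
    '20348' = @{ KB = 'KB5046616'; MinUbr = 0 }   # Windows Server 2022
    '26100' = @{ KB = 'KB5046696'; MinUbr = 0 }   # Windows Server 2025
}

function Test-Cve202443623Patch {
    param([hashtable]$Map = $RequiredKb)
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    # UBR is absent on Windows Server 2012 R2; [int]$null yields 0.
    $ubr   = [int]$cv.UBR
    $entry = $Map[$build]
    if (-not $entry) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME; Build = $build; UBR = $ubr
            RequiredKB = '(build not in table)'; KbInstalled = $null; Status = 'Unknown'
        }
    }
    # Get-HotFix only reports the exact KB; a superseding cumulative will not appear.
    $installed = [bool](Get-HotFix -Id $entry.KB -ErrorAction SilentlyContinue)
    $ubrOk     = ($entry.MinUbr -gt 0) -and ($ubr -ge $entry.MinUbr)
    $status = if ($installed -or $ubrOk) { 'Patched' }
              elseif ($entry.MinUbr -eq 0) { 'Check manually' }
              else { 'VULNERABLE' }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = $build
        UBR          = $ubr
        RequiredKB   = $entry.KB
        KbInstalled  = $installed
        Status       = $status
    }
}

Test-Cve202443623Patch | Format-List
```

Once the `MinUbr` placeholders are filled in, the UBR comparison becomes the authoritative check and the Get-HotFix lookup is only a convenience; run the function through Invoke-Command to collect one object per server and filter on `Status`.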
Per-OS KB reference
Per-Windows-Server-version KB mapping for this vulnerability. Each KB is the cumulative update that contains the fix for the listed OS version. Apply the KB for the OS you are running.
| Windows Server version | Cumulative update | Microsoft Update Catalog |
|---|---|---|
| Windows Server 2012 R2 | KB5046682 | https://catalog.update.microsoft.com/Search.aspx?q=KB5046682 |
| Windows Server 2016 | KB5046612 | https://catalog.update.microsoft.com/Search.aspx?q=KB5046612 |
| Windows Server 2019 | KB5046615 | https://catalog.update.microsoft.com/Search.aspx?q=KB5046615 |
| Windows Server 2022 | KB5046616 | https://catalog.update.microsoft.com/Search.aspx?q=KB5046616 |
| Windows Server 2025 | KB5046696 | https://catalog.update.microsoft.com/Search.aspx?q=KB5046696 |
This per-OS KB table was added 2026-05-21 from MSRC ingestion data. Verify each KB against the live MSRC advisory for your environment.
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References