CVE-2024-21338 — Local Privilege Escalation from Admin to Kernel
by hakaioffsec · 2026-05-15
- Severity: High
- CVE: CVE-2024-21338
- Category: binary
- Affected product: Microsoft Windows AppLocker driver path (\Device\AppID)
- Affected versions: Windows 10 and Windows 11 with HVCI enabled (per source repository)
- Disclosed: 2026-05-15
- Patch status: patched
References
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-15 |
| Author / Researcher | hakaioffsec |
| CVE / Advisory | CVE-2024-21338 |
| Category | binary |
| Severity | High |
| CVSS Score | 7.8 (estimated, CVSSv3) |
| Status | Weaponized |
| Tags | LPE, Windows, AppLocker, token-impersonation, HVCI, admin-to-kernel, local-user |
Affected Target
| Field | Value |
|---|---|
| Software / System | Microsoft Windows AppLocker driver path (\Device\AppID) |
| Versions Affected | Windows 10 and Windows 11 with HVCI enabled (per source repository) |
| Language / Platform | C++ / Windows |
| Authentication Required | Yes (local administrator execution) |
| Network Access Required | Local only |
Summary
This PoC targets CVE-2024-21338, a Windows local privilege-escalation issue that allows escalation from a local administrator context to kernel-level control. The exploit chain performs token impersonation and then abuses an AppLocker IOCTL handler with crafted input structures. On vulnerable systems, successful execution yields kernel-level privileges and the potential for full host takeover.
Vulnerability Details
Root Cause
The public PoC indicates unsafe handling in AppLocker AipSmartHashImageFile IOCTL processing (0x22A018), where attacker-influenced fields can be used to manipulate kernel object state. The exploit uses leaked kernel addresses and a gadget path to modify thread PreviousMode behavior.
Attack Vector
A local attacker with administrator-level execution runs the PoC binary on Windows 10/11 with HVCI enabled. The code impersonates privileged tokens and sends a crafted request to \Device\AppID via native API calls.
Impact
Local privilege escalation from administrator to kernel-level capabilities, enabling complete compromise of the host.
Environment / Lab Setup
OS: Windows 10 / Windows 11 (HVCI enabled)
Target: Vulnerable AppLocker IOCTL path
Attacker: Local administrator account in authorized test lab
Tools: Visual Studio (C++), Windows SDK
Setup Steps
Proof of Concept
Step-by-Step Reproduction
- Compile PoC using Visual Studio (Release or Debug).
- Execute as local administrator on an authorized vulnerable lab machine.
- Observe logs showing AppID device handle opening, IOCTL dispatch, and PreviousMode transitions.
Exploit Code
See poc.cpp in this folder.
Expected Output
[.] AppLocker (AppId) handle opened: 0x...
[.] Sending IOCTL request to 0x22A018 (AipSmartHashImageFile)
[.] Current PreviousMode -> 0
Screenshots / Evidence
screenshots/: add authorized lab screenshots showing successful exploitation indicators.
Detection & Indicators of Compromise
- Suspicious user-process access to \Device\AppID with IOCTL 0x22A018
- Token impersonation chain to SYSTEM/LOCAL SERVICE in unusual process context
- Native API patterns involving NtDeviceIoControlFile and NtWriteVirtualMemory
SIEM / IDS Rule (example):
Detect elevated user process -> \Device\AppID handle -> IOCTL 0x22A018
combined with privileged token impersonation behavior.
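The rule sketched above, turned into runnable correlation logic as an added example (this is not code from the archive entry or from the hakaioffsec repository). It groups endpoint events by process, flags any process that opens \Device\AppID and then issues IOCTL 0x22A018 within a short window, and raises the severity when the same process also impersonated SYSTEM or LOCAL SERVICE. The JSON-lines event schema and the sample telemetry are constructed for this example; they do not mirror Sysmon, ETW or any EDR product, so real telemetry has to be mapped onto the assumed field names first.

```python
"""Correlate endpoint telemetry for the CVE-2024-21338 indicators listed above.

Assumption: the JSON-lines event schema used here (fields ts, pid, image,
integrity, event, target, api, ioctl, target_account) is invented for this
example and does not mirror any real sensor's output.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

APPID_DEVICE = r"\Device\AppID"
APPID_IOCTL = 0x22A018                      # AipSmartHashImageFile (code named in the PoC)
PRIVILEGED_ACCOUNTS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE"}
ELEVATED_LEVELS = {"High", "System"}         # integrity levels treated as "elevated"
WINDOW = timedelta(minutes=5)               # handle open -> IOCTL must fall inside this

# Constructed sample telemetry. pid 4242 reproduces the chain described in the
# detection section; pid 1001 is a benign service that only touches the device
# and issues an unrelated (made-up) IOCTL code.
SAMPLE_LOG = r"""
{"ts": "2026-05-15T10:00:01", "pid": 4242, "image": "C:\\Users\\lab\\poc.exe", "integrity": "High", "event": "token_impersonate", "target_account": "NT AUTHORITY\\SYSTEM"}
{"ts": "2026-05-15T10:00:02", "pid": 4242, "image": "C:\\Users\\lab\\poc.exe", "integrity": "High", "event": "handle_open", "target": "\\Device\\AppID"}
{"ts": "2026-05-15T10:00:03", "pid": 4242, "image": "C:\\Users\\lab\\poc.exe", "integrity": "High", "event": "native_api", "api": "NtDeviceIoControlFile", "ioctl": "0x22A018"}
{"ts": "2026-05-15T10:00:04", "pid": 4242, "image": "C:\\Users\\lab\\poc.exe", "integrity": "High", "event": "native_api", "api": "NtWriteVirtualMemory"}
{"ts": "2026-05-15T10:00:05", "pid": 1001, "image": "C:\\Windows\\System32\\svchost.exe", "integrity": "System", "event": "handle_open", "target": "\\Device\\AppID"}
{"ts": "2026-05-15T10:00:06", "pid": 1001, "image": "C:\\Windows\\System32\\svchost.exe", "integrity": "System", "event": "native_api", "api": "NtDeviceIoControlFile", "ioctl": "0x12345678"}
"""


def parse_jsonl(text):
    """Parse JSON-lines telemetry, skipping blank lines; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def _ioctl_code(ev):
    """Return the IOCTL code of a native_api event as an int, or None if absent."""
    code = ev.get("ioctl")
    if code is None:
        return None
    return int(code, 16) if isinstance(code, str) else int(code)


def correlate(events):
    """Return one alert per process that opened the AppID device (APPID_DEVICE)
    and then issued APPID_IOCTL within WINDOW. Impersonation of a privileged
    account by the same process raises the severity, as the rule above requires."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        opens = [e["ts"] for e in evs
                 if e["event"] == "handle_open" and e.get("target") == APPID_DEVICE]
        ioctls = [e["ts"] for e in evs
                  if e["event"] == "native_api" and _ioctl_code(e) == APPID_IOCTL]
        # The IOCTL must follow the handle open and land inside the window.
        hit = any(0 <= (t_io - t_open).total_seconds() <= WINDOW.total_seconds()
                  for t_open in opens for t_io in ioctls)
        if not hit:
            continue
        impersonated = {e["target_account"] for e in evs if e["event"] == "token_impersonate"}
        native_apis = sorted({e["api"] for e in evs if e["event"] == "native_api"})
        alerts.append({
            "pid": pid,
            "image": evs[0]["image"],
            "elevated": evs[0].get("integrity") in ELEVATED_LEVELS,
            "severity": "high" if impersonated & PRIVILEGED_ACCOUNTS else "medium",
            "impersonated": sorted(impersonated),
            "native_apis": native_apis,
        })
    return alerts


def run_sample():
    """Run the correlation over the constructed sample telemetry."""
    return correlate(parse_jsonl(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The benign svchost.exe record is deliberately included: opening \Device\AppID on its own is normal for the AppLocker service path, so the rule only fires on the handle open plus the specific IOCTL, and escalates rather than fires on the impersonation indicator. Tune WINDOW and ELEVATED_LEVELS to the telemetry you actually have.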
Remediation
| Action | Detail |
|---|---|
| Patch | Apply Microsoft updates addressing CVE-2024-21338 |
| Workaround | Restrict execution of untrusted admin-level binaries and monitor AppID IOCTL activity |
| Config Hardening | Enforce least privilege, application allowlisting, and endpoint telemetry for native API abuse |
References
Notes
Auto-ingested from https://github.com/hakaioffsec/CVE-2024-21338 on 2026-05-15.