CVE-2009-2516

Description

The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold and SP1, and Server 2008 Gold does not properly validate data sent from user mode, which allows local users to gain privileges via a crafted PE .exe file that triggers a NULL pointer dereference during chain traversal, aka "Windows Kernel NULL Pointer Dereference Vulnerability."

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Affected products

Microsoft / windows_2000
Microsoft / windows_server_2003
Microsoft / windows_server_2008
Microsoft / windows_server_2008
Microsoft / windows_server_2008
Microsoft / windows_vista
Microsoft / windows_vista
Microsoft / windows_vista
Microsoft / windows_xp
Microsoft / windows_xp
Microsoft / windows_xp
Microsoft / windows_xp
Microsoft / windows_xp
Microsoft / windows_xp

References

MISChttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6264
MISChttps://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-058
MISChttp://www.us-cert.gov/cas/techalerts/TA09-286A.html
VENDOR_ADVISORYhttp://www.nsfocus.com/en/advisories/0903.html