Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local standard-user access (PR:L) with a triggering process query needed (UI:R); SYSTEM-level heap write yields high C/I/A; scope kept S:U to match vendor SC/SI/SA:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the processes table targeting a maliciously crafted process, due to unchecked PEB string lengths in process command-line and current-directory reads. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1.
AnalysisAI
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard (unprivileged) user escalate to SYSTEM by planting a maliciously crafted process whose Process Environment Block (PEB) contains oversized command-line or current-directory strings. When the osquery agent - typically running as SYSTEM - queries the processes table against that process, unchecked PEB string lengths trigger a heap-based out-of-bounds write (CWE-122). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local code execution as a standard (unprivileged) user on a Windows host running a vulnerable osquery (<5.23.1); the attacker must be able to start a process and control its PEB command-line and current-directory string Length values. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H, base 7.0) is internally consistent with the description: local vector, low attacker privileges required, and a passive user-interaction/context requirement (the SYSTEM-level osquery agent must run the process query). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A standard-user attacker with an interactive or code-execution foothold on a Windows host launches a process whose PEB command-line or current-directory UNICODE_STRING Length fields are set to oversized values. When the osquery agent (running as SYSTEM) next executes a scheduled or distributed query against the `processes` table, it reads those crafted lengths and performs a heap out-of-bounds write, which a skilled attacker can shape into code execution in the SYSTEM context. … |
| Remediation | Vendor-released patch: 5.23.1 - upgrade all Windows osquery deployments to 5.23.1 or later, which adds bounds checking on the PEB string lengths (see commit 3d457c412eb0c986b0c37d8903edae8bc9f9e246 via PR https://github.com/osquery/osquery/pull/8934 and advisory https://github.com/osquery/osquery/security/advisories/GHSA-4r78-6hg6-33gg). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Windows systems running osquery and document current versions; assess criticality of osquery to security operations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
osquery before version 4.4.0 enables a privilege escalation vulnerability. Rated high severity (CVSS 8.2), this vulnerab
An issue was discovered in osquery. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, lo
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Rated medium severity (C
Incorrect validation of the TLS SNI hostname in osquery versions after 2.9.0 and before 4.2.0 could allow an attacker to
In some configurations an attacker can inject a new executable path into the extensions.load file for osquery and hard l
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a m
File carve operations in osquery prior to 5.23.1 expose sensitive data due to world-readable temporary directory permiss
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42919