Skip to main content

osquery CVE-2026-54001

| EUVDEUVD-2026-42918 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-07-10 GitHub_M
7.0
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Local low-privileged user (PR:L, AV:L) needs a query to touch the malicious binary (UI:R); heap overflow in the SYSTEM process yields full C/I/A impact with no cross-system scope change.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jul 10, 2026 - 17:01 EUVD
Analysis Generated
Jul 10, 2026 - 16:16 vuln.today
CVE Published
Jul 10, 2026 - 14:49 cve.org
HIGH 7.0

DescriptionCVE.org

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the authenticode table targeting a maliciously crafted binary, due to publisher information parsing in getOriginalProgramName. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1.

AnalysisAI

Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a maliciously crafted binary and having the authenticode table query it, triggering a heap out-of-bounds write in the getOriginalProgramName publisher-parsing routine. The flaw is a CWE-122 heap buffer overflow reachable whenever osquery (typically running as SYSTEM) evaluates authenticode publisher metadata against attacker-controlled files. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Standard user logs into Windows host
Delivery
Plant maliciously crafted binary on disk
Exploit
osquery authenticode query targets file
Execution
Malformed publisher parsed in getOriginalProgramName
Persist
Heap out-of-bounds write corrupts memory
Impact
Code execution as SYSTEM

Vulnerability AssessmentAI

Exploitation Exploitation requires a local, already-authenticated standard user on a Windows host running osquery (PR:L), the ability to write a maliciously crafted binary to a location osquery can read, and a query of the authenticode table that targets that binary - the malicious publisher information is parsed by getOriginalProgramName during that query (UI:P, the query acts on the attacker's file). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H, base 7.0) is internally consistent with the description: local access, low complexity, low privileges already required, and passive user interaction (a query must reach the malicious binary), yielding high confidentiality/integrity/availability impact but no subsequent-system scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A standard user drops a specially crafted signed (or malformed-signature) binary onto the host, then waits for-or induces-an osquery query against the authenticode table that targets that file, such as a fleet-wide scheduled query enumerating executables. Parsing the malicious publisher fields in getOriginalProgramName triggers the heap out-of-bounds write inside the SYSTEM-level osquery process, potentially yielding SYSTEM-level code execution. …
Remediation Upgrade to the vendor-released patch: osquery 5.23.1 (https://github.com/osquery/osquery/releases/tag/5.23.1), which contains the fix (PR https://github.com/osquery/osquery/pull/8923, commit 59a808cda96d5a089cf6ec147efe152459284d54); see advisory GHSA-hr28-jvpx-68cx (https://github.com/osquery/osquery/security/advisories/GHSA-hr28-jvpx-68cx). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify and document all Windows systems running osquery versions prior to 5.23.1; assess criticality of each endpoint. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy