Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local low-privileged user (PR:L, AV:L) needs a query to touch the malicious binary (UI:R); heap overflow in the SYSTEM process yields full C/I/A impact with no cross-system scope change.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the authenticode table targeting a maliciously crafted binary, due to publisher information parsing in getOriginalProgramName. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1.
AnalysisAI
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a maliciously crafted binary and having the authenticode table query it, triggering a heap out-of-bounds write in the getOriginalProgramName publisher-parsing routine. The flaw is a CWE-122 heap buffer overflow reachable whenever osquery (typically running as SYSTEM) evaluates authenticode publisher metadata against attacker-controlled files. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local, already-authenticated standard user on a Windows host running osquery (PR:L), the ability to write a maliciously crafted binary to a location osquery can read, and a query of the authenticode table that targets that binary - the malicious publisher information is parsed by getOriginalProgramName during that query (UI:P, the query acts on the attacker's file). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H, base 7.0) is internally consistent with the description: local access, low complexity, low privileges already required, and passive user interaction (a query must reach the malicious binary), yielding high confidentiality/integrity/availability impact but no subsequent-system scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A standard user drops a specially crafted signed (or malformed-signature) binary onto the host, then waits for-or induces-an osquery query against the authenticode table that targets that file, such as a fleet-wide scheduled query enumerating executables. Parsing the malicious publisher fields in getOriginalProgramName triggers the heap out-of-bounds write inside the SYSTEM-level osquery process, potentially yielding SYSTEM-level code execution. … |
| Remediation | Upgrade to the vendor-released patch: osquery 5.23.1 (https://github.com/osquery/osquery/releases/tag/5.23.1), which contains the fix (PR https://github.com/osquery/osquery/pull/8923, commit 59a808cda96d5a089cf6ec147efe152459284d54); see advisory GHSA-hr28-jvpx-68cx (https://github.com/osquery/osquery/security/advisories/GHSA-hr28-jvpx-68cx). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify and document all Windows systems running osquery versions prior to 5.23.1; assess criticality of each endpoint. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
osquery before version 4.4.0 enables a privilege escalation vulnerability. Rated high severity (CVSS 8.2), this vulnerab
An issue was discovered in osquery. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, lo
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Rated medium severity (C
Incorrect validation of the TLS SNI hostname in osquery versions after 2.9.0 and before 4.2.0 could allow an attacker to
In some configurations an attacker can inject a new executable path into the extensions.load file for osquery and hard l
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard (unprivileged) user escalate to SYSTEM
File carve operations in osquery prior to 5.23.1 expose sensitive data due to world-readable temporary directory permiss
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42918