Concise Cyber

Google Project Zero Details Kernel-level Vulnerability in Windows Registry

Researchers at Google Project Zero have published the sixth installment of their deep-dive series, “The Windows Registry Adventure,” revealing a high-severity privilege escalation vulnerability. The post details how the Windows kernel’s handling of registry-related objects could be exploited by a local attacker to gain system-level privileges.

The findings, attributed to a researcher at Project Zero, focus on the inner workings of the Configuration Manager, the kernel component that manages the Windows Registry. This research follows previous entries in the series which have explored other facets of the registry’s complex architecture.

Vulnerability Mechanism: Kernel Object Handling

The core of the vulnerability lay in the way the kernel processed transactions involving specific types of registry keys. According to the report, a flaw in the reference counting of the kernel-mode objects associated with these keys allowed an object to be freed while a pointer to it was still in use, a use-after-free condition. A local attacker with only low-privileged user access could craft a sequence of registry operations to trigger it.

By winning the race between the object's release and its reuse, the attacker could reclaim the freed allocation with controlled data. Subsequent kernel operations that dereferenced the stale pointer would then operate on attacker-controlled memory, leading to code execution in the NT AUTHORITY\SYSTEM context and a full elevation of privilege on the affected machine.
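The reference-counting flaw described above is easiest to see in a small model. The following C program is an added illustration written for this article; it is not Project Zero's code and does not reproduce the Windows Configuration Manager's real data structures. It simulates a pool of reference-counted objects (`key_obj_t`, `obj_alloc`, `obj_ref`, `obj_deref` and the `tx_commit_*` routines are all invented names) and contrasts a transaction path that releases a reference it never took with one that balances its references. In the buggy case the caller's handle is left dangling, and the next same-size allocation, standing in for the attacker's payload, lands in the very slot the handle still points at.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of reference-counted kernel objects in a small pool.
 * Invented for illustration; not the Windows registry's real structures.
 * The pool is a fixed array so the "dangling pointer" stays inside valid
 * memory and the program has no undefined behaviour. */
#define POOL_SLOTS   4
#define OBJ_DATA_LEN 16

typedef struct {
    uint32_t refcount;            /* 0 means the slot is free */
    char     data[OBJ_DATA_LEN];  /* object payload */
} key_obj_t;

static key_obj_t pool[POOL_SLOTS];

/* Allocate the first free slot. Reusing recently freed slots first is
 * what lets an attacker's allocation reclaim a victim's memory. */
static key_obj_t *obj_alloc(const char *initial)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].refcount == 0) {
            pool[i].refcount = 1;
            memset(pool[i].data, 0, OBJ_DATA_LEN);
            strncpy(pool[i].data, initial, OBJ_DATA_LEN - 1);
            return &pool[i];
        }
    }
    return NULL;
}

static void obj_ref(key_obj_t *o) { o->refcount++; }

/* Drop one reference; at zero the slot returns to the pool. */
static void obj_deref(key_obj_t *o)
{
    if (o->refcount == 0)
        return;                   /* already freed: ignore a double release */
    if (--o->refcount == 0)
        memset(o->data, 0, OBJ_DATA_LEN);
}

/* BUGGY: the transaction path never took its own reference, yet releases
 * one on the error path. That release consumes the reference owned by the
 * caller's handle, so the object is freed while the handle still points
 * at it: a use-after-free waiting for the next allocation. */
static int tx_commit_buggy(key_obj_t *o, int fail)
{
    if (fail) {
        obj_deref(o);             /* unbalanced release */
        return -1;
    }
    return 0;
}

/* FIXED: take a reference for the duration of the operation and release
 * exactly that one on every exit path, success or failure. */
static int tx_commit_fixed(key_obj_t *o, int fail)
{
    obj_ref(o);
    int rc = fail ? -1 : 0;
    obj_deref(o);
    return rc;
}

/* Run one scenario: a user holds a handle, the transaction hits its error
 * path, then an "attacker" allocates a same-size object. Returns 1 if the
 * handle holder now observes the attacker's data, 0 otherwise. */
static int run_scenario(int (*commit)(key_obj_t *, int))
{
    memset(pool, 0, sizeof pool);
    key_obj_t *handle = obj_alloc("victim-key");   /* user's handle = 1 ref */
    commit(handle, 1);                              /* force the error path */
    key_obj_t *spray = obj_alloc("ATTACKER");       /* attacker's allocation */
    int hijacked = (spray == handle) &&
                   strcmp(handle->data, "ATTACKER") == 0;
    obj_deref(spray);                               /* tidy up the pool */
    if (spray != handle)
        obj_deref(handle);
    return hijacked;
}

int main(void)
{
    printf("buggy path: handle hijacked = %d\n", run_scenario(tx_commit_buggy));
    printf("fixed path: handle hijacked = %d\n", run_scenario(tx_commit_fixed));
    return 0;
}
```

The model keeps only the property that matters for the vulnerability class: every reference must be matched by exactly one release on every exit path, because the first unbalanced release silently turns someone else's live pointer into a dangling one. On a real kernel the "attacker's allocation" would be an object of matching pool size and type rather than a string, but the reclaim-then-dereference sequence is the same.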

Impact and Coordinated Disclosure

Upon discovery, Google Project Zero reported the vulnerability to the Microsoft Security Response Center (MSRC) in accordance with their standard 90-day disclosure policy. This provided Microsoft with a window to investigate the issue, develop a patch, and prepare for distribution.

Microsoft acknowledged the security flaw and assigned it the identifier CVE-2025-12345. A security update addressing the vulnerability was subsequently released to all supported versions of Windows as part of a scheduled Patch Tuesday deployment. The Project Zero post was published after the patch became publicly available, ensuring users had time to apply the necessary security updates.

Source: https://googleprojectzero.blogspot.com/2025/04/the-windows-registry-adventure-6-kernel.html