CVE-2005-2827
Description
The thread termination routine in the kernel for Windows NT 4.0 and 2000 (NTOSKRNL.EXE) allows local users to modify kernel memory and execution flow via steps in which a terminating thread causes Asynchronous Procedure Call (APC) entries to free the wrong data, aka the "Windows Kernel Vulnerability."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"Improper processing of Asynchronous Procedure Call (APC) queue entries during thread termination causes APC entries to free the wrong data."
Attack vector
An attacker must have valid logon credentials and be able to log on locally to the affected system [ref_id=1]. The attacker runs a specially-crafted application that triggers a flaw in the APC queue processing during thread termination. In this condition, the terminating thread causes APC entries to free the wrong data, allowing the attacker to modify kernel memory and redirect execution flow to gain elevated privileges [ref_id=1]. The vulnerability cannot be exploited remotely or by anonymous users.
Affected code
The vulnerability resides in the Windows kernel (NTOSKRNL.EXE) for Windows NT 4.0 and Windows 2000. The affected component is the thread termination routine that processes Asynchronous Procedure Call (APC) queue entries [ref_id=1]. No specific function names or file paths beyond the kernel image are disclosed in the advisory.
What the fix does
The security update addresses the vulnerability by modifying the way that Asynchronous Procedure Call (APC) queues are processed during thread termination [ref_id=1]. The patch ensures that APC entries are correctly freed, preventing the freeing of wrong data that could lead to kernel memory corruption. No further technical details about the specific code change are provided in the advisory.
Preconditions
- auth: Attacker must have valid logon credentials and be able to log on locally to the system
- input: Attacker must be able to run a specially-crafted application on the target system
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/15821 (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/15826 (nvd: Patch)
- secunia.com/advisories/18064 (nvd)
- secunia.com/advisories/18311 (nvd)
- securityreason.com/securityalert/252 (nvd)
- securitytracker.com/id (nvd)
- support.avaya.com/elmodocs2/security/ASA-2005-234.pdf (nvd)
- www.eeye.com/html/research/advisories/AD20051213.html (nvd)
- www.osvdb.org/18823 (nvd)
- www.securityfocus.com/archive/1/419377/100/0/threaded (nvd)
- www.vupen.com/english/advisories/2005/2868 (nvd)
- www.vupen.com/english/advisories/2005/2909 (nvd)
- www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp (nvd)
- docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-055 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/23447 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1583 (nvd)
News mentions
No linked articles in our index yet.