CVE-2015-0010
Description
The CryptProtectMemory function in cng.sys (aka the Cryptography Next Generation driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, when the CRYPTPROTECTMEMORY_SAME_LOGON option is used, does not check an impersonation token's level, which allows local users to bypass intended decryption restrictions by leveraging a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data, aka "CNG Security Feature Bypass Vulnerability" or MSRC ID 20707.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The CryptProtectMemory function in the Windows kernel-mode driver cng.sys fails to check the impersonation token level, allowing local users to bypass decryption restrictions.
Vulnerability
The CryptProtectMemory function in cng.sys (the Cryptography Next Generation driver), one of the Windows kernel-mode drivers, does not check the impersonation token's level when the CRYPTPROTECTMEMORY_SAME_LOGON option is used. This affects Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 [1].
Exploitation
An attacker must be a local user and leverage a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data. By exploiting these conditions, the attacker can call CryptProtectMemory with the CRYPTPROTECTMEMORY_SAME_LOGON option and bypass decryption restrictions, as the function does not verify the impersonation level [1].
Impact
Successful exploitation allows a local attacker to decrypt data that was encrypted using the CRYPTPROTECTMEMORY_SAME_LOGON option, thereby bypassing the intended security feature. This is a security feature bypass vulnerability (MSRC ID 20707) that could lead to information disclosure [1].
Mitigation
Microsoft released security update MS15-010 (KB3036220) on February 10, 2015, which addresses the vulnerability by correcting the impersonation level check in CryptProtectMemory. Users should apply the update to mitigate the risk. No workaround is documented [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (15)
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*
- (no CPE)
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
- (no CPE)
References
- docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-010 (source: nvd; Patch, Vendor Advisory)
- code.google.com/p/google-security-research/issues/detail (source: nvd; Exploit, Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/72461 (source: nvd; Third Party Advisory, VDB Entry)