CVE-2019-0570
Description
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory, aka "Windows Runtime Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2019-0570 is an elevation of privilege vulnerability in Windows Runtime due to improper handle validation during COM marshaling of RestrictedErrorInfo objects.
Vulnerability
CVE-2019-0570 is an elevation of privilege vulnerability in the Windows Runtime that occurs when the RestrictedErrorInfo COM object is marshaled across apartment or process boundaries. The flaw resides in the custom marshaling protocol used to pass structured error information. During unmarshaling, the code opens the client process and duplicates a handle to a section object without properly validating that handle. This allows an attacker to cause a use-after-free (UAF) condition by closing an unrelated handle. The vulnerability affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, and Windows 10 Servers [1].
Exploitation
An attacker must first have the ability to execute code on the target system at a low integrity level (e.g., as a standard user). The attacker can send a crafted RestrictedErrorInfo object to a higher-integrity process that supports custom marshaling, such as a system service or AppContainer process. By providing a malformed marshaled stream, the attacker can cause the validated handle to become a dangling reference, leading to a use-after-free when the unmarshaler duplicates or closes the handle [1]. The exploit requires no user interaction beyond initial code execution.
Impact
Successful exploitation allows the attacker to elevate privileges from a low-integrity process to a higher-integrity level, potentially achieving arbitrary code execution in the context of the target process. This can lead to full compromise of the system, including access to sensitive data, installation of programs, or modification of system settings [1]. The vulnerability crosses the user security boundary per Windows Security Service Criteria.
Mitigation
Microsoft released a security update in January 2019 as part of Patch Tuesday (KB4480960 and related) to address this vulnerability. Users should apply the latest Windows updates to their affected systems. No workaround is available other than applying the patch. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (9)
- Range: 32-bit Systems
- Range: version 1709 (Server Core Installation)
- Range: 32-bit systems
- Range: Windows RT 8.1
- (Server Core installation) (+ 1 more)
- (no CPE) Range: (Server Core installation)
- (no CPE) Range: (Server Core installation)
- Range: (Server Core installation)
- Range: (Server Core installation)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The WinRT RestrictedErrorInfo unmarshal code does not verify that the handle it receives is actually a section object, and it assumes ownership of the handle, closing it after use and causing a use-after-free on an arbitrary handle in the target process."
Attack vector
An attacker marshals a RestrictedErrorInfo object with a crafted handle value that points to an existing handle (e.g., a file handle) in the target privileged process. The handle's object name must match the pattern "RestrictedErrorObject-" in its last 60 characters, which can be satisfied by a BITS temporary file path. When the target process unmarshals the object, it validates the handle by name only [ref_id=1], then closes it, causing a use-after-free on that handle. The attacker can then replace the freed handle with a different resource (e.g., a writable file) and trick the process into writing attacker-controlled data to an arbitrary location [ref_id=1].
Affected code
The vulnerable function is `CRestrictedError::ValidateHandle` in the COM runtime's WinRT RestrictedErrorInfo implementation [ref_id=1]. This function uses `NtQueryObject` to retrieve the object name of the supplied handle but never checks that the handle's object type is a section. It also unconditionally assumes ownership of the handle and closes it when the `RestrictedErrorInfo` object is released [ref_id=1].
What the fix does
No patch is shown in the bundle. The advisory recommends that the unmarshal code should verify that the handle is actually a section object (e.g., by checking the object type via NtQueryObject) rather than relying solely on name matching [ref_id=1]. Additionally, the code should not assume ownership of a handle that was not created by the unmarshaler itself. Without these fixes, an attacker can supply a handle to any named object whose name ends with "RestrictedErrorObject-*" and have it closed, leading to a use-after-free.
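The two checks described above, as an added example that is not Microsoft's code or the PoC from the reference: a simplified Python model of a handle table in which the name-only validation closes a file handle it never owned, while the type check plus a private copy leaves it intact. The `HandleTable` class, the function names and the object names are assumptions constructed for illustration.

```python
# Simplified model, not Windows code. Handle values, names and types are constructed.
PATTERN = "RestrictedErrorObject-"

class HandleTable:
    """Stand-in for the target process's handle table: handle -> (type, name)."""
    def __init__(self):
        self._entries, self._next = {}, 4

    def open(self, obj_type, name):
        handle, self._next = self._next, self._next + 4
        self._entries[handle] = (obj_type, name)
        return handle

    def query(self, handle):
        return self._entries.get(handle)  # None models STATUS_INVALID_HANDLE

    def close(self, handle):
        self._entries.pop(handle, None)

def name_matches(name):
    # Per the text above: the pattern must appear in the last 60 characters.
    return PATTERN in name[-60:]

def unmarshal_name_only(table, handle):
    """Described behaviour: validate by name only, then take ownership and close."""
    entry = table.query(handle)
    if entry is None or not name_matches(entry[1]):
        return False
    table.close(handle)  # closed when the RestrictedErrorInfo object is released
    return True

def unmarshal_hardened(table, handle):
    """Recommended behaviour: require a Section and close only a private copy."""
    entry = table.query(handle)
    if entry is None or entry[0] != "Section" or not name_matches(entry[1]):
        return False
    private = table.open(*entry)  # models duplicating the handle for our own use
    table.close(private)          # the caller-supplied handle is left untouched
    return True

def run(unmarshal, obj_type, name):
    """Return (accepted, original handle still valid afterwards)."""
    table = HandleTable()
    handle = table.open(obj_type, name)
    return unmarshal(table, handle), table.query(handle) is not None

FILE_NAME = r"\Device\HarddiskVolume2\Temp\RestrictedErrorObject-constructed.tmp"
SECTION_NAME = r"\Sessions\1\BaseNamedObjects\RestrictedErrorObject-constructed"

if __name__ == "__main__":
    print(run(unmarshal_name_only, "File", FILE_NAME))     # accepted, handle closed
    print(run(unmarshal_hardened, "File", FILE_NAME))      # rejected, handle intact
    print(run(unmarshal_hardened, "Section", SECTION_NAME))
```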
Preconditions
- config: The target process must accept marshaled RestrictedErrorInfo objects (e.g., BITS service or other system services that allow WinRT COM marshaling).
- network: The attacker must be able to send a crafted marshaled stream to the target process.
- input: The attacker must know or brute-force a handle value in the target process that points to an object whose name ends with 'RestrictedErrorObject-*' (e.g., a BITS temporary file handle).
Reproduction
1. Compile the provided C# PoC project (requires NtApiDotNet from NuGet).
2. Run the PoC executable.
The PoC creates a file matching the required naming pattern, inserts the file handle into marshaled RestrictedErrorInfo data, then unmarshals the data in the same process. After unmarshaling, the handle is closed, and a subsequent call to obtain the file's full path fails with STATUS_INVALID_HANDLE, demonstrating the use-after-free [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
- www.exploit-db.com/exploits/46184/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- www.securityfocus.com/bid/106415 (mitre, vdb-entry, x_refsource_BID)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0570 (mitre, x_refsource_CONFIRM)