CVE-2021-34486: Event Tracing for Windows (ETW) TimerCallbackContext Object Use-After-Free Vulnerability

The Event Tracing for Windows (ETW) mechanism allows the logging of kernel or application-defined events for debugging purposes. Developers are able to start and stop event tracing sessions, instrument an application to provide trace events, and consume trace events by calling the ETW set of user-mode Windows APIs. Eventually these will lead to corresponding syscall requests to the kernel (ntoskrnl.exe) to perform the functionalities.

In the ETW request to update periodic capture state, under specific conditions, there exist an use-after-free vulnerability whereby an attacker is able to controllably allocate a 0x30-bytes buffer, free it and reuse this buffer subsequently to execute arbitrary code.

Read More