Windows Telephony Service (TapiSrv) Elevation of Privilege Use-After-Free
CVE-2024-26230 is an elevation-of-privilege vulnerability in the Microsoft Windows Telephony Service (TapiSrv), specifically in tapisrv.dll. The available analysis attributes the root cause to a use-after-free in FreeDialogInstance, which frees a GOLD object while a context handle still retains a pointer to it. A subsequent call path through TUISPIDLLCallback dereferences the stale pointer and invokes a virtual function on the freed object. The described exploitation technique reclaims the freed heap region with attacker-controlled data by abusing user-writable Telephony registry values under Software\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities, particularly via the RequestMakeCall path. The attacker uses Telephony RPC interfaces such as ClientAttach, ClientRequest, and ClientDetach, with ClientRequest dispatching based on a function selector in the request buffer, to create the object, free it, replace it with a fake object, and then trigger the callback that transfers control through the forged object. The analysis identifies Windows 10 Version 22H2 Build 19045.3803 AMD64 as an affected example and places the vulnerable code in C:\Windows\System32\tapisrv.dll.
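Two observable side effects of the technique described above are useful from a detection standpoint: a write to a user-writable value under the Telephony HandoffPriorities key, and a DLL being loaded into the service host from a user-profile directory. The following is an added example (not code from this page or from any of the exploit repositories it summarises) that runs those two checks over constructed, simplified registry and image-load event lines. The `key=value|key=value` line format, the event numbering (13 for a registry value set, 7 for an image load, mirroring Sysmon's numbering), the sample process and SID values, and the severity heuristics are assumptions; only the HandoffPriorities\RequestMakeCall registry path comes from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events (assumption: a simplified key=value|key=value format,
# not a real Sysmon export). EventID 13 = registry value set, EventID 7 = image load.
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Example|Details=Binary Data",
    r"EventID=13|Image=C:\Users\alice\AppData\Local\Temp\exp.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities\RequestMakeCall|Details=Binary Data",
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\tapisrv.dll",
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Users\alice\AppData\Roaming\payload.dll",
    r"EventID=1|Image=C:\Users\alice\AppData\Local\Temp\exp.exe|CommandLine=exp.exe",
]

# Registry path the page reports the exploit writes to, in per-user hive form
# (HKCU\... or HKU\<SID>\...). The key is user-writable by design, so a write is
# only a signal, not proof of exploitation.
HANDOFF_RE = re.compile(
    r"^HK(?:U|CU)\\(?:[^\\]+\\)?Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Telephony\\HandoffPriorities\\",
    re.IGNORECASE,
)
# Module loaded from a user-profile directory (heuristic assumption).
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)
# Writer living under the Windows directory is treated as lower severity (heuristic).
WINDOWS_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\", re.IGNORECASE)


@dataclass
class Alert:
    line_no: int
    rule: str
    severity: str
    image: str
    target: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'key=value|key=value' event line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_event(line_no: int, ev: Dict[str, str]) -> Optional[Alert]:
    """Apply the two detection rules to a parsed event; return an Alert or None."""
    event_id = ev.get("EventID")
    image = ev.get("Image", "")
    if event_id == "13":
        target = ev.get("TargetObject", "")
        if HANDOFF_RE.search(target):
            # Writes by a Windows component may be legitimate; writes by an
            # arbitrary user process to this key deserve a closer look.
            severity = "low" if WINDOWS_DIR_RE.search(image) else "high"
            return Alert(line_no, "telephony_handoff_value_write", severity, image, target)
    elif event_id == "7":
        loaded = ev.get("ImageLoaded", "")
        if image.lower().endswith("\\svchost.exe") and USER_PROFILE_RE.search(loaded):
            # A service host loading a DLL from a user profile is rarely legitimate.
            return Alert(line_no, "svchost_loads_user_profile_dll", "high", image, loaded)
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run both rules over a batch of event lines, keeping 1-based line numbers."""
    alerts: List[Alert] = []
    for line_no, line in enumerate(lines, 1):
        alert = check_event(line_no, parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


def correlated(alerts: List[Alert]) -> bool:
    """True when both rules fired in the same batch, which is the pattern the
    page describes (registry value staged, then a DLL loaded into the service)."""
    rules = {a.rule for a in alerts}
    return {"telephony_handoff_value_write", "svchost_loads_user_profile_dll"} <= rules


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"line {a.line_no}: [{a.severity}] {a.rule} image={a.image} target={a.target}")
    print("correlated pattern:", correlated(found))
```

Both rules are intentionally narrow and heuristic: the first fires on any per-user write to the Telephony HandoffPriorities key and uses the writing process's location to set severity, the second fires on a service host loading a module from a user profile. Treating the two together as a correlated pattern, rather than alerting on either alone, keeps the noise from legitimate Telephony configuration changes down.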
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a working exploit for CVE-2024-26230, a vulnerability in the Microsoft Windows TAPI (Tapisrv) service. The exploit is implemented in C++ and is structured as a Visual Studio project, with the main logic in 'CVE-2024-26230.cpp' and supporting code in several header and helper files. The exploit leverages crafted RPC requests to the Tapisrv service, manipulating heap memory and function pointers to achieve arbitrary DLL injection. The payload path is hardcoded as 'C:\users\kiwi\desktop\test.dll', which will be loaded into the Tapisrv process using LoadLibraryA. The exploit requires access to the Tapisrv RPC endpoint, which may be exposed via a named pipe (\\pipe\tapsrv) or over TCP/IP (e.g., 10.4.99.1). The code includes helper classes for interacting with Windows services and detailed structures for the crafted RPC messages. The exploit is marked as unstable and is intended for research purposes only. The repository does not include a detection script or Metasploit module, and the exploit is operational with a hardcoded payload.
This repository contains a local privilege escalation exploit targeting the Microsoft Windows Telephony Application Programming Service (TAPSRV) via its RPC interface. The main exploit logic resides in 'exp/exp.cpp', which orchestrates a Use-After-Free (UAF) attack by manipulating the TAPSRV RPC context and request handling. The exploit crafts specific RPC requests to create and free objects in the service, then reuses freed memory to inject a payload. The payload is a DLL (e.g., 'C:\Users\SRHla\AppData\Roaming\hack.dll') that is written into memory and loaded into the TAPSRV process using VirtualAlloc and LoadLibraryW, resulting in code execution as SYSTEM. The exploit also manipulates a registry value ('HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities\RequestMakeCall') to facilitate the attack. The repository includes MIDL-generated RPC stubs and headers for the TAPSRV interface, as well as helper code for RPC binding. The attack vector is local, requiring the attacker to execute code on the target machine. The exploit demonstrates operational maturity, providing a working payload and detailed exploitation steps.
Affected products & vendors
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Windows Telephony Service (TapiSrv) elevation-of-privilege vulnerability caused by a use-after-free in FreeDialogInstance, exploitable to gain code execution and escalate privileges to SYSTEM.
Elevation of privilege vulnerability in Windows Telephony Server; assessed as more likely to be exploited within 30 days.