Google Project Zero (GPZ) has this week disclosed a vulnerability in Microsoft Windows that has already been exploited in the wild. According to the cybersecurity team, the zero-day allows bad actors to engage in privilege escalation and sandbox escape attacks, albeit only with local access.

This is the second Microsoft-related disclosure from GPZ this week. On Monday, Google’s security team disclosed a vulnerability in GitHub after the Microsoft-owned service failed to issue a fix in time.

If you are unfamiliar with Google Project Zero, it is a security team that hunts for security holes in popular software solutions. When a vulnerability is found, Google gives developers 90 days to issue a fix. If no action is taken, Project Zero publicly discloses the flaw.

With the GitHub disclosure it made sense, there was no fix issued within 90 days. However, this new Windows vulnerability is different. In fact, GPZ is disclosing the problem just seven days after it was first found.

This clearly has given Microsoft little time to issue a patch and goes against Google Project Zero’s usual methods. However, the team points out action was needed because the bug has already been exploited.


The zero-day (CVE-2020-17087) occurs in Windows Kernel Cryptography Driver (cng.sys) processes input/output control (IOCTL). This is what Windows uses for input and output operations on devices that are outside normal system calls.

“[Cng.sys] exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” according to the bug report, published last Friday. “We have identified a vulnerability in the processing of IOCTL 0x390400, reachable through [a] series of calls.”

“The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue,” the Project Zero team adds. “The integer overflow occurs in line 2, and if SourceLength is equal to or greater than 0x2AAB, an inadequately small buffer is allocated from the NonPagedPool in line 3. It is subsequently overflown by the binary-to-hex conversion loop in lines 5-10 by a multiple of 65536 bytes.”

Attacks are already happening, says Shane Huntley from Google’s Threat Analysis Group. However, he points out they are not related to this week’s U.S. Presidential election.