Description
Microsoft Windows Update Remote Code Execution Vulnerability
Microsoft is aware of a vulnerability in the Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 (KB5035858, OS Build 10240.20526) or any later update released through August 2024. No later version of Windows 10 is affected by this vulnerability.
This servicing stack vulnerability is addressed by installing the September 2024 Servicing Stack Update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order.
Note: Windows 10, version 1507 reached the end of support (EOS) on May 9, 2017 for devices running the Pro, Home, Enterprise, Education, and Enterprise IoT editions. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under support.
FAQ
How do I restore the fixes that this Windows Servicing Stack vulnerability rolled back?
Customers need to install both the servicing stack update (KB5043936) AND security update (KB5043083), released on September 10, 2024, to be fully protected from the vulnerabilities that this CVE rolled back. For more information see KB5043083.
Customers whose systems are configured to receive automatic updates do not need to take any further action.
This CVE is marked as Exploitation Detected. Has Microsoft seen this vulnerability exploited in the wild?
This CVE documents the rollback of fixes that addressed vulnerabilities which affected some Optional Components for Windows 10 (version 1507). Some of these CVEs were known to be exploited, but no exploitation of CVE-2024-43491 itself has been detected.
In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known.
Are there any actions I can take to prevent the rollback of previously fixed CVEs that this vulnerability caused?
No. If you have installed any of the previous security updates released between March and August 2024, the rollbacks of the fixes for CVEs affecting Optional Components have already occurred. To restore these fixes, customers need to install the September 2024 Servicing Stack Update and Security Update for Windows 10.
For more information see KB5043083.
Why were previously fixed CVEs rolled back?
Starting with the Windows security update released March 12, 2024 - KB5035858 (OS Build 10240.20526), the build version numbers crossed into a range that triggered a code defect in the Windows 10 (version 1507) servicing stack that handles the applicability of Optional Components. As a result, any Optional Component that was serviced with updates released since March 12, 2024 (KB5035858) was detected as "not applicable" by the servicing stack and was reverted to its RTM version.
Are all installations of Windows vulnerable?
No. Only Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) with Optional Components enabled from the following list is vulnerable. All other versions of Windows 10 released since November 2015 are not affected.
- .NET Framework 4.6 Advanced Services \ ASP.NET 4.6
- Active Directory Lightweight Directory Services
- Administrative Tools
- Internet Explorer 11
- Internet Information Services\World Wide Web Services
- LPD Print Service
- Microsoft Message Queue (MSMQ) Server Core
- MSMQ HTTP Support
- MultiPoint Connector
- SMB 1.0/CIFS File Sharing Support
- Windows Fax and Scan
- Windows Media Player
- Work Folders Client
- XPS Viewer
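The remediation check from the FAQ (SSU KB5043936 plus KB5043083, with the March 2024 build 10240.20526 as the start of the affected range) and the Optional Component list above, combined into one added PowerShell assessment script that is not part of the advisory: it reports whether a host is on build 10240 within the affected update range, whether both September 2024 packages are installed, and which listed components are enabled. The DISM feature names are assumptions mapping to the advisory's display names (verify them on the target build); Administrative Tools has no single feature name and is not checked.

```powershell
# Added assessment script (not from the advisory). Run in an elevated PowerShell on the host being checked.
# Feature names are ASSUMED DISM names for the advisory's display names; verify them on the target build.
# "Administrative Tools" has no single DISM feature name and is not checked here.
$AffectedFeatures = @{
    'NetFx4-AdvSrvs'                      = '.NET Framework 4.6 Advanced Services'
    'IIS-ASPNET45'                        = 'ASP.NET 4.6'
    'DirectoryServices-ADAM-Client'       = 'Active Directory Lightweight Directory Services'
    'Internet-Explorer-Optional-amd64'    = 'Internet Explorer 11 (x64)'
    'Internet-Explorer-Optional-x86'      = 'Internet Explorer 11 (x86)'
    'IIS-WebServer'                       = 'Internet Information Services\World Wide Web Services'
    'Printing-Foundation-LPDPrintService' = 'LPD Print Service'
    'MSMQ-Server'                         = 'Microsoft Message Queue (MSMQ) Server Core'
    'MSMQ-HTTP'                           = 'MSMQ HTTP Support'
    'MultiPoint-Connector'                = 'MultiPoint Connector'
    'SMB1Protocol'                        = 'SMB 1.0/CIFS File Sharing Support'
    'FaxServicesClientPackage'            = 'Windows Fax and Scan'
    'WindowsMediaPlayer'                  = 'Windows Media Player'
    'WorkFolders-Client'                  = 'Work Folders Client'
    'Xps-Foundation-Xps-Viewer'           = 'XPS Viewer'
}

# Build and Update Build Revision (UBR): version 1507 is build 10240; KB5035858 (March 2024) is UBR 20526.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild
$ubr   = [int]$cv.UBR
if ($build -ne 10240) {
    Write-Output "Build $build is not Windows 10 version 1507; CVE-2024-43491 does not apply."
    return
}

# Both September 2024 packages must be present. Get-HotFix lists installed KBs via Win32_QuickFixEngineering.
$installed = (Get-HotFix).HotFixID
$hasSsu    = $installed -contains 'KB5043936'
$hasLcu    = $installed -contains 'KB5043083'

# Affected Optional Components that are currently enabled on this host.
$enabled = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.State -eq 'Enabled' -and $AffectedFeatures.ContainsKey($_.FeatureName) } |
    ForEach-Object { $AffectedFeatures[$_.FeatureName] }

[pscustomobject]@{
    OsBuild                    = "$build.$ubr"
    ReachedAffectedUpdates     = ($ubr -ge 20526)            # March 2024 update or later has been applied
    SsuKB5043936Installed      = $hasSsu
    SecurityKB5043083Installed = $hasLcu
    Remediated                 = ($hasSsu -and $hasLcu)
    Exposed                    = (($ubr -ge 20526) -and -not ($hasSsu -and $hasLcu) -and @($enabled).Count -gt 0)
    EnabledAffectedComponents  = @($enabled)
}
```

A host reporting Exposed = True has at least one listed component reverted to its RTM version and needs the SSU installed before the security update, as the FAQ states.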
Updates
Product | Article | Update
---|---|---
Windows 10 for 32-bit Systems | |
Windows 10 for x64-based Systems | |
Exploitability: Publicly Disclosed | Exploited | Latest Software Release | DOS
Scores: EPSS | CVSS3 9.8 Critical
Related vulnerabilities
Vulnerability in the Windows operating system update center allowing an attacker to execute arbitrary code
Scores: EPSS | CVSS3 9.8 Critical