Hunting for Overlooked Cookies in Windows 11 KTM and Baking Exploits for Them
Cedric Halbronn, Jael Koh
OffensiveCon 2025 · Day 1 · Main
Jael Koh, a researcher at PixiePoint Security, discovered two Use-After-Free vulnerabilities in the Windows Kernel Transaction Manager (KTM) driver within three weeks of focused investigation — targeting two previously undocumented kernel object types identified only as "cookie five" and "cookie six." Both vulnerabilities were patched by Microsoft in the October 2024 Patch Tuesday update as CVE-2024-43570 and CVE-2024-43535. The talk, co-presented with Cedric Halbronn of eSec Lab, walks through the discovery methodology and the exploitation challenges specific to Windows 11.
AI review
This is exactly what OffensiveCon should look like — a solo researcher with a systematic methodology who found two UAF vulnerabilities in completely undocumented Windows kernel object types that nobody had touched in six years of in-the-wild KTM exploitation. Two CVEs, honest failure accounting, real exploitation detail against Windows 11's hardened heap. Accept immediately.