
> To trigger the vulnerable code path, an application on the target must be bound to a raw socket.

What is a "raw socket" in this context?



This means the listening socket was created using SOCK_RAW as opposed to SOCK_STREAM or SOCK_DGRAM. Raw sockets are used for working with ICMP, doing packet sniffing, sending some types of custom TCP packets, etc. Basically anything that isn't UDP or TCP, you'll need a raw socket for.


Historically programs like `ping` and `traceroute` use raw sockets. Using raw sockets requires privilege, which is why those historically have been set-uid on Unix systems.


Indeed. Windows requires elevation for raw sockets as well. The ping binary works without elevation by using the IP Helper Win32 API's ICMP functions: https://learn.microsoft.com/en-us/windows/win32/api/icmpapi/...


https://learn.microsoft.com/en-us/windows/win32/winsock/serv...

And here they explain that if you use SOCK_RAW, you should look out for bad datagrams:

https://learn.microsoft.com/en-us/windows/win32/winsock/tcp-...
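The two points made above, that SOCK_RAW needs privilege (which is why ping is historically set-uid) and that a raw-socket reader has to look out for bad datagrams, put together in one added example. This is not code from any commenter, from ping, or from Microsoft's documentation; it is written against the POSIX sockets API on Linux, where a raw IPv4 socket delivers the IP header to the application along with the ICMP payload. The enum names, the helper functions and the 10.0.0.x addresses in the sample packet are this example's own constructions.

```c
/* Added example (not from the thread): open a raw ICMP socket as ping does,
 * report whether the OS grants the privilege, and validate each datagram's
 * headers against the byte count actually received before trusting them.
 * Assumes Linux/POSIX sockets; sample packets below are constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum raw_verdict {
    RAW_OK = 0, RAW_TOO_SHORT, RAW_BAD_VERSION, RAW_BAD_IHL,
    RAW_BAD_TOTLEN, RAW_BAD_IP_CSUM, RAW_BAD_ICMP_CSUM, RAW_NOT_ECHO_REPLY
};

#define ICMP_TYPE_ECHO_REPLY   0
#define ICMP_TYPE_ECHO_REQUEST 8

/* Create a raw ICMP socket. Returns the fd (>= 0) or -errno. EPERM/EACCES
 * means the process lacks root/CAP_NET_RAW, which is why ping has
 * historically been set-uid (or, on modern Linux, granted the capability). */
int open_raw_icmp_socket(void) {
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    return fd < 0 ? -errno : fd;
}

/* RFC 1071 Internet checksum over big-endian 16-bit words; running it over
 * a header that already carries its checksum yields 0. */
uint16_t inet_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint32_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validate one datagram read from a SOCK_RAW/IPPROTO_ICMP socket. Every
 * offset is checked against n, the count returned by recv(), before it is
 * used. Bytes are parsed by hand instead of casting to struct iphdr, which
 * keeps the code portable and avoids alignment assumptions. */
enum raw_verdict validate_icmp_datagram(const uint8_t *buf, size_t n) {
    if (n < 20) return RAW_TOO_SHORT;                      /* minimal IPv4 header */
    if ((buf[0] >> 4) != 4) return RAW_BAD_VERSION;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > n) return RAW_BAD_IHL;           /* options may be present */
    size_t tot = ((size_t)buf[2] << 8) | buf[3];
    if (tot < ihl + 8 || tot > n) return RAW_BAD_TOTLEN;   /* 8 = ICMP header */
    if (inet_checksum(buf, ihl) != 0) return RAW_BAD_IP_CSUM;
    const uint8_t *icmp = buf + ihl;
    if (inet_checksum(icmp, tot - ihl) != 0) return RAW_BAD_ICMP_CSUM;
    if (icmp[0] != ICMP_TYPE_ECHO_REPLY) return RAW_NOT_ECHO_REPLY;
    return RAW_OK;
}

/* Build a constructed IPv4+ICMP datagram (20-byte header without options,
 * 8-byte ICMP header, 8-byte payload) with valid checksums. Returns 36. */
size_t build_sample_datagram(uint8_t *out, uint8_t icmp_type) {
    const size_t ihl = 20, icmp_len = 16, tot = ihl + icmp_len;
    memset(out, 0, tot);
    out[0] = 0x45;                                  /* version 4, IHL 5 words */
    out[2] = (uint8_t)(tot >> 8); out[3] = (uint8_t)tot;
    out[8] = 64;                                    /* TTL */
    out[9] = IPPROTO_ICMP;
    memcpy(out + 12, "\x0a\x00\x00\x01", 4);        /* src 10.0.0.1 (constructed) */
    memcpy(out + 16, "\x0a\x00\x00\x02", 4);        /* dst 10.0.0.2 (constructed) */
    uint16_t c = inet_checksum(out, ihl);
    out[10] = (uint8_t)(c >> 8); out[11] = (uint8_t)c;
    uint8_t *icmp = out + ihl;
    icmp[0] = icmp_type; icmp[4] = 0x12; icmp[5] = 0x34; icmp[7] = 1;  /* id, seq */
    memcpy(icmp + 8, "abcdefgh", 8);
    c = inet_checksum(icmp, icmp_len);
    icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;
    return tot;
}

/* Read one datagram from the raw socket and validate it before use. */
enum raw_verdict recv_and_validate(int fd) {
    uint8_t buf[65535];
    ssize_t n = recv(fd, buf, sizeof buf, 0);
    if (n < 0) return RAW_TOO_SHORT;
    return validate_icmp_datagram(buf, (size_t)n);
}

int main(void) {
    int fd = open_raw_icmp_socket();
    if (fd < 0) {
        printf("raw socket refused: %s (needs root or CAP_NET_RAW)\n", strerror(-fd));
    } else {
        printf("raw socket opened; waiting for one ICMP datagram\n");
        printf("verdict: %d\n", (int)recv_and_validate(fd));
        close(fd);
    }
    uint8_t pkt[64];
    size_t len = build_sample_datagram(pkt, ICMP_TYPE_ECHO_REPLY);
    printf("constructed sample verdict: %d\n", (int)validate_icmp_datagram(pkt, len));
    return 0;
}
```

Run unprivileged, the socket() call fails with EPERM and only the constructed packet is checked; with CAP_NET_RAW it also reads one real datagram. The order of the checks matters: the total-length field is compared against the bytes received before any checksum is computed over it, so a truncated or lying header cannot drive a read past the buffer.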


So is this a vulnerability in specific raw sockets applications (i.e., you could get it right in the application), or a vulnerability in the Windows kernel's TCP/IP stack that is only exploitable when there is a raw sockets application running?


Raw is a protocol type in the socket API allowing the application to send and receive arbitrary packets (e.g. not packets generated by the system's TCP implementation).


Things like Wireshark bind to a raw socket rather than using the Windows API


The sockets API is a Windows API, and Wireshark does not use it. Instead it uses Npcap, a custom kernel driver.

A raw socket allows creation/consumption of bespoke packet types (i.e. not TCP/UDP). In this case ICMP.



