Zero-day vulnerability in Windows


A Chinese-speaking hacking group exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a previously unknown remote access trojan (RAT).

The attacks were noticed in late August and September 2021

Known malware:


Vulnerability details

Advisory: SB2021101211 - Privilege escalation in Microsoft Windows kernel

Vulnerable component: Windows

CVE-ID: CVE-2021-40449

CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-416 - Use After Free


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the Win32k NtGdiResetDC function in Microsoft Windows kernel. A local user can run a specially crafted program to trigger a use-after-free error, when the function ResetDC is executed a second time for the same handle during execution of its own callback, and execute arbitrary code with elevated privileges.

Note, the vulnerability is being actively exploited in the wild.