Cyber Resilience

CVE-2016-3309

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 09 August 2016

Modified: 22 April 2026
KEV Added: 15 March 2022
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4324 (97.6th percentile)
Risk Priority: 62 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-3309 is a high-severity vulnerability of unspecified weakness type in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Deeper analysis

The vulnerability is an elevation of privilege flaw in the kernel-mode drivers of the Win32k component, tracked as CVE-2016-3309. It affects Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607. The issue permits local users to gain elevated privileges through a specially crafted application and is distinct from the related Win32k issues CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311. It carries a CVSS 3.1 base score of 7.8 reflecting local access with high impact on confidentiality, integrity, and availability.

An attacker with the ability to run a crafted application on an affected system can exploit the flaw to elevate privileges, potentially obtaining administrative control over the target host. The attack requires local access and does not need user interaction beyond execution of the malicious code.

Microsoft addressed the vulnerability in security bulletin MS16-098, which provides patches for the listed Windows versions. Administrators are advised to apply the updates to eliminate the exposure.

Public exploit code for the issue has been published, increasing the likelihood of in-the-wild use by attackers with existing local access.

EU & UK References

Vulnerability details

The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311.

CWE(s)
KEV Date Added: 15 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft · windows 10 1507 · all versions
microsoft · windows 10 1511 · all versions
microsoft · windows 10 1607 · all versions
microsoft · windows 7 · all versions
microsoft · windows 8.1 · all versions
microsoft · windows rt 8.1 · all versions
microsoft · windows server 2008 · all versions, r2
microsoft · windows server 2012 · all versions, r2
microsoft · windows vista · all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely installation of security-relevant patches such as MS16-098 that eliminate the Win32k EoP flaw.

prevent: Enforces least-privilege execution so a local user who triggers the crafted application cannot obtain administrative rights.

prevent: Requires the system to enforce access-control decisions that the vulnerable Win32k kernel driver is failing to uphold.

References