CVE-2021-31166
Published: 11 May 2021
Summary
CVE-2021-31166 is a critical-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 10 2004. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2021-31166 is a remote code execution vulnerability in the HTTP Protocol Stack, tracked under CWE-416 (use-after-free). Its CVSS 3.1 base score of 9.8 reflects a network attack vector, low attack complexity, no privileges required and no user interaction required.
An unauthenticated remote attacker can send specially crafted HTTP requests to trigger the flaw, resulting in arbitrary code execution that impacts confidentiality, integrity, and availability on the affected system.
Microsoft's security advisory at portal.msrc.microsoft.com and the CISA Known Exploited Vulnerabilities catalog both reference this issue, directing administrators to apply the corresponding security updates for mitigation.
The entry's presence in the CISA catalog confirms observed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-18079
Vulnerability details
HTTP Protocol Stack Remote Code Execution Vulnerability
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 06 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of security updates to remediate the HTTP Protocol Stack use-after-free flaw before remote exploitation succeeds.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify unpatched instances of CVE-2021-31166 on systems exposing the HTTP stack.
- Enables monitoring of network traffic and system behavior to detect crafted HTTP requests attempting to trigger the RCE flaw.