Cyber Resilience

CVE-2021-40449

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRansomware-linked

Published: 13 October 2021

Published
13 October 2021
Modified
30 October 2025
KEV Added
17 November 2021
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9151 99.7th percentile
Risk Priority 91 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-40449 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-40449 is a use-after-free vulnerability, tracked under CWE-416, in the Win32k component of Windows that results in an elevation of privilege. The flaw carries a CVSS 3.1 score of 7.8 and allows an attacker to corrupt memory within the kernel-mode graphics driver.

A local attacker with a low-privileged account can trigger the flaw through calls to NtGdiResetDC, obtaining code execution in the kernel and thereby achieving full control over the affected system, including arbitrary read/write access to kernel memory.

Microsoft's security advisory and the CISA Known Exploited Vulnerabilities catalog both list the issue, indicating that official patches are available through the standard Windows update channels and that the vulnerability has been observed in active exploitation.

Public exploit code demonstrating the local privilege-escalation path has been published on Packet Storm.

EU & UK References

Vulnerability details

Win32k Elevation of Privilege Vulnerability

CWE(s)
KEV Date Added
17 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
windows 10 1507
≤ 10.0.10240.19086
microsoft
windows 10 1607
≤ 10.0.14393.4704
microsoft
windows 10 1809
≤ 10.0.17763.2237
microsoft
windows 10 1909
≤ 10.0.18363.1854
microsoft
windows 10 2004
≤ 10.0.19041.1288
microsoft
windows 10 20h2
≤ 10.0.19041.1288
microsoft
windows 10 21h1
≤ 10.0.19041.1288
microsoft
windows 11
all versions
microsoft
windows 11 21h2
≤ 10.0.22000.258
microsoft
windows 7
all versions
+9 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of vendor patches that eliminate the use-after-free flaw in Win32k.

prevent

Enforces least-privilege boundaries so a low-privileged account cannot reach NtGdiResetDC paths that corrupt kernel memory.

prevent

Implements memory protections that block the unauthorized read/write and code execution resulting from the use-after-free condition.

References