Cyber Resilience

CVE-2021-40450

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 13 October 2021
Modified: 30 October 2025
KEV Added: 25 April 2022
Patch: available from the vendor
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0413 (88.9th percentile)
Risk Priority: 38 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-40450 is a high-severity vulnerability (weakness type unspecified) in Microsoft Windows 10 1809. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 11.1% of CVEs by exploit likelihood (EPSS 88.9th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-40450 is an elevation of privilege vulnerability in the Win32k kernel-mode component of Windows. Its CVSS 3.1 score of 7.8 reflects a local attack vector, low attack complexity, low privileges required and no user interaction, with high impact on confidentiality, integrity and availability.

An attacker with existing local access and limited privileges can exploit the flaw to elevate rights on the target system, potentially obtaining full administrative control.

Microsoft has published security guidance for the issue via its advisory portal, and the vulnerability appears in CISA's catalog of known exploited vulnerabilities, which records observed in-the-wild exploitation.

EU & UK References

Vulnerability details

Win32k Elevation of Privilege Vulnerability

CWE(s)
KEV Date Added: 25 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows 10 1809: ≤ 10.0.17763.2237
Microsoft Windows 10 1909: ≤ 10.0.18363.1854
Microsoft Windows 10 2004: ≤ 10.0.19041.1288
Microsoft Windows 10 20H2: ≤ 10.0.19042.1288
Microsoft Windows 10 21H1: ≤ 10.0.19043.1288
Microsoft Windows 11 21H2: ≤ 10.0.22000.258
Microsoft Windows Server 2004: ≤ 10.0.19041.1288
Microsoft Windows Server 2019: ≤ 10.0.17763.2237
Microsoft Windows Server 2022: ≤ 10.0.20348.288
Microsoft Windows Server 20H2: ≤ 10.0.19042.1288
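A quick exposure check against the build ceilings listed above, added here as an example and not part of the original record. It reads the host's build from the standard CurrentVersion registry values (CurrentBuild and UBR, an assumption about the host) and treats a build at or below the listed ceiling as affected, as the page's "≤" indicates.

```powershell
# Added example: map this host's Windows build to the CVE-2021-40450
# affected-version ceilings from the record above.
# Keys are the major build number; values are the last affected build.
$Ceilings = @{
    '17763' = [version]'10.0.17763.2237'   # Windows 10 1809 / Server 2019
    '18363' = [version]'10.0.18363.1854'   # Windows 10 1909
    '19041' = [version]'10.0.19041.1288'   # Windows 10 2004 / Server 2004
    '19042' = [version]'10.0.19042.1288'   # Windows 10 20H2 / Server 20H2
    '19043' = [version]'10.0.19043.1288'   # Windows 10 21H1
    '20348' = [version]'10.0.20348.288'    # Windows Server 2022
    '22000' = [version]'10.0.22000.258'    # Windows 11 21H2
}

function Test-Cve202140450Exposure {
    # $Build is the major build (e.g. '19041'), $Ubr the update build revision.
    param([string]$Build, [int]$Ubr)
    $current = [version]"10.0.$Build.$Ubr"
    if (-not $Ceilings.ContainsKey($Build)) {
        # Builds the record does not list (e.g. newer releases) are reported as such,
        # not silently marked patched.
        return [pscustomobject]@{ Build = $current; Status = 'NotListed'; Ceiling = $null }
    }
    $ceiling = $Ceilings[$Build]
    $status  = if ($current -le $ceiling) { 'Affected' } else { 'Patched' }
    [pscustomobject]@{ Build = $current; Status = $status; Ceiling = $ceiling }
}

# Constructed sample inputs (not read from a real host):
Test-Cve202140450Exposure -Build '19041' -Ubr 1288   # Status: Affected (at the ceiling)
Test-Cve202140450Exposure -Build '19041' -Ubr 1320   # Status: Patched
Test-Cve202140450Exposure -Build '26100' -Ubr 1      # Status: NotListed

# Live check of the local host (assumes the standard CurrentVersion key layout):
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Test-Cve202140450Exposure -Build $cv.CurrentBuild -Ubr $cv.UBR
```

Run it under an account that can read HKLM, or feed it CurrentBuild/UBR values collected by an inventory tool; a NotListed result means the build is outside the record's scope, not that it is safe.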

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation)

Directly requires timely installation of the vendor patch that eliminates the Win32k EoP flaw.

prevent (AC-6, Least Privilege)

Enforces least-privilege boundaries so a locally authenticated low-privileged user cannot reach the vulnerable Win32k code path with sufficient rights to escalate.

prevent

Requires the operating system to enforce access-control decisions on kernel objects; the CVE is an implementation failure of that enforcement inside Win32k.

References