What is the Windows NTVDM?
The Windows NT Virtual DOS Machine (NTVDM) is the subsystem that runs 16-bit MS-DOS and Windows 3.x applications on 32-bit x86 editions of Windows. It does not emulate the processor: the 16-bit code runs natively in the CPU's virtual-8086 mode inside the user-mode ntvdm.exe process, while the kernel and NTVDM together emulate the BIOS and DOS services a real-mode program expects. NTVDM was present and enabled by default on 32-bit Windows NT, 2000, XP, Server 2003, Vista, Server 2008 and 7; 64-bit editions omit it entirely because WOW64 cannot run 16-bit code. Privileged instructions and software interrupts executed in virtual-8086 mode trap into the kernel, so every 16-bit program crosses the ring-3 to ring-0 boundary on each BIOS or DOS call, and the kernel must decide on every such trap whether it came from a VDM and how to resume it. That decision is where the vulnerability below lives.
Overview
CVE-2010-0232 is a local privilege escalation in the Windows kernel, reachable whenever 16-bit application support (NTVDM) is enabled on a 32-bit x86 system. NVD scores it 7.8 (High) under CVSS 3.1; Microsoft rated the bulletin Important. The kernel code that services BIOS calls and other traps raised by 16-bit applications did not properly validate the processor state it was handed, so a local, low-privileged user could run code in kernel mode. The bug was published with a working proof of concept before a fix existed, giving attackers a head start. Microsoft patched it in MS10-015 on the February 2010 Patch Tuesday, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in March 2022.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 2000 SP4 (32-bit) | Affected | Apply MS10-015 |
| Windows XP SP2/SP3 (32-bit) | Affected | Apply MS10-015 |
| Windows Server 2003 SP2 (32-bit) | Affected | Apply MS10-015 |
| Windows Vista SP1/SP2 (32-bit) | Affected | Apply MS10-015 |
| Windows Server 2008 (32-bit) | Affected | Apply MS10-015 |
| Windows 7 (32-bit) | Affected | Apply MS10-015 |
Note: 64-bit Windows editions are not affected as they do not support NTVDM.
Technical Details
The flaw is in the Windows kernel's handling of traps raised by 16-bit code running inside NTVDM. That code executes in the processor's virtual-8086 mode, where the software interrupts a DOS program uses (INT 0x10 for video services, INT 0x21 for DOS services, and the rest of the BIOS/DOS vectors), privileged instructions, and NTVDM's own BOP (BIOS operation) pseudo-instructions all raise a general-protection fault. Every one of them therefore lands in the kernel's #GP trap handler, nt!KiTrap0D, which inspects the saved context to decide whether the fault came from a VDM, either emulates the instruction and reflects the interrupt to NTVDM's 16-bit handlers or dispatches the BIOS-call emulation, and then rebuilds the context it returns to.
The defect is in that return path. KiTrap0D trusted trap-frame state that a user-mode process could influence, both when judging that the fault had come from VDM code and when restoring the context afterwards. With a crafted combination of segment selectors and flags the handler would resume execution on a stack of the attacker's choosing; Tavis Ormandy's advisory was titled "Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack", and Microsoft's bulletin describes the same condition as improper validation of certain BIOS calls. A local program that obtains a VDM context and raises the fault with the right register state ends up running its own code at ring 0.
The exploitation path:
- The attacker already runs code as a standard user on a 32-bit host where NTVDM is enabled (the default)
- The attacker's code executes inside a VDM context, either as a genuine 16-bit program or, as the public proof of concept did, as code injected into a running ntvdm.exe process
- From that context it raises a general-protection fault with crafted segment and flag state
- KiTrap0D accepts that state without sufficient validation and returns through an attacker-controlled kernel stack
- The attacker's payload runs in kernel mode; Ormandy's proof of concept used this to open a command prompt as NT AUTHORITY\SYSTEM
Discovery
Tavis Ormandy, then at Google, found the bug and, according to his advisory, reported it to Microsoft in June 2009. On January 19, 2010 he published the advisory together with a working proof of concept to the Full Disclosure mailing list, before a fix was available, so from public disclosure to patch the window was about three weeks. Microsoft issued Security Advisory 979682 acknowledging the vulnerability and documenting the workaround (disabling NTVDM) while the fix was prepared, then shipped the fix in MS10-015 on the February 2010 Patch Tuesday.
Exploitation Context
NTVDM privilege escalation vulnerabilities are valuable as post-exploitation primitives:
- Ubiquitous on 32-bit Windows: NTVDM was installed and enabled by default on every 32-bit edition from Windows 2000 through Windows 7, so unless an administrator had deliberately blocked 16-bit applications, any 32-bit host an attacker landed on was exploitable.
- Second-stage LPE: the attacker already has code execution as a standard user and uses CVE-2010-0232 to reach SYSTEM for credential harvesting, persistence, or lateral movement. The public proof of concept did exactly what a post-exploitation toolkit wants: it launched a command prompt running as NT AUTHORITY\SYSTEM.
- Legacy 32-bit systems: a KEV listing means CISA has evidence of exploitation in the wild, here twelve years after the patch. 32-bit Windows XP and Server 2003 remain common in embedded and industrial environments, and on those hosts 16-bit support is still on unless someone turned it off.
- Workaround availability: the workaround from Advisory 979682 (the VDMDisallowed registry value behind the "Prevent access to 16-bit applications" policy) closes the hole without the patch, because the vulnerable path is only reachable from a VDM context and the policy stops one from being created. It was a sound compensating control for hosts that could not be patched immediately, at the cost of every 16-bit application on the machine.
Remediation
- Apply MS10-015: install security update KB977165 for the affected Windows version. One caveat from the original rollout: on machines already infected with the Alureon (TDSS) rootkit, which had patched atapi.sys and hard-coded kernel addresses, the update produced a blue screen at boot, and Microsoft briefly withheld it from Windows Update until it could detect that condition. A boot failure right after installing it on a legacy host is therefore a finding in its own right, not just a patch problem.
- Disable NTVDM (workaround): if the patch cannot be applied immediately, block 16-bit application support via Group Policy (Computer Configuration > Administrative Templates > Windows Components > Application Compatibility > "Prevent access to 16-bit applications") or directly in the registry by setting the REG_DWORD value VDMDisallowed to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat. This blocks every 16-bit program, including old installers, so check what the host depends on before rolling it out.
- Upgrade to 64-bit Windows: 64-bit Windows does not include NTVDM and is not affected by this class of vulnerability.
- Migrate off legacy Windows: every version in the affected list is now past end of support, so no further fixes for this or any other kernel bug will arrive; treat the patch and the workaround as stopgaps on the way to a supported 64-bit Windows.
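An audit-and-remediate script for the steps above, written for this page as an added example and not taken from Microsoft's bulletin or advisory. It assumes MS10-015 is delivered as KB977165 and that the workaround is the VDMDisallowed REG_DWORD documented in Advisory 979682; the function names, parameter name and report fields are this example's own.

```powershell
# Added example, not part of MS10-015 or Advisory 979682: audit a host for
# CVE-2010-0232 exposure and optionally apply the documented workaround.
# Assumptions made here: MS10-015 installs as KB977165, and the workaround is
# the VDMDisallowed REG_DWORD under the AppCompat policy key.
# Run from an elevated PowerShell (2.0 or later) on the host being checked.
param(
    [switch]$ApplyWorkaround   # write VDMDisallowed=1 instead of only reporting
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PatchKb   = 'KB977165'

function Test-Cve20100232Exposure {
    # PROCESSOR_ARCHITEW6432 is only set for a 32-bit process on 64-bit Windows,
    # so this separates a real x86 OS from 32-bit PowerShell running under WOW64.
    $is32BitOs = ($env:PROCESSOR_ARCHITECTURE -eq 'x86') -and (-not $env:PROCESSOR_ARCHITEW6432)

    # Installed-update inventory; only meaningful on a 32-bit OS.
    $patched = $false
    if ($is32BitOs) {
        $patched = [bool](Get-WmiObject -Class Win32_QuickFixEngineering |
                          Where-Object { $_.HotFixID -eq $PatchKb })
    }

    # 1 blocks 16-bit applications; a missing value or 0 leaves NTVDM usable.
    $vdmDisallowed = 0
    $item = Get-ItemProperty -Path $PolicyKey -Name VDMDisallowed -ErrorAction SilentlyContinue
    if ($item) { $vdmDisallowed = [int]$item.VDMDisallowed }

    # NTVDM itself; absent on 64-bit editions.
    $ntvdmPresent = Test-Path (Join-Path $env:SystemRoot 'System32\ntvdm.exe')

    # Exposed only when the subsystem exists, is not blocked, and is unpatched.
    $exposed = $is32BitOs -and $ntvdmPresent -and (-not $patched) -and ($vdmDisallowed -ne 1)

    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        Is32BitOS        = $is32BitOs
        NtvdmPresent     = $ntvdmPresent
        MS10015Installed = $patched
        VDMDisallowed    = $vdmDisallowed
        Exposed          = $exposed
    }
}

function Set-NtvdmBlocked {
    # Same effect as enabling "Prevent access to 16-bit applications" in Group Policy.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name VDMDisallowed -Value 1 -PropertyType DWord -Force | Out-Null
}

$result = Test-Cve20100232Exposure
$result | Format-List

if ($result.Exposed -and $ApplyWorkaround) {
    Set-NtvdmBlocked
    Write-Host "VDMDisallowed set to 1; 16-bit applications are now blocked on $($result.ComputerName)."
}
```

The script only reports unless `-ApplyWorkaround` is passed. It needs PowerShell 2.0, which exists for XP SP3, Server 2003 SP2, Vista and 7; Windows 2000 and XP SP2 have no PowerShell, and there the same check and change are `reg query` and `reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v VDMDisallowed /t REG_DWORD /d 1 /f`. Two caveats: the Win32_QuickFixEngineering entry is evidence the update was installed, not proof the kernel on disk is the fixed one, so if the KB is missing on a host you believe is patched, compare the ntoskrnl.exe file version against the bulletin; and because the policy blocks every 16-bit program, verify nothing on the host depends on NTVDM before applying it fleet-wide.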
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2010-0232 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2010-01-21 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Required Action
Apply updates per vendor instructions (MS10-015, KB977165). Where the update cannot be installed, block 16-bit applications with the VDMDisallowed policy until the host is retired; every affected version is past end of support.
Timeline
| Date | Event |
|---|---|
| 2010-01-19 | Vulnerability publicly disclosed before patch; Microsoft issued Security Advisory 979682 acknowledging the issue |
| 2010-01-21 | CVE-2010-0232 published |
| 2010-02-09 | Microsoft released Security Bulletin MS10-015 (February 2010 Patch Tuesday) patching the NTVDM kernel vulnerability |
| 2022-03-03 | CISA added CVE-2010-0232 to the KEV catalog on evidence of active exploitation of legacy 32-bit Windows systems with 16-bit support enabled |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2010-0232 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS10-015 | Vendor Advisory |