CVE-2015-2360 — Microsoft Win32k Privilege Escalation Vulnerability

Windows Win32k.sys — Kernel-Mode Driver Memory Corruption Enables Privilege Escalation; Patched MS15-061 (June 2015)

What Is Win32k.sys?

Win32k.sys is the Windows kernel-mode driver that implements the Win32 user interface subsystem — responsible for window management, GDI graphics rendering, and the USER component that controls all windowed application display. Because it runs in kernel mode yet exposes a large system call interface to user-space processes, Win32k has historically been one of the most prolific sources of Windows privilege escalation vulnerabilities.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-2360 is a memory corruption vulnerability in Win32k.sys (the Windows kernel-mode driver) that allows local users or network-accessible processes to gain elevated privileges or cause a denial-of-service condition. Like CVE-2015-1701 (patched two months prior), this is a Win32k privilege escalation used in exploit chains — a browser or document RCE delivers code execution in a restricted context, then a Win32k LPE like CVE-2015-2360 escalates to SYSTEM. Patched in MS15-061 (June 9, 2015).

Affected Versions

Windows Status
Windows Vista SP2 Vulnerable
Windows Server 2008 SP2 / R2 SP1 Vulnerable
Windows 7 SP1 Vulnerable
Windows 8 / 8.1 Vulnerable
Windows Server 2012 / 2012 R2 Vulnerable
Windows RT / RT 8.1 Vulnerable

Fixed with MS15-061 (June 2015).

Technical Details

Root Cause: Win32k Memory Corruption

CVE-2015-2360 involves improper bounds checking or memory handling in Win32k.sys's processing of kernel objects — likely in the GDI subsystem, window callback handling, or graphics object lifecycle management. A user-mode process sends crafted input via Win32k system calls that causes kernel memory corruption, enabling privilege escalation.

Win32k privilege escalation vulnerabilities in this era commonly involved:

  • Use-after-free in window object callbacks — freed window objects being dereferenced during message dispatching
  • Buffer overflow in GDI path operations — size calculations that overflow when processing large or crafted graphics operations
  • Type confusion in kernel object handles — handles to one object type being processed as another, bypassing access checks

The end result is kernel code execution — full SYSTEM privilege from a user-level process.

Attack Characteristics

Attribute Detail
Attack Vector Local — requires code execution on the target
Role Privilege escalation (second stage in exploit chains)
Impact SYSTEM privilege escalation
Bulletin MS15-061 (June 2015)

Discovery

Reported to Microsoft and patched in MS15-061 (June 2015 Patch Tuesday), which addressed multiple Win32k privilege escalation vulnerabilities.

Exploitation Context

  • Exploit chain component: Win32k LPE vulnerabilities are used as second-stage privilege escalations after an initial browser or document RCE achieves limited code execution; CVE-2015-2360 gives full SYSTEM access from any user-level foothold
  • APT toolkit reuse: APT groups maintain collections of reliable LPE exploits and switch between them as patches are released; CVE-2015-2360 entered the toolkit rotation following its patch, used against unpatched targets
  • CISA KEV (2022): Added May 2022, reflecting continued exploitation against unpatched Windows systems

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS15-061 (June 2015). Any Windows system current with Windows Update after June 2015 includes this fix.

  2. Maintain current Windows patch levels — Microsoft patches Win32k vulnerabilities monthly; organizations running current updates are protected.

  3. Enable Virtualization Based Security (VBS) on modern Windows — VBS/HVCI raises the bar for kernel exploitation by protecting critical kernel code in a hypervisor-protected environment.

  4. Retire Internet Explorer — reducing the browser attack surface eliminates the most common first-stage RCE that leads to Win32k LPE exploitation.
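The following PowerShell script is an added example, not part of this advisory or of any vendor tooling. It checks a host against remediation items 1 and 3: whether the OS is in the affected range listed above, whether the MS15-061 update is installed, and whether VBS/HVCI is running. The MS15-061 KB number is not given on this page, so it is a placeholder to fill in from the bulletin; the mapping of affected products to NT version prefixes is an assumption of this example.

```powershell
# Added example: audit one Windows host for the MS15-061 remediation items.
# Placeholder: replace with the KB number MS15-061 assigns to this OS
# (look it up in the bulletin); Get-HotFix expects the 'KB<digits>' form.
$Ms15061Kb = 'KB<MS15-061-KB-NUMBER>'

# Assumption: NT version prefixes for the products the advisory lists as
# affected: 6.0 = Vista/2008, 6.1 = 7/2008 R2, 6.2 = 8/2012, 6.3 = 8.1/2012 R2.
$AffectedVersions = @('6.0', '6.1', '6.2', '6.3')

$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$osVersion = ($os.Version -split '\.')[0..1] -join '.'
$inScope   = $AffectedVersions -contains $osVersion

$result = [ordered]@{
    ComputerName     = $env:COMPUTERNAME
    OSCaption        = $os.Caption
    OSVersion        = $os.Version
    InAffectedRange  = $inScope
    Ms15061Installed = $false
    VbsRunning       = $false
    HvciRunning      = $false
}

if ($inScope) {
    # Get-HotFix enumerates installed updates; an exact KB match means
    # the bulletin has been applied on this host.
    $result.Ms15061Installed =
        [bool](Get-HotFix -Id $Ms15061Kb -ErrorAction SilentlyContinue)
}

# Win32_DeviceGuard exists only on Windows 10/Server 2016 and later, so on
# the affected legacy versions this query fails silently and both flags stay
# false. VirtualizationBasedSecurityStatus 2 = VBS running;
# SecurityServicesRunning containing 2 = HVCI running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    $result.VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result.HvciRunning = ($dg.SecurityServicesRunning -contains 2)
}

# A host with InAffectedRange = True and Ms15061Installed = False is the
# case BOD 22-01 requires remediating.
[pscustomobject]$result
```

Run it elevated; for fleet-wide use, wrap the body in Invoke-Command against a list of hosts and collect the returned objects.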

Key Details

Property Value
CVE ID CVE-2015-2360
Vendor / Product Microsoft — Win32k
NVD Published 2015-06-10
NVD Last Modified 2025-10-22
CVSS 3.1 Score 8.8
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity HIGH
CWE CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
CISA KEV Added 2022-05-25
CISA KEV Deadline 2022-06-15
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

Date Event
2015-06-09 Microsoft Security Bulletin MS15-061 released; CVE-2015-2360 patched
2015-06-10 CVE-2015-2360 published by NVD
2022-05-25 Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15 CISA BOD 22-01 remediation deadline