What Is Windows CSRSS?
The Client-Server Run-time Subsystem (CSRSS) is one of the most fundamental Windows components — a critical system process (csrss.exe) that implements core Win32 user-mode APIs, console window management, and process/thread management. CSRSS runs as a protected SYSTEM process and is responsible for managing process and thread objects at the subsystem level, including handling process tokens that determine each process's security context and privileges.
Because CSRSS manages process security tokens and runs as SYSTEM, vulnerabilities in its token management code can allow unprivileged processes to manipulate their own security context — escalating from a limited user account to administrator or SYSTEM privileges.
Overview
CVE-2016-0151 is a Windows CSRSS security feature bypass vulnerability where CSRSS mismanages process tokens, allowing local users to gain elevated privileges via a crafted application. When a process makes specific API calls that trigger CSRSS's token management code, the subsystem fails to properly validate or restrict the operation, enabling an attacker to manipulate their process token — ultimately gaining elevated access. The vulnerability is classified as a security feature bypass because it circumvents the Windows process security boundary enforced by token integrity levels. Ransomware operators confirmed use. Patched in MS16-048 (April 12, 2016).
Affected Versions
| Windows | Status |
|---|---|
| Windows Vista SP2 | Vulnerable |
| Windows Server 2008 SP2 / R2 SP1 | Vulnerable |
| Windows 7 SP1 | Vulnerable |
| Windows 8.1 | Vulnerable |
| Windows Server 2012 / 2012 R2 | Vulnerable |
| Windows RT 8.1 | Vulnerable |
| Windows 10 | Vulnerable (pre-patch) |
Fixed in MS16-048 (April 2016 Patch Tuesday).
Technical Details
Root Cause: Process Token Mismanagement in CSRSS
CVE-2016-0151 involves improper access controls (CWE-264) in Windows CSRSS's handling of process tokens. Process tokens in Windows contain the security identity of a process — which user account it runs as, which groups it belongs to, and what privileges it holds. When CSRSS processes a specific request involving process token management, it fails to enforce proper restrictions, allowing a process running in a limited user context to obtain or modify a token with elevated privileges.
The security feature bypass classification indicates this vulnerability specifically circumvents a Windows security boundary — the process token integrity level system that is designed to prevent lower-integrity processes from manipulating higher-integrity processes.
Ransomware Use Pattern
The confirmed ransomware use follows the standard multi-stage attack chain:
- Initial compromise — phishing, exploit kit, or document macro delivers a ransomware dropper at user privilege
- CSRSS token bypass — CVE-2016-0151 elevates the dropper process to a higher-integrity context
- SYSTEM-level operations — with elevated privileges: terminate security processes, delete backup copies, encrypt all accessible files including system directories
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Local — crafted application |
| User Interaction | Required (run crafted application) |
| Impact | Process token manipulation → privilege escalation |
| Ransomware | Confirmed use |
| Target Component | CSRSS (Client-Server Run-time Subsystem) |
Discovery
Reported to Microsoft and patched in MS16-048 (April 2016 Patch Tuesday).
Exploitation Context
- Ransomware privilege escalation: CVE-2016-0151 was used by ransomware operators in 2016 as a local privilege escalation component; together with CVE-2016-0099 (Secondary Logon) and CVE-2016-0167 (Win32k), these LPE vulnerabilities formed a pool of reliable escalation options used interchangeably in ransomware toolkits based on Windows version and patch level
- CSRSS as attack target: CSRSS has historically been a productive privilege escalation attack surface due to its SYSTEM-level process that processes requests from all user-space applications; multiple CSRSS LPE CVEs have appeared in CISA's KEV catalog
- CISA KEV (2022): Added March 2022
Remediation
-
Apply MS16-048 (April 2016). Any Windows system current with Windows Update after April 2016 includes this fix.
-
Upgrade end-of-life Windows — Windows 7, Server 2008, and earlier are past end-of-life. Upgrade to supported Windows versions that receive ongoing security updates.
-
Enable User Account Control (UAC) — UAC mitigates the impact of LPE vulnerabilities by requiring explicit elevation approval; ensure UAC is enabled and not bypassed by policy.
-
Least privilege operations — run day-to-day processes with standard user accounts rather than administrative accounts to limit pre-LPE access and reduce the value of successful exploitation.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2016-0151 |
| Vendor / Product | Microsoft — Client-Server Run-time Subsystem (CSRSS) |
| NVD Published | 2016-04-12 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-264 — Permissions, Privileges, and Access Controls find similar ↗ |
| CISA KEV Added | 2022-03-28 |
| CISA KEV Deadline | 2022-04-18 |
| Known Ransomware Use | ⚠️ Yes |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2016-04-12 | Microsoft Security Bulletin MS16-048 released; CVE-2016-0151 patched (April 2016 Patch Tuesday) |
| 2016-04-12 | CVE-2016-0151 published by NVD |
| 2022-03-28 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-18 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2016-0151 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS16-048 — Security Update for CSRSS | Vendor Advisory |