What Is Win32k.sys?
Win32k.sys is the Windows kernel-mode driver that implements the Win32 user interface subsystem — including GDI (Graphics Device Interface) graphics rendering, window management, and the USER component handling desktop windows and user input. Running in kernel mode (ring 0) with unrestricted system access, Win32k exposes thousands of system call entry points accessible from user-space applications. Historically, Win32k has been the most prolific source of Windows privilege escalation vulnerabilities, providing a massive kernel-mode attack surface reachable from any user-space process.
Overview
CVE-2016-0165 is a privilege escalation vulnerability in the Windows Win32k kernel-mode graphics driver that allows a local attacker to gain SYSTEM-level privileges via a specially crafted application. It was fixed in MS16-039 (April 12, 2016), which also addressed CVE-2016-0167, CVE-2016-0145, and other Win32k LPE issues in the same update. CISA added CVE-2016-0165 to the KEV catalog in June 2023 — over seven years after the patch — confirming sustained exploitation against legacy Windows deployments.
Affected Versions
| Windows | Status |
|---|---|
| Windows Vista SP2 | Vulnerable |
| Windows Server 2008 SP2 / R2 SP1 | Vulnerable |
| Windows 7 SP1 | Vulnerable |
| Windows 8.1 | Vulnerable |
| Windows Server 2012 / 2012 R2 | Vulnerable |
| Windows RT 8.1 | Vulnerable |
| Windows 10 | Vulnerable (pre-patch) |
Fixed in MS16-039 (April 2016 Patch Tuesday).
Technical Details
Root Cause: Win32k Kernel Driver Privilege Escalation
CVE-2016-0165 involves an unspecified privilege escalation flaw in Win32k's graphics processing code. Win32k LPE vulnerabilities typically fall into these categories:
- Pool overflow — writing beyond a kernel pool allocation, corrupting adjacent kernel objects
- Use-after-free — using a freed kernel object through a stale pointer, enabling controlled kernel memory write
- Null pointer dereference with mapping — exploiting a null dereference by mapping the null page with controlled data
- Race condition — a time-of-check to time-of-use (TOCTOU) race in object reference counting
Regardless of the specific technical class, Win32k LPE exploitation follows a consistent pattern:
- Trigger the vulnerability via Win32 API calls from user-space
- Corrupt a kernel pool object to gain a write primitive
- Overwrite an EPROCESS token — the security token of the attacking process's kernel structure
- Achieve SYSTEM — the process token is replaced with the SYSTEM token, granting full system access
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Local — Win32 API calls from user-space process |
| Privileges Required | None (standard user context) |
| User Interaction | Required (run crafted application) |
| Impact | SYSTEM-level privilege escalation |
| Target | Win32k.sys kernel-mode graphics driver |
Discovery
Reported to Microsoft and patched in MS16-039 (April 2016 Patch Tuesday). CVE-2016-0165 was patched in the same bulletin as CVE-2016-0167 — both Win32k LPEs that were confirmed as actively exploited.
Exploitation Context
- Win32k LPE class: CVE-2016-0165 is part of a long series of Win32k privilege escalation vulnerabilities patched throughout 2014–2019; attackers maintained a portfolio of Win32k LPEs and used them interchangeably depending on target patch level, rotating to newer CVEs as older ones were patched
- Long exploitation tail: CISA's June 2023 KEV addition — 7+ years after the patch — reflects that unpatched Windows installations (including Windows 7 systems running past their January 2020 EOL date) remain exploitation targets; attackers specifically seek Win32k LPEs for these legacy systems
- Paired with CVE-2016-0167: CVE-2016-0165 and CVE-2016-0167 were patched in the same MS16-039 bulletin, suggesting both were discovered or reported in close proximity, possibly as alternative exploitation paths for Win32k vulnerabilities
- CISA KEV (2023): Added June 2023
Remediation
- Apply MS16-039 (April 2016). Any Windows system current with Windows Update after April 2016 includes this fix.
- Upgrade end-of-life Windows — Windows 7 and Server 2008 are past EOL and cannot receive further security updates. Upgrade to Windows 10/11 or Server 2019/2022.
- Enable Virtualization Based Security (VBS) / HVCI — Hypervisor-Protected Code Integrity isolates kernel code integrity verification, significantly raising the bar for Win32k exploitation on Windows 10 and later.
- Win32k lockdown — Windows 10 Anniversary Update and later include Win32k API lockdown for processes that opt in, reducing the Win32k attack surface for high-value processes like browsers.
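The following read-only posture check is an added example, not part of the original advisory or of any Microsoft tooling. It verifies the remediation items above on a Windows 10 or later host: whether the MS16-039 update is present (the KB number differs per OS edition and is not stated on this page, so it is passed in as a parameter), whether VBS/HVCI is running, and whether a given process image has opted in to Win32k system call lockdown. It assumes the `ProcessMitigations` module (`Get-ProcessMitigation`) and the `Win32_DeviceGuard` CIM class are available; on Windows 7 / Server 2008 neither exists and the script reports that instead of failing.

```powershell
# Added example (not from the original advisory): defender-side posture check
# for CVE-2016-0165 remediation. Run from an elevated PowerShell prompt.

function Test-HotfixInstalled {
    # Returns $true if the given KB is listed by Get-HotFix.
    # MS16-039 ships as different KB numbers per OS; take the right one from the
    # bulletin. The default below is an obvious placeholder, not a real KB id.
    param([string]$KbId = 'KB<MS16-039-KB-for-this-OS>')
    $fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return [bool]$fix
}

function Get-VbsHvciStatus {
    # Win32_DeviceGuard reports whether VBS is running and which services are
    # active. SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    } catch {
        # Class absent on pre-Windows 10 systems: VBS/HVCI cannot be enabled there.
        return [pscustomobject]@{ VbsStatus = 'Unavailable on this OS'; HvciRunning = $false }
    }
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }
    return [pscustomobject]@{
        VbsStatus   = $vbs
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Test-Win32kLockdown {
    # Checks the per-image mitigation policy for the opt-in Win32k lockdown
    # (SystemCall.DisableWin32kSystemCalls). Values are ON / OFF / NOTSET.
    param([Parameter(Mandatory)][string]$ImageName)
    if (-not (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue)) {
        return $false   # ProcessMitigations module not present (older Windows)
    }
    $m = Get-ProcessMitigation -Name $ImageName -ErrorAction SilentlyContinue
    if (-not $m) { return $false }
    return ("$($m.SystemCall.DisableWin32kSystemCalls)" -eq 'ON')
}

function Get-Cve20160165Posture {
    # Aggregates the checks into one report object. $ImageNames is an assumed
    # list of high-value images the operator cares about (browsers, etc.).
    param(
        [string]$KbId = 'KB<MS16-039-KB-for-this-OS>',
        [string[]]$ImageNames = @('msedge.exe', 'chrome.exe')
    )
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $vbs = Get-VbsHvciStatus
    [pscustomobject]@{
        OSCaption         = $os.Caption
        OSBuild           = $os.BuildNumber
        # Windows 10 starts at build 10240; anything below is out of mainstream
        # support and should be upgraded per the remediation list.
        LegacyOS          = ([int]$os.BuildNumber -lt 10240)
        Ms16039Installed  = Test-HotfixInstalled -KbId $KbId
        VbsStatus         = $vbs.VbsStatus
        HvciRunning       = $vbs.HvciRunning
        Win32kLockdown    = ($ImageNames | ForEach-Object {
                                [pscustomobject]@{ Image = $_; LockedDown = (Test-Win32kLockdown -ImageName $_) }
                            })
    }
}

# Usage: substitute the real KB for this OS from the MS16-039 bulletin.
Get-Cve20160165Posture | Format-List
```

`LegacyOS = $true` or `Ms16039Installed = $false` means the host is still exposed and should be patched or retired; `HvciRunning = $true` and `LockedDown = $true` for the relevant images indicate the two hardening controls the advisory recommends are actually in effect rather than merely configured.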
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2016-0165 |
| Vendor / Product | Microsoft — Win32k |
| NVD Published | 2016-04-12 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-264 — Permissions, Privileges, and Access Controls |
| CISA KEV Added | 2023-06-22 |
| CISA KEV Deadline | 2023-07-13 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2016-04-12 | Microsoft Security Bulletin MS16-039 released; CVE-2016-0165 patched (April 2016 Patch Tuesday) |
| 2016-04-12 | CVE-2016-0165 published by NVD |
| 2023-06-22 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-07-13 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2016-0165 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS16-039 — Security Update for Microsoft Graphics Component | Vendor Advisory |