CVE-2016-7255 — Microsoft Win32k Privilege Escalation Vulnerability

Microsoft Win32k — Kernel UAF in Win32k.sys Enables Local Privilege Escalation; APT28 Zero-Day in Active Exploitation Before Patch; Patched MS16-135 (November 2016)

What Is Win32k?

Win32k.sys is the Windows kernel-mode driver that implements the Win32 subsystem's core graphics and window management functionality. It handles the Windows GUI — window creation, message processing, GDI drawing, font handling, and the kernel-mode side of the USER32 and GDI32 APIs. Because Win32k runs in the Windows kernel, any code execution or memory corruption vulnerability in Win32k gives an attacker immediate kernel-level privilege. Win32k has been one of the most frequently exploited components in Windows privilege escalation history: its large, complex attack surface is accessible from unprivileged user processes through standard Windows API calls, making it ideal for privilege escalation from a sandboxed or limited process.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-7255 is a use-after-free vulnerability in the Windows kernel-mode driver Win32k.sys that allows an attacker to escalate privileges to SYSTEM. Google Project Zero discovered this vulnerability being actively exploited as a zero-day by APT28 (Fancy Bear) — the Russian state-sponsored threat actor — in targeted attacks in October 2016. APT28 chained CVE-2016-7255 with a Chrome browser vulnerability to escape the Chrome sandbox and achieve full OS-level code execution. Google disclosed the zero-day publicly after just 7 days (its accelerated policy for actively exploited vulnerabilities), prompting criticism from Microsoft but also accelerating patch development. Microsoft patched it in MS16-135 (November 8, 2016). CISA added CVE-2016-7255 to the KEV catalog in November 2021.

Affected Versions

Windows Version                        Status
Windows Vista SP2                      Vulnerable
Windows Server 2008 SP2 / R2 SP1       Vulnerable
Windows 7 SP1                          Vulnerable
Windows 8.1                            Vulnerable
Windows Server 2012 / 2012 R2          Vulnerable
Windows RT 8.1                         Vulnerable
Windows 10 (versions 1507–1607)        Vulnerable
Windows Server 2016                    Vulnerable
All above with MS16-135 applied        Fixed

Technical Details

Root Cause: Win32k Use-After-Free

CVE-2016-7255 is a use-after-free (CWE-416) in Win32k.sys. The Win32k kernel driver manages GUI objects — windows, menus, cursors, bitmaps — in kernel memory. When these objects are destroyed, Win32k frees the associated kernel memory. A use-after-free occurs when Win32k retains a pointer to kernel memory after freeing it; subsequent access to this freed memory through the stale pointer can be exploited to read kernel data or corrupt kernel state.

Exploitation via Win32k:

  • Win32k functionality is reachable from any user-mode process through standard Windows API calls (CreateWindow, SetWindowPos, SendMessage, etc.)
  • A sandboxed process (e.g., Chrome's renderer) could still issue Win32k system calls at the time: the sandbox permitted a limited set of kernel calls, and Win32k remained in scope
  • The use-after-free is triggered by specific sequences of Win32k API calls that cause the kernel driver to access freed memory, and those calls are available to a sandboxed process
  • A kernel UAF at a controlled location gives a path to overwriting kernel structures (e.g., the process token) and escalating privilege to SYSTEM

APT28 Zero-Day Exploitation Chain

Google Project Zero identified CVE-2016-7255 being used in a two-stage attack chain by APT28:

  1. Stage 1 — Chrome browser vulnerability (separate CVE): exploiting a Chrome rendering vulnerability to achieve code execution inside the Chrome renderer sandbox
  2. Stage 2 — CVE-2016-7255 Win32k UAF: escaping the Chrome sandbox by exploiting the kernel-mode Win32k driver from inside the sandbox, escalating to SYSTEM

This two-stage chain is the canonical pattern for sophisticated Windows exploitation: a browser vulnerability for initial code execution, then a kernel LPE for sandbox escape and full system control.

Google's 7-Day Disclosure Policy

Google Project Zero applied its accelerated 7-day disclosure window (rather than the standard 90 days) because CVE-2016-7255 was confirmed to be under active exploitation:

  • Google notified Microsoft on October 21, 2016
  • Google published technical details on October 28, 2016 (7 days later)
  • Microsoft patched on November 8, 2016 — 11 days after Google's public disclosure
  • Microsoft publicly criticized Google's disclosure timeline; Google defended the accelerated policy as necessary to protect users in cases of active exploitation

Attack Characteristics

Attribute              Detail
Attack Vector          Local — requires code execution in an unprivileged context (e.g., a sandboxed process)
Privilege Escalation   Unprivileged user / sandbox → SYSTEM
Trigger                Win32k kernel API calls
Threat Actor           APT28 (Fancy Bear, Russia)
Chained With           Chrome renderer sandbox vulnerability

Discovery

Discovered by Google Project Zero through active threat hunting and analysis of attacks attributed to APT28 (Russian state-sponsored). Publicly disclosed October 28, 2016 under Google's accelerated 7-day disclosure policy for actively exploited vulnerabilities.

Exploitation Context

  • APT28 nation-state zero-day: CVE-2016-7255 is notable as a confirmed Russian state-sponsored zero-day used against targets in the 2016 timeframe; APT28's use of a working Chrome + Win32k exploit chain demonstrated sophisticated operational capability in kernel exploitation
  • Sandbox escape prerequisite: The primary value of CVE-2016-7255 in attack chains is as a sandbox escape — modern browsers such as Chrome, Edge, and Firefox run renderer processes in sandboxes that restrict access to the rest of the OS; a Win32k LPE breaks out of that sandbox, turning a browser RCE into full OS compromise
  • Win32k persistent attack surface: Win32k has been subject to dozens of high-severity LPE vulnerabilities over the years; its kernel-mode access and large API surface make it a recurring exploitation target; Microsoft has progressively reduced Win32k's accessibility from sandboxed processes as a mitigation
  • CISA KEV (2021): Added November 2021, among the first batch of CISA KEV entries, reflecting high confidence in active exploitation

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS16-135 — install the November 2016 Windows security update via Windows Update, WSUS, or MECM. All subsequent Windows cumulative updates include this fix.

  2. Keep Windows fully patched — apply all current Windows security updates; newer cumulative updates include all prior Win32k patches.

  3. Enable Windows Defender Exploit Guard Win32k syscall filtering — Windows 10 Anniversary Update introduced Win32k system call filtering for Edge and other browsers; this reduces the Win32k attack surface accessible from sandboxed processes.

  4. Keep Chrome, Edge, and Firefox up to date — both the Chrome sandbox vulnerability (chained with CVE-2016-7255 by APT28) and the Win32k LPE are patched; current browser versions prevent the initial code execution stage.

Key Details

Property               Value
CVE ID                 CVE-2016-7255
Vendor / Product       Microsoft — Win32k
NVD Published          2016-11-10
NVD Last Modified      2025-10-22
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-416 — Use After Free
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2016-10-21   Google Project Zero reports CVE-2016-7255 to Microsoft as an actively exploited zero-day, noting it was being chained with a separately reported Chrome vulnerability by APT28
2016-10-28   Google publishes details of the actively exploited zero-day under its 7-day disclosure policy (vulnerability was being used in the wild)
2016-11-08   Microsoft releases MS16-135 patching CVE-2016-7255 in Win32k.sys
2016-11-10   CVE-2016-7255 published by NVD
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03   CISA BOD 22-01 remediation deadline