CVE-2021-28310 — Microsoft Win32k Privilege Escalation Vulnerability

Windows Win32k — Out-of-Bounds Write Zero-Day Exploited by BITTER APT for SYSTEM Escalation; April 2021 Patch Tuesday

What is Windows Win32k?

Win32k.sys is the Windows kernel-mode driver that implements the Win32 subsystem — the core of the Windows graphical user interface. It manages windows, menus, dialog boxes, rendering, and user input (keyboard and mouse) for all Windows applications. Win32k runs in kernel mode and processes requests from all GUI applications through system calls. Its complex graphics handling code is a historically rich source of privilege escalation vulnerabilities: out-of-bounds writes, type confusion, and use-after-free bugs in Win32k allow low-privileged processes to corrupt kernel memory and escalate to SYSTEM. Win32k LPE zero-days are among the most commonly deployed kernel escalation tools in advanced persistent threat (APT) campaigns against Windows.

Overview

CVE-2021-28310 is an out-of-bounds write vulnerability (CWE-787) in the Windows Win32k kernel driver. A low-privileged local user can trigger the OOB write to corrupt kernel memory and escalate to SYSTEM privileges. Microsoft patched this in April 2021 Patch Tuesday as a zero-day actively exploited in the wild. Kaspersky Research discovered the vulnerability and identified it as being exploited by the BITTER APT threat actor — a South Asian threat group — in targeted attacks. CISA added it to the KEV catalog in November 2021.

Affected Versions

Product                           Vulnerable   Fixed
Windows 10 (all versions)         Yes          April 2021 Patch Tuesday
Windows Server 2016/2019          Yes          April 2021 Patch Tuesday
Windows 7 SP1 / Server 2008 R2    Yes          April 2021 Patch Tuesday
Windows 8.1 / Server 2012 R2      Yes          April 2021 Patch Tuesday

Technical Details

  • Root cause: Out-of-bounds write (CWE-787) in Win32k's DirectComposition or graphics handling code — a Win32k kernel function writes beyond the bounds of an allocated kernel buffer when processing crafted graphics or window management operations; the OOB write corrupts adjacent kernel memory structures
  • SYSTEM escalation: Exploiting the kernel heap/pool corruption from the OOB write allows the attacker to overwrite security-critical kernel structures and execute code with SYSTEM privileges — bypassing all user-mode security boundaries
  • Kaspersky discovery: Kaspersky Exploit Prevention technology detected the exploit in the wild and reported it to Microsoft before the April 2021 patch; Kaspersky attributed the exploitation to the BITTER APT (also known as T-APT-17), a threat actor with a South Asian nexus that targets government and defense organizations
  • APT exploit chain use: BITTER APT used CVE-2021-28310 as a kernel privilege escalation component following initial access via phishing or other delivery mechanisms, converting a limited foothold into full SYSTEM access for espionage operations
  • Win32k pattern: Multiple Win32k LPE zero-days were discovered and exploited in 2021 (including CVE-2021-40449 MysterySnail used by IronHusky) — reflecting ongoing investment by APT actors in Win32k kernel vulnerabilities

Discovery

Discovered by Kaspersky Research through their Exploit Prevention system — a behavioral detection capability that identifies zero-day exploit usage in the wild based on exploit behavior patterns rather than signatures. Microsoft's acknowledgement of Kaspersky in the April 2021 Patch Tuesday release confirms that the vulnerability was responsibly disclosed prior to the patch.

Exploitation Context

CVE-2021-28310 is part of a pattern of Win32k LPE zero-days discovered being used by APT actors in 2021. State-sponsored threat groups maintain inventories of Windows kernel privilege escalation exploits for use in targeted campaigns, replacing discovered exploits with new ones as patches are released. The BITTER APT's use of this zero-day reflects the group's access to high-quality exploit capabilities — either through internal development or via commercial exploit vendors. The November 2021 CISA KEV addition confirms ongoing exploitation of systems that had not applied the April 2021 patch.

Remediation

  1. Apply April 2021 Patch Tuesday updates — patches CVE-2021-28310 in Win32k across all affected Windows versions
  2. Verify patch installation: run `systeminfo | findstr KB` (or `Get-HotFix` in PowerShell) and confirm the April 2021 KB, or a later cumulative update that supersedes it, is present on all managed systems
  3. Implement principle of least privilege to limit the impact of post-exploitation escalation: domain accounts should not have local admin rights on workstations by default
  4. Deploy EDR with kernel exploit detection capabilities — Win32k OOB write exploits produce characteristic system call patterns detectable by behavioral EDR
  5. Enable Windows Defender Exploit Guard — SmartScreen and ASR rules can block initial delivery mechanisms (phishing documents) that precede Win32k exploitation
  6. Ensure subsequent Patch Tuesday updates are also applied — Win32k is actively exploited and multiple CVEs were patched throughout 2021
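The following PowerShell function is an added example for remediation step 2; it is not part of the advisory and not Microsoft's tooling. It reports whether a required KB from the April 2021 release is installed, whether any later security update is present (a later cumulative update supersedes the April fix), and the file version of win32k.sys for cross-checking against the vendor release notes. The KB identifier is a placeholder: substitute the April 2021 KB that applies to the host's Windows version and build.

```powershell
# Added example, not from the advisory. Checks a host for the April 2021 Win32k fix.
# KB_PLACEHOLDER_APRIL_2021 is a placeholder; replace it with the KB for this build.
function Test-Win32kPatchState {
    param(
        # Placeholder list of April 2021 KB IDs applicable to this Windows build
        [string[]]$RequiredKB = @('KB_PLACEHOLDER_APRIL_2021'),
        # Patch Tuesday release date of CVE-2021-28310 (from the advisory)
        [datetime]$PatchReleaseDate = '2021-04-13'
    )

    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $hotfix  = Get-HotFix
    $win32k  = Get-Item -Path "$env:SystemRoot\System32\win32k.sys"

    # Exact match on the required KB(s)
    $required = $hotfix | Where-Object { $_.HotFixID -in $RequiredKB }

    # Heuristic: any Security Update installed on or after the release date
    # is a cumulative update that already contains the April 2021 fix.
    # InstalledOn can be empty on some hosts, so null dates are ignored.
    $later = $hotfix | Where-Object {
        $_.Description -eq 'Security Update' -and
        $_.InstalledOn -and $_.InstalledOn -ge $PatchReleaseDate
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OSVersion            = $os.Version
        Win32kFileVersion    = $win32k.VersionInfo.FileVersion
        RequiredKBInstalled  = [bool]$required
        LaterSecurityUpdates = ($later.HotFixID | Sort-Object -Unique) -join ','
        LikelyPatched        = [bool]$required -or [bool]$later
    }
}

# Usage: run as a local administrator; pipe to Export-Csv for fleet-wide collection.
Test-Win32kPatchState | Format-List
```

The "LikelyPatched" field is a triage signal, not proof: Get-HotFix reads the same servicing metadata as systeminfo and can miss updates applied via some imaging workflows, so confirm by comparing the reported win32k.sys file version with the version listed in Microsoft's April 2021 release notes for that build.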

Key Details

Property              Value
CVE ID                CVE-2021-28310
Vendor / Product      Microsoft — Win32k
NVD Published         2021-04-13
NVD Last Modified     2025-10-30
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-787
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:        Local
Attack Complexity:    Low
Privileges Required:  Low
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date        Event
2021-04-13  Microsoft patches CVE-2021-28310 in April 2021 Patch Tuesday — Kaspersky credited with discovery; zero-day exploited in the wild by BITTER APT
2021-04-13  Kaspersky publishes technical analysis identifying CVE-2021-28310 as exploited by a cluster using multiple Windows LPE zero-days
2021-04-13  CVE published
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17  CISA BOD 22-01 remediation deadline