CVE-2021-31955 — Microsoft Windows Kernel Information Disclosure Vulnerability

CVE-2021-31955

Windows Kernel — Kernel Memory Address Disclosure Enables KASLR Defeat in PuzzleMaker Exploit Chain; Zero-Day Discovered by Kaspersky, Patched June 2021

What is Windows Kernel KASLR?

Windows Kernel Address Space Layout Randomization (KASLR) randomizes the base addresses of the kernel image and kernel data structures in memory at boot. This forces attackers who want to exploit memory corruption vulnerabilities (such as buffer overflows or use-after-free in the kernel) to first discover where kernel objects reside in memory — since an exploit that writes to a hardcoded address will fail or crash the system when KASLR shifts the layout. Kernel information disclosure vulnerabilities that leak precise kernel object addresses are a prerequisite for reliable exploitation of kernel memory corruption: without knowing where to write, a kernel heap overflow becomes a crash rather than a controlled privilege escalation. CVE-2021-31955 is specifically this type of information leak — it reads kernel memory contents (including pointers to kernel objects) from a low-privilege user-mode process.

Overview

CVE-2021-31955 is a Windows Kernel information disclosure zero-day that allows a low-privilege process to read kernel memory contents, specifically leaking kernel object addresses used to defeat KASLR. It was discovered by Kaspersky as part of the PuzzleMaker exploit chain — a sophisticated attack framework that combined a Chrome V8 zero-day (CVE-2021-21224) for initial code execution with two Windows kernel zero-days (CVE-2021-31955 for KASLR defeat and CVE-2021-31956 for NTFS heap overflow privilege escalation) to achieve a complete browser-to-SYSTEM compromise. All three were patched in Microsoft's June 2021 Patch Tuesday. CISA added CVE-2021-31955 to KEV in November 2021.

Affected Versions

Product                            | Vulnerable | Fixed
Windows 10 and later               | Yes        | June 2021 Patch Tuesday
Windows Server 2019 and later      | Yes        | June 2021 Patch Tuesday
Windows 7/8.1 and Server 2008–2016 | Yes        | June 2021 Patch Tuesday

Technical Details

  • Root cause: Windows Kernel information disclosure — a kernel system call or API path (not fully documented publicly) allows a low-privilege user-mode process to read kernel object addresses or kernel memory contents, defeating KASLR; the CVSS C:H reflects that kernel memory contents include security-sensitive addresses enabling follow-on attacks
  • KASLR defeat role: The primary value of CVE-2021-31955 is not the information disclosure itself but what it enables — by leaking precise kernel object addresses, a low-privilege attacker can calculate the kernel's load offset and reliably target kernel heap objects for a subsequent memory corruption exploit (CVE-2021-31956 in the PuzzleMaker chain)
  • PuzzleMaker chain: Kaspersky documented the full chain: (1) Chrome V8 type confusion CVE-2021-21224 for renderer code execution, (2) Chrome sandbox escape (using the V8 exploit to escape the renderer sandbox), (3) CVE-2021-31955 kernel info leak to defeat KASLR, (4) CVE-2021-31956 NTFS heap buffer overflow for SYSTEM privilege
  • AV:L/AC:L/PR:L: Exploitable locally by any low-privilege process with no special conditions — in the PuzzleMaker chain, this step executes in the context of the Chrome renderer after the V8 exploit provides code execution within the browser sandbox, or as a standalone local escalation step
  • No kernel modification: The disclosure itself does not alter kernel state (I:N, A:N), making it a "clean" reconnaissance step that does not crash the system or leave obvious artifacts compared to a direct exploit attempt

Discovery

Discovered by Kaspersky's Secure Technologies research team during investigation of a targeted attack campaign they named PuzzleMaker. The simultaneous discovery of CVE-2021-31955 and CVE-2021-31956 (two complementary Windows kernel zero-days used together) alongside Chrome CVE-2021-21224 indicates Kaspersky observed a complete, deployed exploit chain in active attacks. Microsoft confirmed in-the-wild exploitation in the June 2021 advisory.

Exploitation Context

CVE-2021-31955 is a supporting vulnerability — its value lies in enabling other attacks. Alone, it gives an attacker kernel memory addresses; combined with CVE-2021-31956, it provides a reliable SYSTEM escalation path from any code execution context. In the PuzzleMaker campaign documented by Kaspersky, the exploit chain enabled persistent access to targeted Windows systems — consistent with targeted espionage operations. The June 2021 Patch Tuesday addressed multiple Windows kernel zero-days simultaneously (including CVE-2021-31199/31201 in the cryptographic provider), which reflects an active threat actor ecosystem that had accumulated several Windows LPE capabilities and was using them in concurrent campaigns.

Remediation

  1. Apply June 2021 Patch Tuesday cumulative updates — they patch CVE-2021-31955 (info disclosure) and CVE-2021-31956 (NTFS heap overflow privilege escalation) together, breaking the PuzzleMaker chain
  2. Keep Windows fully updated via Windows Update or WSUS
  3. Deploy Chrome/Edge/Chromium browser updates (Chrome 90+ patches CVE-2021-21224 which is the initial entry point for the browser-based PuzzleMaker variant)
  4. Enable Windows Defender Exploit Guard and Attack Surface Reduction rules to limit the impact of browser-based exploit chains
  5. Use HVCI (Hypervisor-Protected Code Integrity) which provides additional kernel memory integrity guarantees against kernel-level privilege escalation exploits
  6. Monitor for unexpected SYSTEM-level process creation originating from browser child processes, which would indicate a browser-to-kernel escalation chain
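The monitoring step above can be expressed as a parent-chain check over Sysmon Event ID 1 (process creation) records: any process running as SYSTEM whose ancestry includes a browser process is worth alerting on. The following is an added example, not code from Kaspersky or Microsoft; the event records are constructed and reduced to the real Sysmon field names (ProcessGuid, ParentProcessGuid, Image, User) that the check needs.

```python
import json

# Browser images that should never be ancestors of a SYSTEM process.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe"}
SYSTEM_USER = "nt authority\\system"

# Constructed sample telemetry (JSON lines), not real events. "C" models a
# Chrome renderer child; "D" models the post-escalation SYSTEM process.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"ProcessGuid": "A", "ParentProcessGuid": None, "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"},
    {"ProcessGuid": "B", "ParentProcessGuid": "A", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "User": "CORP\\alice"},
    {"ProcessGuid": "C", "ParentProcessGuid": "B", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "User": "CORP\\alice"},
    {"ProcessGuid": "D", "ParentProcessGuid": "C", "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"ProcessGuid": "E", "ParentProcessGuid": None, "Image": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"ProcessGuid": "F", "ParentProcessGuid": "E", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
])


def load_events(jsonl):
    """Parse one JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_browser_to_system(events):
    """Return SYSTEM processes that descend from a browser process.

    Each finding carries the offending ProcessGuid and the ancestry chain
    from the SYSTEM process up to the first browser ancestor.
    """
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if e["User"].lower() != SYSTEM_USER:
            continue
        chain = [image_name(e["Image"])]
        seen = set()
        parent = e.get("ParentProcessGuid")
        while parent in by_guid and parent not in seen:  # guard against cycles
            seen.add(parent)
            p = by_guid[parent]
            chain.append(image_name(p["Image"]))
            if chain[-1] in BROWSER_IMAGES:
                findings.append({"guid": e["ProcessGuid"], "chain": " <- ".join(chain)})
                break
            parent = p.get("ParentProcessGuid")
    return findings


if __name__ == "__main__":
    for f in find_browser_to_system(load_events(SAMPLE_JSONL)):
        print("ALERT browser-to-SYSTEM:", f["guid"], f["chain"])
```

This only sees the chain once the escalated payload spawns a new process; an exploit that stays in the kernel or injects into an existing process leaves no Event ID 1 trail, so pair it with the patching and HVCI steps above rather than relying on it alone.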

Key Details

Property              | Value
CVE ID                | CVE-2021-31955
Vendor / Product      | Microsoft — Windows
NVD Published         | 2021-06-08
NVD Last Modified     | 2025-10-30
CVSS 3.1 Score        | 5.5
CVSS 3.1 Vector       | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity              | MEDIUM
CISA KEV Added        | 2021-11-03
CISA KEV Deadline     | 2021-11-17
Known Ransomware Use  | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date       | Event
2021-06-08 | Microsoft patches CVE-2021-31955 in June 2021 Patch Tuesday — confirmed zero-day exploited by PuzzleMaker APT campaign
2021-06-08 | CVE published; Kaspersky publishes PuzzleMaker exploit chain analysis
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 | CISA BOD 22-01 remediation deadline