CVE-2021-31956 — Microsoft Windows NTFS Privilege Escalation Vulnerability

CVE-2021-31956

Windows NTFS — Integer Underflow in Kernel NTFS Driver Enables Local Code Execution with SYSTEM Privileges; Used in PuzzleMaker Waterhole Campaign

What is Windows NTFS?

NTFS (New Technology File System) is the primary file system for Windows, handling all file storage, metadata, permissions, and journaling for Windows system and data drives. The Windows kernel includes the NTFS driver (ntfs.sys), a kernel-mode component running at the highest privilege level that processes file system operations. An integer underflow in the NTFS kernel driver can corrupt kernel memory during file system operations, giving an attacker a kernel-level memory corruption primitive that can be used to escalate from a low-privileged user process to full SYSTEM privileges.

Overview

CVE-2021-31956 is an integer underflow (integer wraparound) vulnerability (CWE-191) in the Windows NTFS kernel driver that allows a low-privileged user to escalate to SYSTEM privileges. Microsoft patched this in June 2021 Patch Tuesday as a zero-day. Kaspersky Research subsequently identified that CVE-2021-31956 was used as the kernel privilege escalation component in the PuzzleMaker waterhole attack campaign — paired with a Chrome V8 zero-day (CVE-2021-21224) for a full browser-to-kernel exploit chain against targeted organizations. CISA added CVE-2021-31956 to the KEV catalog in November 2021.

Affected Versions

Product                      Vulnerable   Fixed
Windows 10 (all versions)    Yes          June 2021 Patch Tuesday
Windows Server 2016          Yes          June 2021 Patch Tuesday
Windows Server 2019          Yes          June 2021 Patch Tuesday
Windows 7 / Server 2008 R2   Yes          June 2021 Patch Tuesday

Technical Details

  • Root cause: Integer underflow or wraparound (CWE-191) in the Windows NTFS kernel driver — an arithmetic operation on a size or index value produces a negative result that wraps around to a very large positive value; this incorrect value is used in a subsequent memory operation, causing the NTFS driver to read or write beyond the intended kernel buffer
  • Kernel memory corruption: The integer underflow leads to heap buffer over-read or over-write in kernel space, providing the attacker with a memory corruption primitive exploitable to redirect kernel execution and achieve SYSTEM-level code execution
  • PuzzleMaker chain: Kaspersky documented a sophisticated attack chain: (1) victim visits a compromised website delivering Chrome exploit CVE-2021-21224 (V8 RCE), achieving renderer code execution; (2) CVE-2021-31956 is used to escape the Chrome sandbox and escalate to SYSTEM on the host OS; (3) a dropper is installed with SYSTEM privileges for persistent access
  • Zero-day at patch: Microsoft acknowledged exploitation in the wild at the time of the June 2021 Patch Tuesday — confirming the NTFS zero-day was weaponized before defenders could patch
  • Waterhole targeting: PuzzleMaker's waterhole delivery (compromised websites visited by specific target communities) is characteristic of sophisticated threat actor operations targeting specific organizations or industries rather than broad criminal campaigns
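The size-underflow pattern described in the root-cause bullet above, as an added illustration that is not code from ntfs.sys or from Kaspersky's analysis: a hypothetical record parser derives a payload length by subtracting a header size from an untrusted total, shown in its wrapping form beside a hardened version that validates the total against both the header size and the real buffer length before any arithmetic or copy. The record layout, HDR_SIZE and the sample records are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record: 4-byte little-endian total length, then payload.
 * Illustrates CWE-191 only; not the NTFS on-disk format or ntfs.sys code. */
#define HDR_SIZE 4u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: size arithmetic before any check. If total < HDR_SIZE the
 * unsigned subtraction wraps (2 - 4 -> 0xFFFFFFFE) and a copy bounded by it
 * reads or writes far past the record buffer. */
uint32_t payload_len_vulnerable(uint32_t total) {
    return total - HDR_SIZE;
}

/* Fixed pattern: validate total against the header size and the real buffer
 * length before subtracting or copying. Returns 0 on success, -1 if rejected. */
int parse_record(const uint8_t *rec, size_t rec_len,
                 uint8_t *dst, size_t dst_len, size_t *out_len) {
    if (rec_len < HDR_SIZE) return -1;                  /* truncated header */
    uint32_t total = read_le32(rec);
    if (total < HDR_SIZE || total > rec_len) return -1; /* blocks the wrap */
    size_t payload = total - HDR_SIZE;                  /* cannot underflow now */
    if (payload > dst_len) return -1;                   /* destination too small */
    memcpy(dst, rec + HDR_SIZE, payload);
    *out_len = payload;
    return 0;
}

/* Constructed sample records (not captured from a real volume). */
static const uint8_t REC_OK[]   = {0x07, 0, 0, 0, 'a', 'b', 'c'}; /* total 7  */
static const uint8_t REC_WRAP[] = {0x02, 0, 0, 0};                /* total 2  */
static const uint8_t REC_LONG[] = {0x10, 0, 0, 0, 'a', 'b', 'c'}; /* total 16 */
/* Runs the fixed parser; returns the accepted payload length or -1. */
int demo(const uint8_t *rec, size_t rec_len) {
    uint8_t dst[16]; size_t n = 0;
    return parse_record(rec, rec_len, dst, sizeof dst, &n) == 0 ? (int)n : -1;
}

int main(void) {
    printf("wrapped: 0x%08x\n", (unsigned)payload_len_vulnerable(2));
    printf("ok=%d wrap=%d long=%d\n", demo(REC_OK, sizeof REC_OK),
           demo(REC_WRAP, sizeof REC_WRAP), demo(REC_LONG, sizeof REC_LONG));
    return 0;
}
```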

Discovery

Identified and reported by Kaspersky Research as part of their analysis of the PuzzleMaker campaign — a waterhole attack operation that used a full exploit chain combining Chrome and Windows kernel zero-days. Kaspersky published the detailed PuzzleMaker analysis on June 11, 2021, three days after Microsoft's June Patch Tuesday fixed the NTFS vulnerability.

Exploitation Context

CVE-2021-31956 represents a kernel privilege escalation zero-day deployed by sophisticated threat actors in a complete drive-by browser exploit chain. The PuzzleMaker campaign's waterhole methodology, compromising websites visited by the target community, is a hallmark of targeted espionage operations seeking to compromise specific organizations without broadly exposing their exploit capabilities. The pairing of a Chrome renderer zero-day with a Windows kernel LPE zero-day demonstrates the operational sophistication: each stage is required to convert the initial browser exploit into full OS compromise. The November 2021 CISA KEV addition reflects ongoing exploitation of the NTFS vulnerability against unpatched Windows systems after the June patch.

Remediation

  1. Apply June 2021 Patch Tuesday updates — this addresses CVE-2021-31956 in the NTFS driver; check the Microsoft Update Catalog for the appropriate KB for your Windows version
  2. Prioritize patching: internet-facing systems and workstations used by high-value individuals (executives, security personnel, system administrators) are most at risk from waterhole-style campaigns
  3. Verify patch installation: run systeminfo | findstr KB on each host and confirm that the June 2021 KB for that Windows version is listed
  4. Implement browser-side protections alongside OS patching — PuzzleMaker used Chrome as its initial entry point: keep Chrome/Edge fully updated and enable Site Isolation
  5. Use EDR solutions capable of detecting anomalous kernel driver memory access patterns — NTFS driver exploitation creates characteristic kernel heap allocation and access sequences detectable by modern EDR
  6. Restrict user web browsing to known-good sites via web proxy and URL filtering to reduce waterhole attack exposure

Key Details

Property              Value
CVE ID                CVE-2021-31956
Vendor / Product      Microsoft — Windows
NVD Published         2021-06-08
NVD Last Modified     2026-01-13
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-191
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-06-08   CVE published
2021-06-08   Microsoft patches CVE-2021-31956 in June 2021 Patch Tuesday — acknowledged as zero-day (exploited in the wild)
2021-06-11   Kaspersky publishes PuzzleMaker research — reveals CVE-2021-31956 was used alongside Chrome zero-day CVE-2021-21224 in a waterhole campaign targeting specific organizations
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline