What is the Windows Kernel?
The Windows NT kernel is the core of the Windows operating system, managing hardware resources, memory, processes, and security enforcement for all running software. The kernel operates at the highest privilege level (ring 0) and enforces all security boundaries between processes, users, and the operating system itself. Memory safety vulnerabilities in the Windows kernel — buffer overflows, use-after-free bugs, type confusion — are among the most critical security issues on Windows because they allow low-privileged code to corrupt kernel memory and achieve SYSTEM-level code execution, bypassing all user-mode security controls including UAC, process isolation, and security software.
Overview
CVE-2021-31979 is a memory safety vulnerability (CWE-119) in the Windows kernel that allows a low-privileged local user to escalate to SYSTEM privileges. Microsoft patched this in July 2021 Patch Tuesday and acknowledged it as a zero-day — exploited before the patch was available. Kaspersky Research linked CVE-2021-31979 and the companion CVE-2021-33771 (also patched in the same July 2021 update) to the same threat actor cluster, indicating they were used together in a targeted campaign. CISA added both vulnerabilities to the KEV catalog in November 2021.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 (multiple versions) | Yes | July 2021 Patch Tuesday |
| Windows Server 2016 | Yes | July 2021 Patch Tuesday |
| Windows Server 2019 | Yes | July 2021 Patch Tuesday |
| Windows 7 SP1 / Server 2008 R2 | Yes | July 2021 Patch Tuesday |
Technical Details
- Root cause: Memory safety violation (CWE-119) in Windows kernel code — an improper memory operation (buffer overflow, invalid read/write, or bounds check failure) in a kernel component allows an attacker to corrupt kernel memory structures
- SYSTEM privilege escalation: Exploiting the kernel memory corruption achieves code execution in kernel context, providing SYSTEM privileges — the highest access level on Windows, unrestricted by UAC or process isolation
- Zero-day exploitation: Microsoft's July 2021 Patch Tuesday advisory explicitly acknowledged exploitation in the wild before the patch, confirming the vulnerability was weaponized and deployed in targeted attacks prior to disclosure
- Attack prerequisites: CVSS AV:L/PR:L/UI:N — requires a low-privileged local account and no user interaction; standard for post-compromise privilege escalation use cases
- Paired exploitation: Kaspersky identified that CVE-2021-31979 and CVE-2021-33771 were used by the same threat actor in the same attacks — both Windows kernel LPE bugs patched in July 2021 and both added to CISA KEV simultaneously in November 2021
Discovery
Discovered and reported as a zero-day — actively exploited before the July 2021 patch. Kaspersky Research analyzed the exploitation activity and linked this vulnerability to CVE-2021-33771 as a paired kernel escalation toolkit used in targeted attacks, suggesting a sophisticated threat actor with access to multiple simultaneous Windows kernel exploits.
Exploitation Context
Windows kernel zero-days that are exploited before the patch are characteristic of advanced threat actor operations — nation-state groups or commercial exploit vendors with the capability to discover and weaponize kernel vulnerabilities before they are reported. CVE-2021-31979 and CVE-2021-33771 being deployed together suggests a coordinated campaign with redundant kernel escalation options — if one exploit failed (due to OS version or build differences), the other would succeed. The November 2021 CISA KEV addition (four months after the patch) reflects ongoing exploitation against unpatched Windows systems after the patch became available.
Remediation
- Apply July 2021 Patch Tuesday updates — check the Microsoft Update Catalog for the appropriate KB for your Windows version
- Prioritize patching domain-joined systems and systems accessible via RDP or other remote access, where an attacker who gains initial access via remote services would benefit most from kernel LPE
- Implement principle of least privilege — minimize the number of accounts with local logon rights on critical servers; standard domain users should not have local logon access to servers
- Enable and configure Windows Defender Exploit Guard to detect exploitation behavior patterns
- Monitor for anomalous SYSTEM-level activity from user-mode processes — EDR solutions should flag unexpected privilege escalation from low-integrity processes
- Keep Windows fully updated: apply July 2021 and all subsequent Patch Tuesdays, as additional kernel LPE vulnerabilities have been patched in subsequent months
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-31979 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2021-07-14 |
| NVD Last Modified | 2025-10-29 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-119 find similar ↗ |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2021-07-13 | Microsoft patches CVE-2021-31979 in July 2021 Patch Tuesday — acknowledged as exploited in the wild (zero-day) |
| 2021-07-14 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2021-31979 | Vendor Advisory |
| NVD — CVE-2021-31979 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |