CVE-2021-33739 — Microsoft Desktop Window Manager (DWM) Core Library Privilege Escalation Vulnerability

Windows DWM Core Library — No-Auth Local Privilege Escalation Enables Any User to Execute Code as SYSTEM; Used in PuzzleMaker Campaign; June 2021 Zero-Day

What is Windows Desktop Window Manager (DWM)?

The Desktop Window Manager (DWM) is the Windows compositing window manager responsible for rendering all visual effects in the Windows desktop environment — window animations, glass effects, thumbnail previews, and hardware-accelerated desktop composition. DWM runs as a privileged Windows system process (dwm.exe) that manages the visual output of all other processes. As a component that handles rendering data from all running applications and interfaces with the graphics subsystem, DWM's code surface intersects with both user-mode application input and kernel-mode graphics drivers. Privilege escalation vulnerabilities in DWM's core library (dwmcore.dll) can allow low-privileged users to execute code in DWM's privileged context or otherwise elevate to SYSTEM through DWM's interaction with system resources.

Overview

CVE-2021-33739 is a privilege escalation vulnerability in the Windows Desktop Window Manager (DWM) Core Library with a CVSS score of 8.4. That is notably higher than most Windows LPE bugs because of its PR:N (no privileges required) and UI:N (no user interaction) ratings, meaning any local process can exploit it without authentication. Microsoft patched it as a zero-day in the June 2021 Patch Tuesday release. Kaspersky Research linked CVE-2021-33739 to the PuzzleMaker waterhole campaign, where it served as one of the Windows privilege escalation components alongside CVE-2021-31956 (NTFS); these were used in conjunction with a Chrome V8 zero-day to achieve complete host compromise. CISA added it to the KEV catalog in November 2021.

Affected Versions

Product | Vulnerable | Fixed
Windows 10 (all versions) | Yes | June 2021 Patch Tuesday
Windows Server 2016 | Yes | June 2021 Patch Tuesday
Windows Server 2019 | Yes | June 2021 Patch Tuesday

Technical Details

  • Root cause: Privilege escalation vulnerability in the DWM Core Library (dwmcore.dll) — the DWM process handles rendering operations that involve window management and graphics compositing; a flaw in this handling allows a process with no special privileges to trigger code execution in a more privileged context
  • No privileges required (PR:N): Unlike most Windows LPE vulnerabilities that require at least a standard user account (PR:L), CVE-2021-33739 is exploitable without any privilege level — making it accessible to processes running in constrained contexts, including browser renderer processes operating in the Chrome sandbox
  • Sandbox escape utility: The PR:N characteristic makes this particularly valuable as a sandbox escape in browser exploit chains — a sandboxed renderer process running with very limited rights can exploit CVE-2021-33739 to escape the sandbox without needing to interact with the user or acquire any local credentials
  • SYSTEM privileges: Successful exploitation achieves full SYSTEM-level code execution — the highest privilege level on Windows
  • PuzzleMaker chain role: In the Kaspersky-documented PuzzleMaker campaign, DWM escalation (CVE-2021-33739) and NTFS escalation (CVE-2021-31956) served as the Windows privilege escalation stage after Chrome renderer RCE (CVE-2021-21224) was achieved — converting sandboxed browser code execution into full OS control

Discovery

Identified and documented by Kaspersky Research as part of their PuzzleMaker campaign investigation. The June 2021 Patch Tuesday advisory acknowledged zero-day exploitation. Kaspersky's June 11, 2021 publication of the PuzzleMaker analysis detailed the complete exploit chain, including CVE-2021-33739's role as the DWM privilege escalation component.

Exploitation Context

CVE-2021-33739's combination of no-privilege-required local escalation and its role in the PuzzleMaker chain illustrates why DWM vulnerabilities are particularly valuable to exploit chain developers. A Chrome renderer exploit executing in a very restricted sandbox can immediately leverage CVE-2021-33739 to escape the sandbox without needing to steal credentials or interact with user-accessible system components. The PuzzleMaker campaign used this against targeted organizations via waterhole attacks — visiting specific websites frequented by targeted individuals triggered the complete chain. The November 2021 CISA KEV addition reflects that this vulnerability continued to see exploitation after the June patch, consistent with its value in post-exploitation toolkits and against unpatched systems.

Remediation

  1. Apply June 2021 Patch Tuesday updates — addresses CVE-2021-33739 in DWM Core Library alongside CVE-2021-31956 (NTFS)
  2. Both June 2021 LPE patches should be applied together — the PuzzleMaker campaign used multiple LPE options, and applying only one patch leaves the other exploitation path open
  3. Keep Chrome and all browsers updated independently — PuzzleMaker's initial access was via Chrome zero-day; browser patching reduces the probability of reaching the kernel escalation stage
  4. Implement application allow-listing or EDR monitoring to detect unexpected code execution in privileged Windows processes (dwm.exe, spoolsv.exe, wuauclt.exe, etc.)
  5. Verify June 2021 Patch Tuesday installation: systeminfo | findstr KB and confirm the relevant KB is present on all Windows 10 and Server systems
  6. Enforce principle of least privilege for all accounts — even though this vulnerability requires no elevated privileges, reducing the attacker's initial foothold (e.g., restricting which users can log into sensitive servers) reduces overall risk

Key Details

Property | Value
CVE ID | CVE-2021-33739
Vendor / Product | Microsoft — Windows
NVD Published | 2021-06-08
NVD Last Modified | 2025-10-30
CVSS 3.1 Score | 8.4
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-06-08 | Microsoft patches CVE-2021-33739 in June 2021 Patch Tuesday — zero-day, acknowledged as exploited in the wild
2021-06-11 | Kaspersky publishes PuzzleMaker research, identifying CVE-2021-33739 as part of the Windows kernel escalation chain used alongside Chrome zero-day CVE-2021-21224
2021-06-08 | CVE published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 | CISA BOD 22-01 remediation deadline