What is Windows Win32k?
Win32k.sys is a core Windows kernel-mode driver that implements the Windows GUI subsystem — the kernel-mode portion of the Windows windowing system, including window management, graphics device interface (GDI), and user interface components. Because Win32k runs in kernel mode and provides extensive interfaces to user-mode applications for rendering graphics and managing windows, it has historically been one of the most exploited Windows subsystems for local privilege escalation. Use-after-free vulnerabilities in Win32k allow attackers to corrupt kernel memory and achieve SYSTEM-level code execution, converting any low-privileged local access into full operating system control.
Overview
CVE-2021-40449 is a use-after-free vulnerability (CWE-416) in the Windows Win32k kernel driver, actively exploited as a zero-day by the Chinese APT group IronHusky (also tracked as MysterySnail). Kaspersky researchers Boris Larin and Costin Raiu discovered the exploitation during incident response and reported the zero-day to Microsoft, who patched it in October 2021 Patch Tuesday. The malware deployed via this exploit chain was named "MysterySnail" — a remote access trojan (RAT) with extensive C2 capabilities used against IT companies and military/defense contractors in targeted espionage campaigns.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 7 SP1 through Windows 11 | Yes | October 2021 cumulative update |
| Windows Server 2008 R2 through Windows Server 2022 | Yes | October 2021 cumulative update |
Technical Details
- Root cause: Use-after-free (CWE-416) in the Win32k kernel driver — a kernel object is freed while a reference to it remains accessible, allowing an attacker to later control the freed memory and corrupt kernel data structures
- Attack vector: Local (AV:L) with low privileges (PR:L) — the attacker must have code execution in a low-privileged user session. The exploit is typically delivered after initial access via phishing or a renderer exploit
- Privilege escalation target: SYSTEM — the exploit converts low-privileged user execution to NT AUTHORITY\SYSTEM (full OS control), enabling credential dumping, security product disabling, and lateral movement
- No user interaction: The privilege escalation operates silently after the attacker has code execution; no user action is required
- Post-exploitation use: After achieving SYSTEM, IronHusky deployed the MysterySnail RAT for persistent access, C2 communication, and lateral movement throughout target networks
Discovery
Discovered by Kaspersky researchers Boris Larin and Costin Raiu during investigation of targeted attacks against IT companies and military/defense contractors. Kaspersky reported the zero-day to Microsoft and published the MysterySnail research on the same day as the October 2021 Patch Tuesday patch. IronHusky is a Chinese-linked APT group that has been active since at least 2012, focusing on espionage against government, military, IT, and telecom sectors.
Exploitation Context
CVE-2021-40449 was part of an espionage campaign targeting IT companies and military/defense organizations. The attack chain: phishing or other initial access → code execution in user context → Win32k zero-day for SYSTEM escalation → MysterySnail RAT deployment for persistent access. The group had previously been tracked targeting Russian and Mongolian organizations. The zero-day was in active use when discovered, and the CISA KEV addition (November 17, 2021) reflects continued post-patch exploitation against organizations slow to apply the October 2021 cumulative update. The Known Ransomware Use flag reflects post-patch adoption by ransomware operators who incorporated this Win32k escalation technique.
Remediation
- Apply October 2021 cumulative update for your Windows version via Windows Update (KB5006670 for Windows 10 20H2/21H1 or equivalent)
- Enable Windows Update automatic updates to ensure monthly patches are applied promptly
- Deploy Microsoft Defender for Endpoint with behavioral detection for Win32k exploitation patterns
- Implement least-privilege user accounts — running with standard user rights limits the utility of LPE exploits in post-compromise scenarios by requiring attackers to first obtain code execution before escalating
- Enable Exploit Protection in Windows Security settings for additional kernel exploit mitigations
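A defender-side compliance check for the first remediation item, added here as an example (not part of the advisory or any Microsoft tooling). It treats a host as patched if the KB named above is listed as an installed hotfix, or if the OS build revision (UBR) is at or above the level that update shipped; the function name, the covered build list and the minimum UBR value are assumptions to verify against Microsoft's release notes for your build.

```powershell
# Added example: report whether this Windows 10 host carries the October 2021
# cumulative update (KB5006670) that fixes CVE-2021-40449. Hypothetical function.
function Test-Cve202140449Patched {
    param(
        [string]$KbId = 'KB5006670',
        # Assumed minimum UBR shipped by KB5006670 on the covered builds; later
        # cumulative updates supersede it, so any higher UBR also counts as fixed.
        [int]$MinUbr = 1288,
        # Assumed Windows 10 builds serviced by KB5006670 (2004 / 20H2 / 21H1).
        [int[]]$CoveredBuilds = @(19041, 19042, 19043)
    )
    $cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build  = [int]$cv.CurrentBuildNumber
    $ubr    = [int]$cv.UBR
    # Get-HotFix does not always list cumulative updates, hence the UBR fallback.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    $patched = $false
    if ($hotfix) {
        $patched = $true
        $reason  = "$KbId present (installed $($hotfix.InstalledOn))"
    } elseif ($CoveredBuilds -notcontains $build) {
        $reason  = "build $build not covered by this check; compare against the matching October 2021 KB"
    } elseif ($ubr -ge $MinUbr) {
        $patched = $true
        $reason  = "build $build.$ubr is at or above $build.$MinUbr"
    } else {
        $reason  = "build $build.$ubr is below $build.$MinUbr and $KbId is not listed"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = "$build.$ubr"
        Patched      = $patched
        Reason       = $reason
    }
}

Test-Cve202140449Patched | Format-List
```

Run it under an account that can read HKLM and invoke Get-HotFix; pipe the object into a fleet inventory rather than relying on the console output.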
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-40449 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2021-10-13 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2021-11-17 |
| CISA KEV Deadline | 2021-12-01 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2021-10-12 | Microsoft patches CVE-2021-40449 in October 2021 Patch Tuesday as a zero-day actively exploited in the wild |
| 2021-10-12 | Kaspersky detects exploitation by IronHusky (MysterySnail) APT; reports zero-day to Microsoft |
| 2021-10-13 | CVE published |
| 2021-10-13 | Kaspersky publishes MysterySnail research, naming the Win32k zero-day and the associated RAT |
| 2021-11-17 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-12-01 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2021-40449 | Vendor Advisory |
| Kaspersky — MysterySnail Attacks with Windows Zero-Day | Security Research |
| NVD — CVE-2021-40449 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |