CVE-2021-40450 — Microsoft Win32k Privilege Escalation Vulnerability

Windows Win32k — Local Privilege Escalation Enabling Low-Privileged User to Gain SYSTEM Access via Kernel Driver Flaw

What is Windows Win32k?

Win32k.sys is a core Windows kernel-mode driver that implements the Windows GUI subsystem — the kernel-mode portion of the Windows windowing system, including window management, graphics device interface (GDI), and user interface components. Because Win32k runs in kernel mode and provides extensive interfaces to user-mode applications for rendering graphics and managing windows, it has historically been one of the most exploited Windows subsystems for local privilege escalation. Vulnerabilities in Win32k allow attackers to corrupt kernel memory and achieve SYSTEM-level code execution, converting any low-privileged local code execution into full OS control.

Overview

CVE-2021-40450 is a local privilege escalation vulnerability in the Windows Win32k kernel driver, patched in October 2021 Patch Tuesday alongside CVE-2021-40449 (the MysterySnail zero-day) and CVE-2021-41357. While CVE-2021-40449 was confirmed as an actively exploited zero-day at patch time, CVE-2021-40450 was added to CISA KEV in April 2022 — six months later — reflecting confirmed exploitation in the wild after the patch was available. A low-privileged local user or process can exploit this vulnerability to escalate to SYSTEM privileges on the affected Windows system.

Affected Versions

Product                                              Vulnerable   Fixed
Windows 7 SP1 through Windows 11                     Yes          October 2021 cumulative update
Windows Server 2008 R2 through Windows Server 2022   Yes          October 2021 cumulative update

Technical Details

  • Root cause: An unspecified vulnerability in the Win32k kernel driver that allows privilege escalation — Microsoft's advisory does not detail the specific memory corruption type, but Win32k escalations typically involve use-after-free, type confusion, or out-of-bounds write primitives in the kernel GDI/user subsystem
  • Attack vector: Local (AV:L) with low privileges (PR:L) — the attacker needs code execution in a standard user context before exploiting this vulnerability to reach SYSTEM
  • Post-exploitation utility: SYSTEM access enables disabling security products, dumping LSASS credentials, adding persistence mechanisms, and lateral movement across the Windows environment
  • No user interaction: The escalation operates silently from a running low-privileged process; no additional user action is needed
  • October 2021 Win32k cluster: Patched alongside CVE-2021-40449 (zero-day, MysterySnail) and CVE-2021-41357 — multiple Win32k vulnerabilities fixed in a single Patch Tuesday indicate active research focus on this attack surface

Discovery

Identified and reported to Microsoft. The April 2022 CISA KEV addition (six months after the October 2021 patch) confirms active exploitation in post-compromise attack chains after the patch was available — consistent with attackers having developed working exploits and deploying them against unpatched systems.

Exploitation Context

Win32k privilege escalation vulnerabilities are a staple of post-compromise attack chains on Windows. After gaining initial access via phishing, web exploitation, or other means, attackers with limited user privileges use Win32k exploits to reach SYSTEM — the necessary level for disabling endpoint detection, dumping credentials with LSASS access, and establishing persistent backdoors. The six-month gap between patch and KEV addition reflects the pattern of attackers developing exploits for known-but-unpatched vulnerabilities in enterprise environments with slow patching cadences.

Remediation

  1. Apply October 2021 cumulative update for your Windows version via Windows Update
  2. Prioritize patch application on systems where privilege escalation is most consequential: domain controllers, file servers, developer workstations, and systems handling sensitive data
  3. Enable Windows Update automatic updates to ensure monthly security patches are applied promptly
  4. Consider deploying Windows Defender Credential Guard to protect LSASS credentials even if SYSTEM is achieved
  5. Monitor for unexpected SYSTEM-level process spawning from low-privileged parent processes as an indicator of LPE exploitation
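The monitoring idea in step 5 can be expressed as a simple detection rule over process-creation telemetry. The following is an added example, not part of the original advisory: it reads constructed newline-delimited JSON records whose field names are modelled on Sysmon Event ID 1 (Image, User, ParentImage, ParentUser; the presence of a ParentUser field is an assumption about the log source) and flags children running as a built-in high-privilege account whose parent ran as an ordinary user.

```python
import json

# Built-in accounts that legitimately run with SYSTEM-level rights. A child
# running as one of these is only suspicious when its parent ran as an
# ordinary user account, which is the shape of a shell spawned after an LPE.
PRIVILEGED_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

def normalize(account: str) -> str:
    """Upper-case the account and drop the 'NT AUTHORITY\\' prefix only, so a
    domain account that happens to be named SYSTEM is not treated as built-in."""
    acct = account.strip().upper()
    if acct.startswith("NT AUTHORITY\\"):
        acct = acct[len("NT AUTHORITY\\"):]
    return acct

def is_privileged(account: str) -> bool:
    return normalize(account) in PRIVILEGED_ACCOUNTS

def parse_jsonl(text: str) -> list:
    """Parse newline-delimited JSON records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_suspicious_elevations(events: list) -> list:
    """Return process-creation events where a SYSTEM-level child was spawned
    by a parent running as a low-privileged account."""
    hits = []
    for ev in events:
        parent_user = ev.get("ParentUser")
        if not parent_user:
            continue  # cannot judge the privilege jump without the parent's identity
        if is_privileged(ev.get("User", "")) and not is_privileged(parent_user):
            hits.append(ev)
    return hits

# Constructed sample telemetry (not real logs); the ParentUser field is assumed
# to be available from the collector. Record 2 models an LPE-spawned shell.
SAMPLE_JSONL = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\services.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Users\\alice\\Downloads\\update.exe", "ParentUser": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "ParentUser": "CORP\\alice"}
'''
SAMPLE_EVENTS = parse_jsonl(SAMPLE_JSONL)

if __name__ == "__main__":
    for hit in find_suspicious_elevations(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} running as {hit['User']} "
              f"spawned by {hit['ParentImage']} ({hit['ParentUser']})")
```

Legitimate elevation paths (UAC via the AppInfo service, scheduled tasks, service starts) have a SYSTEM-level parent such as svchost.exe or services.exe and therefore do not match; tune the account set to the environment before alerting on it.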

Key Details

Property               Value
CVE ID                 CVE-2021-40450
Vendor / Product       Microsoft — Win32k
NVD Published          2021-10-13
NVD Last Modified      2025-10-30
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CISA KEV Added         2022-04-25
CISA KEV Deadline      2022-05-16
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-05-16. Apply updates per vendor instructions.

Timeline

Date         Event
2021-10-12   Microsoft patches CVE-2021-40450 in October 2021 Patch Tuesday
2021-10-13   CVE published
2022-04-25   Added to CISA Known Exploited Vulnerabilities catalog — six months after patch
2022-05-16   CISA BOD 22-01 remediation deadline