CVE-2021-41357

What is Windows Win32k?

Win32k.sys is a core Windows kernel-mode driver that implements the Windows GUI subsystem — the kernel-mode portion of the Windows windowing system, including window management, graphics device interface (GDI), and user interface components. Because Win32k runs in kernel mode and provides extensive interfaces to user-mode applications for rendering graphics and managing windows, it has historically been one of the most exploited Windows subsystems for local privilege escalation. Vulnerabilities in Win32k allow attackers to corrupt kernel memory and achieve SYSTEM-level code execution, converting any low-privileged local code execution into full OS control.

Overview

CVE-2021-41357 is a local privilege escalation vulnerability in the Windows Win32k kernel driver, patched in October 2021 Patch Tuesday — the same patch batch that fixed CVE-2021-40449 (the actively exploited MysterySnail zero-day) and CVE-2021-40450. CVE-2021-41357 was added to CISA KEV in April 2022, six months after the patch, along with CVE-2021-40450 — indicating both were used in confirmed post-patch exploitation campaigns. A local attacker with standard user privileges can exploit this vulnerability to escalate to SYSTEM on any affected Windows system.

Affected Versions

Technical Details

• Root cause: An unspecified vulnerability in the Win32k kernel driver enabling local privilege escalation — Win32k LPE bugs typically involve memory corruption (use-after-free, type confusion, or out-of-bounds write) in the kernel's windowing and GDI subsystems
• Attack vector: Local (AV:L) with low privileges (PR:L) — requires an attacker to already have code execution as a standard user before leveraging this escalation
• Escalation target: NT AUTHORITY\SYSTEM — unrestricted access to all local resources, enabling credential dumping, security product disabling, persistence, and lateral movement
• No user interaction: The escalation is silent and requires no additional interaction once the exploit is triggered from a running process
• October 2021 Win32k cluster: Three Win32k vulnerabilities were patched in October 2021 (CVE-2021-40449, CVE-2021-40450, CVE-2021-41357), suggesting coordinated Microsoft patching of multiple bugs found in the same code area — two were later exploited in the wild (40450 and 41357 per CISA KEV April 2022)

Discovery

Reported to Microsoft during coordinated vulnerability research. The simultaneous CISA KEV addition of CVE-2021-40450 and CVE-2021-41357 in April 2022 suggests both were integrated into similar post-compromise toolkits deployed against enterprise targets.

Exploitation Context

Win32k privilege escalation is a standard component in sophisticated Windows attack chains. After gaining initial access through phishing, exploitation of internet-facing services, or lateral movement, attackers use Win32k LPE to reach SYSTEM — enabling full endpoint control. The six-month gap between the October 2021 patch and the April 2022 KEV addition reflects that working exploits were developed and deployed by threat actors targeting enterprises with slow patching cadences. Organizations running unpatched Windows systems remained exposed throughout the winter of 2021-2022.

Remediation

1. Apply October 2021 cumulative update for your Windows version (KB5006670 for Windows 10 21H1 or equivalent) via Windows Update
2. Enable automatic Windows Updates to apply monthly security patches without delay
3. Consider deploying Windows Defender Credential Guard to protect credential stores from being accessed even after SYSTEM access is achieved
4. Implement Privileged Access Workstations (PAW) to isolate administrative operations and limit the lateral movement value of SYSTEM access on standard workstations
5. Monitor Event ID 4688 (process creation with new privilege) and detect unexpected SYSTEM-level processes with non-SYSTEM parent processes