What is Microsoft Win32k?
Win32k.sys is a Windows kernel-mode driver that implements the GUI subsystem — handling window management, GDI graphics, and user interface operations for all Windows applications. Because Win32k runs in kernel mode with the highest privilege level, vulnerabilities in it enable local privilege escalation (LPE) from a limited user account to SYSTEM. Win32k LPE vulnerabilities are consistently among the most exploited Windows vulnerabilities, commonly chained with code execution exploits to achieve full system compromise.
Overview
CVE-2022-21882 is a high-severity Win32k privilege escalation vulnerability (CWE-787, CVSS 7.0) in Microsoft Windows. A local attacker with low privileges can exploit an out-of-bounds write in the Win32k kernel driver to escalate to SYSTEM privileges. Microsoft patched it in the January 2022 Patch Tuesday release; active exploitation was subsequently confirmed, and CISA added it to the KEV catalog on February 4, 2022.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10, 11 | All versions before January 2022 patch | KB5009543 / KB5009566 |
| Windows Server 2019, 2022 | All versions before January 2022 patch | January 2022 cumulative update |
Technical Details
The vulnerability (CWE-787: Out-of-bounds Write) exists in the Win32k.sys kernel driver. An out-of-bounds write in a Win32k GUI processing code path allows a local attacker with low privileges to corrupt kernel data structures — such as a process token or security descriptor — enabling escalation from a limited user account to NT AUTHORITY\SYSTEM.
The attack requires local code execution but no user interaction and minimal privileges. CVE-2022-21882 is typically used as the second stage in a two-stage attack: a remote code execution vulnerability provides initial access in a sandboxed or low-privilege context, then the Win32k LPE elevates that access to SYSTEM for full machine control.
The CVSS attack complexity of High reflects that triggering the vulnerability reliably may require specific timing conditions (race condition) or particular system state.
Discovery
Discovered by security researchers and reported to Microsoft. Active exploitation was confirmed approximately three weeks after the January 2022 Patch Tuesday fix — suggesting rapid reverse engineering of the patch or pre-existing knowledge of the bug.
Exploitation Context
Win32k privilege escalation vulnerabilities are a consistent component of Windows attack chains:
- Ransomware deployment: After initial access, ransomware operators use LPE to achieve SYSTEM privileges for disabling AV, encrypting system files, and modifying boot records
- Lateral movement: SYSTEM-level access enables credential harvesting from LSASS and remote code execution across the domain
- APT persistence: Nation-state actors use Win32k LPE to escape browser sandboxes or elevate initial footholds to full machine control
- Post-exploitation frameworks: C2 frameworks include Win32k LPE modules for privilege escalation workflows
Remediation
- Apply January 2022 Patch Tuesday: Install the cumulative update via Windows Update or WSUS — KB5009543 for Windows 10, KB5009566 for Windows 11.
- Prioritize patch deployment: Win32k LPE is actively exploited and commonly used in multi-stage attack chains targeting enterprise environments.
- Enable Attack Surface Reduction: Microsoft Defender ASR rules can block certain exploitation patterns.
- Deploy EDR: Endpoint Detection and Response solutions detect privilege escalation attempts through behavioral anomaly detection.
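The following PowerShell script is an added example for verifying the remediation steps above on a Windows host; it is not part of the original advisory. It checks for the two KB identifiers named on this page (KB5009543, KB5009566) with Get-HotFix, reports the installed OS build from the registry, and lists the configured Defender ASR rules. Because later cumulative updates supersede the January 2022 update without carrying its KB number, the script also accepts a minimum build revision (`$MinimumUbr`, a placeholder you fill in from Microsoft's release notes for your build line) so that a host patched with a newer cumulative update is not reported as missing the fix. All cmdlets used are standard Windows/Defender cmdlets; the function names and the `$MinimumUbr` parameter are this example's own.

```powershell
# Added example (not from the advisory): verify the CVE-2022-21882 fix is present
# and report Defender ASR state. Run in an elevated PowerShell session on the host.

# KB numbers come from the advisory above (KB5009543 = Windows 10, KB5009566 = Windows 11).
$FixKbs = @('KB5009543', 'KB5009566')

# PLACEHOLDER: minimum UBR (build revision) for your build line that includes the
# January 2022 cumulative update; take it from Microsoft's release notes. 0 = not set.
$MinimumUbr = 0

function Get-OsBuildInfo {
    # Reads the build and revision that Windows Update advances with each cumulative update.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName    = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion
        Build          = [int]$cv.CurrentBuild
        Ubr            = [int]$cv.UBR
        FullBuild      = "$($cv.CurrentBuild).$($cv.UBR)"
    }
}

function Test-FixKbInstalled {
    # Returns whether either fix KB appears in the installed hotfix list.
    param([string[]]$KbIds = $FixKbs)
    $installed = @(Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID })
    [pscustomobject]@{
        Present     = ($installed.Count -gt 0)
        HotFixIDs   = @($installed | ForEach-Object { $_.HotFixID })
        InstalledOn = @($installed | ForEach-Object { $_.InstalledOn })
    }
}

function Get-AsrRuleState {
    # Lists configured ASR rule IDs with their action (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $mp      = Get-MpPreference
    $ids     = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{ RuleId = $ids[$i]; Action = $actions[$i] }
    }
}

function Get-Cve202221882Status {
    # Combines the KB check and the build-revision check into one verdict.
    $os = Get-OsBuildInfo
    $kb = Test-FixKbInstalled
    $verdict =
        if ($kb.Present) { 'Patched (fix KB installed)' }
        elseif ($MinimumUbr -gt 0 -and $os.Ubr -ge $MinimumUbr) { 'Patched (later cumulative update present)' }
        elseif ($MinimumUbr -eq 0) { 'Fix KB not listed; compare build against Microsoft release notes' }
        else { 'NOT PATCHED: build revision below the January 2022 cumulative update' }
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Product     = $os.ProductName
        Version     = $os.DisplayVersion
        Build       = $os.FullBuild
        FixKbsFound = ($kb.HotFixIDs -join ',')
        Verdict     = $verdict
    }
}

Get-Cve202221882Status | Format-List
"ASR rules configured:"
Get-AsrRuleState | Format-Table -AutoSize
```

Run the script on each host in scope, or wrap `Get-Cve202221882Status` in `Invoke-Command` to collect the verdict across a fleet. An empty ASR table means no rules are configured; rules with action 2 are only auditing, so they log but do not block.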
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-21882 |
| Vendor / Product | Microsoft — Win32k |
| NVD Published | 2022-01-11 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2022-02-04 |
| CISA KEV Deadline | 2022-02-18 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2022-01-11 | Microsoft patched CVE-2022-21882 in January 2022 Patch Tuesday |
| 2022-02-04 | CISA added to KEV; active exploitation confirmed |
| 2022-02-18 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-21882 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Update Guide — CVE-2022-21882 | Vendor Advisory |