CVE-2022-21971 — Microsoft Windows Runtime Remote Code Execution Vulnerability

Microsoft Windows Runtime — Local RCE via Uninitialized Pointer When Opening Crafted File

What is Windows Runtime?

Windows Runtime (WinRT) is Microsoft's modern application framework for Windows, providing the API layer used by Universal Windows Platform (UWP) applications and enabling interoperability between C++, C#, JavaScript, and other languages through COM-based interface contracts. WinRT handles file parsing, media processing, and other system operations invoked by Windows applications. Vulnerabilities in WinRT components can be triggered when Windows processes certain file types, potentially allowing malicious files to execute code when opened by a user.

Overview

CVE-2022-21971 is a high-severity Windows Runtime remote code execution vulnerability (CWE-824, CVSS 7.8) in Microsoft Windows. A local attacker can trigger code execution when a user opens a specially crafted file that invokes vulnerable WinRT processing. The attack vector is Local with User Interaction Required — meaning the victim must open a malicious file, but no network access or privilege is needed from the attacker. Patched in February 2022 Patch Tuesday, the vulnerability was added to CISA KEV in August 2022, more than six months after the patch, reflecting delayed exploitation discovery.

Affected Versions

Product                      Vulnerable                                 Fixed
Windows 10, 11               All versions before February 2022 patch    February 2022 cumulative update
Windows Server 2019, 2022    All versions before February 2022 patch    February 2022 cumulative update

Technical Details

The vulnerability (CWE-824: Access of Uninitialized Pointer) exists in a Windows Runtime component that processes certain file types or data structures. An uninitialized pointer is a pointer variable that has been declared but not assigned a valid value before it is used; when the code dereferences it, the access lands on an arbitrary memory location determined by whatever leftover value happened to occupy that memory.

An attacker crafts a malicious file that, when opened by a user, triggers the WinRT processing code path containing the uninitialized pointer. By carefully constructing the file to influence the uninitialized memory content (through heap grooming or other techniques), the attacker can direct the pointer to attacker-controlled data and achieve code execution in the context of the user opening the file.
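The CWE-824 shape described above, as an added illustration that is not code from the page, from Microsoft, or from any real WinRT component: a constructed toy record parser whose header pointer is assigned on only one branch, beside a hardened version that initializes the pointer, treats the "no header" case as an explicit outcome, and validates before dereferencing. The record format, the tag value 0x01 and the function names are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy record format (not any real WinRT structure):
   byte 0 is a tag; tag 0x01 means bytes 1.. form an "extended header",
   any other tag means the record carries no header at all. */
typedef struct {
    const uint8_t *data;
    size_t len;
} header_t;

/* CWE-824 shape: 'hdr' is only assigned on the tag == 0x01 branch, so a
   record with any other tag reaches the dereference with whatever stale
   value the stack slot held. Kept only to show the bug; it is only
   well-defined for records whose tag is 0x01. */
size_t header_len_vulnerable(const uint8_t *rec, size_t len) {
    header_t ext;
    header_t *hdr;                       /* declared, never initialized */
    if (len >= 2 && rec[0] == 0x01) {
        ext.data = rec + 1;
        ext.len = len - 1;
        hdr = &ext;
    }
    return hdr->len;                     /* uninitialized on the other path */
}

/* Hardened form: initialize the pointer, make the absent-header case an
   explicit result, and check before dereferencing. Returns 0 on success
   with *out set, 1 when the record has no header, -1 on a malformed
   record or bad arguments. */
int header_len_hardened(const uint8_t *rec, size_t len, size_t *out) {
    header_t ext;
    header_t *hdr = NULL;                /* known state on every path */
    if (rec == NULL || out == NULL || len < 1)
        return -1;
    if (rec[0] == 0x01) {
        if (len < 2)
            return -1;                   /* tag promises a header it lacks */
        ext.data = rec + 1;
        ext.len = len - 1;
        hdr = &ext;
    }
    if (hdr == NULL)
        return 1;                        /* no header is not an error */
    *out = hdr->len;
    return 0;
}
```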

The CVSS Local attack vector reflects that the attacker's malicious file must be opened locally (e.g., delivered via email attachment, USB, or download) rather than being directly exploitable over the network. The 7.8 CVSS score reflects the high impact of code execution combined with the practical accessibility of the attack: getting a user to open a file is a routine social engineering operation.

Discovery

Discovered by security researchers and reported to Microsoft. The 6-month gap between the February 2022 patch and CISA's August 2022 KEV addition reflects that exploitation was confirmed through threat intelligence or incident response activity well after the patch was available.

Exploitation Context

File-triggered RCE vulnerabilities in Windows components are commonly used for:

  • Phishing campaigns: Malicious Office documents, PDF files, or other common file types that trigger vulnerable system components when opened
  • Drive-by download: Files served from compromised websites or delivered through malicious downloads that exploit WinRT when Windows previews or processes them
  • Targeted spear phishing: Sending crafted files to high-value targets as email attachments

The delayed KEV addition suggests the vulnerability was being used in targeted campaigns where victims were tricked into opening crafted files, rather than mass exploitation.

Remediation

  1. Apply February 2022 Patch Tuesday: Install the cumulative security update via Windows Update or WSUS.
  2. Enable Protected View in Office: Microsoft Office's Protected View opens downloaded files in a restricted mode that prevents them from triggering system processing — reducing the risk of file-triggered RCE.
  3. User awareness training: Train users to exercise caution with unexpected file attachments and downloaded files, particularly those requiring macros or special permissions.
  4. Application whitelisting / ASR rules: Microsoft Defender Attack Surface Reduction rules can block execution triggered by Office documents and other file types.

Key Details

Property               Value
CVE ID                 CVE-2022-21971
Vendor / Product       Microsoft — Windows
NVD Published          2022-02-09
NVD Last Modified      2025-10-30
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-824
CISA KEV Added         2022-08-18
CISA KEV Deadline      2022-09-08
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-09-08. Apply updates per vendor instructions.

Timeline

Date          Event
2022-02-08    Microsoft patched CVE-2022-21971 in February 2022 Patch Tuesday
2022-08-18    CISA added to KEV (6+ months after patch)
2022-09-08    CISA BOD 22-01 remediation deadline

References

Resource                                             Type
NVD — CVE-2022-21971                                 Vulnerability Database
CISA KEV Catalog Entry                               US Government
Microsoft Security Update Guide — CVE-2022-21971     Vendor Advisory