CVE-2016-0151

CVE-2016-0151 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-28). The underlying weakness is classified as CWE-269.

Key facts

Description

The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."

CVE-2016-0151: Windows CSRSS Token Mismanagement Enables Local Privilege Escalation

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2016-0151 is a local privilege escalation vulnerability in Microsoft Windows, rooted in improper token management within the Client-Server Run-time Subsystem (CSRSS). By leveraging a crafted application, a local attacker can manipulate process tokens and bypass security boundaries to gain elevated privileges. This flaw carries significant real-world risk: it is catalogued in CISA's Known Exploited Vulnerabilities (KEV) list and tied to active exploitation and ransomware campaigns.

Background

CSRSS (csrss.exe) is a critical Windows subsystem process that manages the console window, thread creation, and portions of the 16-bit virtual MS-DOS environment. Because it operates with high privileges and interacts closely with user-mode processes, its integrity is essential to system security. In 2016, Microsoft patched a token-management defect in CSRSS that allowed a lower-privileged process to tamper with token handles and assume higher privileges. The vulnerability was disclosed as part of Microsoft's April 2016 Patch Tuesday release, documented in security bulletin MS16-048.

Root Cause

The underlying weakness is classified as CWE-269: Improper Privilege Management. The CSRSS subsystem failed to correctly validate or isolate process tokens when handling inter-process communication. Specifically, the subsystem mismanaged token objects, allowing a non-privileged process to obtain or modify a token associated with a higher-privileged context. This breaks the fundamental Windows security model of token-based access control, where a process's identity and rights are bound to its access token.

Impact

The vulnerability is rated High severity under CVSS v3.1 with a base score of 7.8 (vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The CVSS v2 score is 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). Both metrics indicate that successful exploitation grants complete confidentiality, integrity, and availability compromise from a local attack vector with low complexity and no prior privileges required (beyond local access). The attacker impact is total system takeover on affected hosts.

The Exploit Prediction Scoring System (EPSS) assigns this CVE a probability of 0.63195 (approximately 63.2%), placing it in the 99.1st percentile of all CVEs — signalling that exploitation in the wild is highly likely. CISA added it to the KEV catalog on 28 March 2022, and the EU Vulnerability Database (EUVD) confirms active exploitation from the same date.

Exploitation Walkthrough

From a defensive research perspective, exploitation follows this general pattern:

  1. The attacker executes a crafted application in the context of a low-privileged local user.
  2. The application interacts with the CSRSS subsystem through legitimate Windows IPC mechanisms.
  3. Due to the token mismanagement flaw, the application manipulates a process token handle to reference a higher-privileged security context.
  4. The attacker process then assumes the elevated token, effectively bypassing normal access controls and gaining privileges such as SYSTEM.

Ethics caveat: This description is intentionally generic and oriented toward detection and defence. Security teams should use this understanding to audit token-handling behaviour and monitor CSRSS interactions rather than attempt reproduction on production systems.

Affected and Patched Versions

The following Microsoft operating systems are confirmed vulnerable:

  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 10 (initial release, version 1507)
  • Windows 10, version 1511 (November Update)

Microsoft released patches via MS16-048 in April 2016. Systems updated through standard Windows Update or WSUS channels after that date are protected.

Remediation

Primary control: Apply the MS16-048 security update to all affected systems. Given the confirmed in-the-wild exploitation and ransomware linkage, prioritise patching for:

  • Internet-facing and externally accessible endpoints
  • Domain controllers and other critical infrastructure
  • Systems running legacy or extended-support Windows versions

Compensating controls where patching is not immediately possible:

  • Restrict local login and interactive access to essential administrators only.
  • Enforce application whitelisting (AppLocker or Windows Defender Application Control) to prevent execution of untrusted binaries.
  • Enable Credential Guard and Device Guard on supported Windows 10/Server 2016 and later systems to harden token security.
  • Monitor for anomalous token-elevation events using Sysmon or native Windows Event Log auditing (Event ID 4673, 4674).

Detection

Security operations teams should monitor for indicators of privilege escalation adjacent to CSRSS:

  • Sysmon Event ID 10 (ProcessAccess) showing unusual access to csrss.exe from non-system processes.
  • Windows Security Event ID 4673 (Privileged Service Called) and 4674 (Operation Attempted on a Privileged Object) with object type Token.
  • Endpoint detection rules flagging token-duplication or handle-manipulation API calls (DuplicateTokenEx, SetThreadToken) from user-level processes.
  • EDR telemetry showing child processes of csrss.exe or unexpected token elevation shortly after process creation.

Assessment

CVE-2016-0151 is a textbook example of how a single subsystem-level token-management bug can undermine the entire Windows access-control model. The combination of a local attack vector, low exploitation complexity, and complete system compromise makes it a valuable target for threat actors. Its high EPSS score and confirmed presence on the CISA KEV list, alongside ransomware associations, underscore the need for prompt remediation even on systems that are not directly internet-facing.

Two lessons emerge:

  1. Subsystem integrity is critical. Because CSRSS sits at the boundary between user mode and kernel-assisted services, even a small flaw in its privilege-handling logic cascades into full system compromise.
  2. Patching legacy systems remains essential. Several affected versions (Windows 8.1, Server 2012, early Windows 10 releases) are either in extended support or approaching end-of-life. Organisations retaining these systems must treat them as high-risk and isolate or upgrade them accordingly.

References

Frequently asked questions

What is CVE-2016-0151?
The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."
How severe is CVE-2016-0151?
CVE-2016-0151 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2016-0151 being actively exploited?
Yes. CVE-2016-0151 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2016-0151?
CVE-2016-0151 primarily affects Microsoft Windows 10 1507. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2016-0151?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2016-0151 have an EU (EUVD) identifier?
Yes. CVE-2016-0151 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2016-0189. It is also flagged as exploited in the EUVD (since 2022-03-28).
When was CVE-2016-0151 published?
CVE-2016-0151 was published on 2016-04-12 and last updated on 2026-06-17.

References

Affected products (6)

More vulnerabilities in Microsoft Windows 10 1507

All CVEs affecting Microsoft Windows 10 1507 →

Other CWE-269 (Improper Privilege Management) vulnerabilities

Browse all CWE-269 (Improper Privilege Management) vulnerabilities →