CVE-2018-8120

CVE-2018-8120 is a high-severity vulnerability in Microsoft Windows 7 with a CVSS 3.x base score of 7.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-15). The underlying weakness is classified as CWE-404.

Key facts

Description

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8124, CVE-2018-8164, CVE-2018-8166.

CVE-2018-8120: Win32k Elevation of Privilege in Legacy Windows Systems

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2018-8120 is an elevation of privilege vulnerability in the Win32k kernel-mode driver of legacy Windows operating systems. The flaw occurs when Win32k fails to properly handle objects in memory, enabling an authenticated local attacker to execute arbitrary code with elevated privileges.

Background

Win32k.sys is the kernel-side component of the Windows subsystem responsible for window management, graphics rendering, and user-interface operations. Because it runs in kernel mode, any vulnerability in Win32k that permits code execution can compromise the entire system. This particular vulnerability was disclosed by Microsoft in the May 2018 Patch Tuesday release and was later added to the CISA Known Exploited Vulnerabilities catalog on 15 March 2022, confirming active exploitation in the wild.

Root Cause

The vulnerability is classified under CWE-404: Improper Resource Shutdown or Release. In affected versions, Win32k does not correctly release or validate certain window or menu objects in memory during specific operations. This improper cleanup leads to a use-after-free condition, where freed memory is subsequently accessed. An attacker who controls the timing and content of memory allocations can corrupt kernel memory and redirect execution flow.

Impact

Microsoft assigned this vulnerability a CVSS v2 score of 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C), indicating a local attack vector with low complexity, no authentication requirements, and complete impact on confidentiality, integrity, and availability. Under CVSS v3.1, the score is 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting the need for low-level privileges and high attack complexity, but with high impact across all three security dimensions. Successful exploitation grants attacker code execution at the kernel level, effectively giving them full control over the system.

Exploitation Walkthrough

Attackers typically exploit this flaw by performing the following steps at a conceptual level:

  1. Object allocation: The attacker creates one or more window or menu objects through legitimate Win32 APIs to populate kernel memory.
  2. Triggering the flaw: Through a sequence of API calls, the attacker causes Win32k to free an object without invalidating all associated pointers or handles.
  3. Memory reclamation: The attacker allocates new objects or data in user-mode, leveraging the Windows memory manager to place controlled content at the address of the freed object.
  4. Privilege escalation: When the kernel dereferences the stale pointer, it operates on attacker-controlled data, eventually redirecting execution to shellcode running in kernel context.

Ethics caveat: The description above is provided for defensive awareness only. No working exploit code is included. Security researchers and defenders should use this knowledge to improve detection and patching, not to develop weaponized tools.

Affected and Patched Versions

Affected products include:

  • Microsoft Windows 7 Service Pack 1
  • Microsoft Windows Server 2008 Service Pack 2
  • Microsoft Windows Server 2008 R2 Service Pack 1 (x64 and Itanium)

Microsoft released security updates addressing this vulnerability in May 2018. Systems running these legacy versions should be patched to the latest available update.

Remediation

Primary control: Apply the relevant Microsoft security update from May 2018 Patch Tuesday. The advisory is available at the Microsoft Security Response Center portal.

Compensating controls:

  • Upgrade to a supported Windows version (Windows 10/11 or Windows Server 2016/2019/2022) if feasible, as Windows 7 and Server 2008 have reached end-of-life.
  • Restrict interactive logon and local administrative privileges on systems that must remain on legacy platforms.
  • Enable Attack Surface Reduction (ASR) rules and exploit protection where supported.
  • Isolate legacy systems behind network segmentation to limit lateral movement opportunities.

Detection

Defenders can look for the following indicators and behaviors:

  • Unexpected processes spawned by winlogon.exe or csrss.exe with elevated privileges.
  • Anomalous Win32 API call sequences related to window or menu object manipulation from non-standard processes.
  • Endpoint detection and response (EDR) alerts for kernel-level memory corruption or unexpected system calls.
  • Correlation with known exploitation artifacts documented in the CISA KEV catalog.

Assessment

With an EPSS score of 0.73721 (approximately 73.7% probability of exploitation), this vulnerability sits in the upper percentile of observed risk. Its inclusion in the CISA Known Exploited Vulnerabilities catalog confirms that threat actors have successfully weaponized it in real attacks. The combination of a local attack vector and the existence of public exploitation resources means organizations running unpatched legacy Windows systems face a severe and present danger.

Key lessons:

  1. Legacy system risk: Operating systems past end-of-life continue to harbor high-impact vulnerabilities. Extended support or rapid migration plans are essential for reducing exposure.
  2. Memory safety in kernel code: Improper object lifecycle management remains a recurring source of critical Windows kernel vulnerabilities. Defensive investments in memory tagging, kernel control-flow integrity, and modern hardware mitigations help reduce the blast radius of such bugs.

References

Frequently asked questions

What is CVE-2018-8120?
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8124, CVE-2018-8164, CVE-2018-8166.
How severe is CVE-2018-8120?
CVE-2018-8120 has a CVSS 3.x base score of 7.0, rated high severity. It is exploitable over local access with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2018-8120 being actively exploited?
Yes. CVE-2018-8120 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2018-8120?
CVE-2018-8120 primarily affects Microsoft Windows 7. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2018-8120?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2018-8120 have an EU (EUVD) identifier?
Yes. CVE-2018-8120 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-19796. It is also flagged as exploited in the EUVD (since 2022-03-15).
When was CVE-2018-8120 published?
CVE-2018-8120 was published on 2018-05-09 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Microsoft Windows 7

All CVEs affecting Microsoft Windows 7 →

Other CWE-404 vulnerabilities

Browse all CWE-404 vulnerabilities →