CVE-2019-1458
CVE-2019-1458 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-01-10).
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 7.2
- EPSS exploit prediction: 74% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-01-10)
- EU (EUVD) id: EUVD-2019-10015
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-01-10)
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.
CVE-2019-1458: Win32k Local Privilege Escalation in Windows
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2019-1458 is a local privilege escalation vulnerability in the Windows Win32k kernel-mode driver. The flaw occurs when Win32k fails to properly handle objects in memory, allowing an authenticated local attacker to execute arbitrary code with elevated privileges.
Background
Win32k.sys is the kernel-side component of the Windows graphics subsystem. It handles window management, user interface rendering, and input processing. Because it operates in kernel mode, vulnerabilities in Win32k can have severe security consequences, including complete system compromise.
Root Cause
The vulnerability stems from improper handling of objects in memory within the Win32k component. The specific CWE identifier was not provided in the source data, but the nature of the flaw involves memory management errors in a kernel-mode driver that lead to privilege escalation.
Impact
This vulnerability is rated High severity with a CVSS 3.1 score of 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker with local access and low-level privileges can exploit this flaw without user interaction. Successful exploitation results in complete compromise of confidentiality, integrity, and availability at the system level.
Exploitation Walkthrough
Public exploit code for this vulnerability exists and has been circulated under names such as "WizardOpium." Attackers typically leverage this flaw as part of a multi-stage exploit chain, combining an initial access vector (such as a browser vulnerability or malicious document) with this local privilege escalation to achieve SYSTEM-level access.
From a defensive perspective, exploitation requires:
- Local access to the target system
- Ability to execute code in the context of a low-privileged user
Ethics Note: This section describes the vulnerability conceptually for defensive purposes. Security practitioners should use this information to improve detection and hardening, not for unauthorized access.
Affected and Patched Versions
The following product versions are affected according to the NVD record:
- Windows 7 SP1
- Windows 8.1
- Windows RT 8.1
- Windows 10 (versions 1507, 1607)
- Windows Server 2008 SP2
- Windows Server 2008 R2 SP1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Specific patch details are available in the Microsoft Security Response Center advisory.
Remediation
- Apply Security Updates: Install the latest Microsoft security updates for affected Windows versions. Refer to the Microsoft Security Response Center advisory for specific patch guidance.
- Upgrade End-of-Life Systems: Windows 7 and Windows Server 2008 have reached end of support. Organizations should migrate to supported operating systems to receive continued security updates.
- Principle of Least Privilege: Restrict local user privileges where possible to reduce the attack surface for privilege escalation chains.
- Application Control: Implement application whitelisting to prevent execution of untrusted code that could be used to trigger this vulnerability.
Detection
- Monitor for anomalous process behavior where a low-privileged process suddenly gains SYSTEM privileges.
- Look for suspicious activity involving Win32k.sys, such as unexpected kernel callbacks or memory corruption indicators.
- Endpoint detection and response (EDR) solutions can flag known exploit tooling associated with this vulnerability.
Assessment
With an EPSS score of 0.74438 (74.4% probability of exploitation) and a 99.43 percentile ranking, this vulnerability presents a high likelihood of active exploitation. It was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on January 10, 2022, and the European Union Vulnerability Database (EUVD-2019-10015) also lists it as actively exploited since the same date.
Key lessons:
- Legacy systems amplify risk: The inclusion of end-of-life Windows versions in the affected list underscores the danger of maintaining unsupported operating systems in production environments.
- Kernel memory safety is critical: Memory handling errors in kernel-mode components continue to be a primary source of high-impact privilege escalation vulnerabilities that are actively targeted by threat actors.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1458
- http://packetstormsecurity.com/files/156651/Microsoft-Windows-WizardOpium-Local-Privilege-Escalation.html
- http://packetstormsecurity.com/files/159569/Microsoft-Windows-Uninitialized-Variable-Local-Privilege-Escalation.html
Frequently asked questions
- What is CVE-2019-1458?
- An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.
- How severe is CVE-2019-1458?
- CVE-2019-1458 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-1458 being actively exploited?
- Yes. CVE-2019-1458 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-01-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-1458?
- CVE-2019-1458 primarily affects Microsoft Windows 10 1507. In total, 13 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-1458?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-1458 have an EU (EUVD) identifier?
- Yes. CVE-2019-1458 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-10015. It is also flagged as exploited in the EUVD (since 2022-01-10).
- When was CVE-2019-1458 published?
- CVE-2019-1458 was published on 2019-12-10 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/156651/Microsoft-Windows-WizardOpium-Local-Privilege-Escalation.html
- http://packetstormsecurity.com/files/159569/Microsoft-Windows-Uninitialized-Variable-Local-Privilege-Escalation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1458
Affected products (13)
- cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:itanium:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…