CVE-2021-40449
CVE-2021-40449 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-17). The underlying weakness is classified as CWE-416.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 4.6
- EPSS exploit prediction: 73% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-17)
- EU (EUVD) id: EUVD-2021-27626
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-17)
- Weakness: CWE-416
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
Win32k Elevation of Privilege Vulnerability
CVE-2021-40449: Win32k Use-After-Free Local Privilege Escalation
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2021-40449 is a use-after-free vulnerability located in the Windows Win32k kernel-mode graphics subsystem. An attacker with local access and low-privileged credentials can trigger the flaw to escalate privileges to SYSTEM level, gaining full control over the affected host.
Background
Win32k.sys is the kernel-mode component in Windows responsible for window management, graphics rendering, and user input processing. The NtGdiResetDC system call is part of the Graphics Device Interface (GDI) and is used to reset a device context (DC) object. Because Win32k runs in kernel space, any memory-safety bug within it crosses the user-kernel boundary and becomes a potent privilege escalation vector. Historically, Win32k has been a frequent target for both security researchers and threat actors due to its large attack surface and direct accessibility from user-mode processes.
Root Cause
The vulnerability is classified under CWE-416: Use After Free. The flaw occurs in the Win32k driver's handling of the NtGdiResetDC API. During the reset operation, a device context object can be freed while a stale reference to it remains in use. Subsequent access through this dangling pointer results in memory corruption, which an attacker can groom and exploit to execute arbitrary code in kernel mode. The root cause is a failure to properly synchronize object lifetime management during DC reset operations.
Impact
The Common Vulnerability Scoring System (CVSS) v3.1 vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 7.8 (High). The metrics indicate a local attack vector, low attack complexity, low privileges required, and no user interaction. A successful exploit results in high impact to confidentiality, integrity, and availability, effectively granting the attacker SYSTEM-level access on the compromised endpoint.
Exploitation Walkthrough
Ethics Notice: This section describes the exploitation scenario from a defensive perspective only. No weaponized exploit code or step-by-step attack instructions are provided.
An attacker who has already gained an initial foothold on a Windows endpoint—through phishing, malware, or other means—can execute the attack from a low-privileged user context. The exploitation workflow conceptually involves:
- Triggering the vulnerable path: The attacker invokes the
NtGdiResetDCsystem call in a way that causes the target DC object to be freed. - Reclaiming the freed memory: Using standard kernel heap grooming techniques, the attacker reallocates the freed memory with attacker-controlled data before the kernel accesses the stale pointer.
- Gaining kernel execution: By controlling the contents of the reclaimed memory, the attacker can manipulate kernel execution flow and escalate their process token to SYSTEM privileges.
This vulnerability was exploited in the wild as a zero-day prior to the release of a patch, demonstrating that advanced threat actors had already weaponized the flaw.
Affected and Patched Versions
The following Microsoft Windows versions are affected according to the vulnerability data:
- Windows 7 SP1
- Windows 8.1
- Windows RT 8.1
- Windows 10 (versions 1507, 1607, 1809, 1909, 2004, 20H2, 21H1)
- Windows 11 (initial release and 21H2)
- Windows Server 2008 SP2 and R2 SP1
- Windows Server 2012 and 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2004 and 20H2
Microsoft released security updates to address this vulnerability. Administrators should consult the Microsoft Security Response Center advisory for specific patch availability and build numbers.
Remediation
Primary: Apply the latest Microsoft security updates for all affected Windows versions as soon as possible. Prioritize workstations and servers that are internet-facing or accessible to a large user base.
Compensating Controls:
- Enforce the principle of least privilege; restrict local logon rights where not required.
- Deploy application control policies to block untrusted executables from running.
- Ensure endpoints run modern anti-malware and endpoint detection and response (EDR) tools with up-to-date signatures.
- For environments with elevated risk, consider disabling unnecessary user-mode access to GDI functions where feasible through hardening guidelines.
Detection
Defenders should monitor for:
- Anomalous sequences of
NtGdiResetDCcalls originating from non-system processes, especially those running under low-privileged accounts. - Privilege escalation events where a user-mode process unexpectedly obtains SYSTEM-level token privileges.
- Suspicious win32k.sys access patterns reported by kernel exploit detection sensors.
- EDR or sysmon telemetry showing unusual memory allocation and release patterns in the context of graphics subsystem activity.
Assessment
This vulnerability carries an EPSS score of 0.73381 (99.4th percentile), indicating a high probability of exploitation in the wild. It is listed in both the CISA Known Exploited Vulnerabilities catalog (added 2021-11-17) and the EU Vulnerability Database (EUVD-2021-27626), confirming active exploitation by threat actors. The combination of a high CVSS score, a simple local attack vector, and confirmed in-the-wild use makes this a critical patching priority.
Key lessons:
- Kernel surface reduction remains one of the most effective long-term strategies for limiting privilege escalation attacks on Windows endpoints.
- The historical pattern of Win32k vulnerabilities being exploited as zero-days underscores the need for rapid patching cycles, especially for organizations with high-value assets.
References
Frequently asked questions
- What is CVE-2021-40449?
- Win32k Elevation of Privilege Vulnerability
- How severe is CVE-2021-40449?
- CVE-2021-40449 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-40449 being actively exploited?
- Yes. CVE-2021-40449 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-17, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-40449?
- CVE-2021-40449 primarily affects Microsoft Windows 10 1507. In total, 21 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-40449?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-40449 have an EU (EUVD) identifier?
- Yes. CVE-2021-40449 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-27626. It is also flagged as exploited in the EUVD (since 2021-11-17).
- When was CVE-2021-40449 published?
- CVE-2021-40449 was published on 2021-10-13 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/164926/Win32k-NtGdiResetDC-Use-After-Free-Local-Privilege-Escalation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40449
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40449
Affected products (21)
- cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1909:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_2004:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h1:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2004:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…
All CVEs affecting Microsoft Windows 10 1507 →
Other CWE-416 (Use After Free) vulnerabilities
- CVE-2026-13782 — Critical (CVSS 10.0): Use after free in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the…
- CVE-2026-4725 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149…
- CVE-2026-4688 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox…
- CVE-2025-24085 — Critical (CVSS 10.0): A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.3 and iPadOS 18.3,…
- CVE-2024-43102 — Critical (CVSS 10.0): Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of…
- CVE-2021-32495 — Critical (CVSS 10.0): Radare2 has a use-after-free vulnerability in pyc parser's get_none_object function. Attacker can read freed memory…