Skip to content

Defense Digests

Windows 10 Privilege Escalation Vulnerability

Dataprise Defense Digest 550x550

Table of content

Executive Summary

Following the recent release of Windows 10 patches (January 11, 2022), security researchers have created a proof of concept exploit that allows a user to escalate their privileges to administrator through a specific vulnerable driver. This exploit was demonstrated to be highly effective and easy to use, making it a significant threat. This vulnerability allows any regular unprivileged Windows 10 user to elevate their privileges easily. A malicious attacker could use this exploit to move laterally to other machines in the network, execute commands as an administrator, and ultimately compromise your corporate environment.

Many administrators have not applied the January 2022 updates containing the patch for this Win32k Elevation of Privilege Vulnerability due to the significant number of critical bugs introduced by the January 2022 updates including; reboots, L2TP VPN problems, inaccessible ReFS volumes, and Hyper-V issues. This means the attack surface for this vulnerability is very large and needs to be addressed immediately.


This vulnerability affects all supported versions of Windows 10 before the January 2022 Patch Tuesday updates.

A malicious threat actor could make kernel calls via the appropriate application programming interface’s (API) in user-mode, then intercept the callback. This intercepted callback would then be modified, but unpatched systems do not check for this change. With the resulting type confusion, the attacker can read and write to out-of-bounds memory locations which can result in privilege escalation.

Detailed Analysis

Context of vulnerability (from February 2021 releases):

By intercepting the callback from a GUI API call in user_mode such as xxxTooltipWndProc, attackers can use NtUserConsoleControl to set the ConsoleWindow flag of the tagWND object. This change to the window type is not detected in the unpatched versions and incorrect data is referenced due to type confusion. The system then accepts that the tagWND.WndExtra is the offset of the kernel desktop heap. Controlling this offset, the attacker can read and write out-of-bounds, enabling escalation of local privileges.

Mitigation Steps

Patch systems immediately to OS Builds 22000.434, 19042.1466, 19043.1466, and 19044.1466. This patch added a check code, creating a false return in the process described above.

To check against these vulnerabilities:

  1. After the xxxClientAllocWindowClassExtraBytes callback is completed, determine whether the window object contains the 0x800 flag before the function return.
  2. When flag has been set,it can be identified according to the calling path of xxxClientAllocWindowClassExtraBytes.
  3. When the stack path is xxxCreateWindowEx -> xxxClientallocxxxxExtraBytes (CVE-2021-1732).

  4. In other cases it is (CVE-2022-21882).

  5. Google Project Zero

Download the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). Prerequisite:

For Windows Server Update Services (WSUS) deployment or when installing the standalone package from Microsoft Update Catalog:

  • If your devices do not have the May 11, 2021 update (KB5003173) or later LCU, you must install the special standalone August 10, 2021 SSU (KB5005260).
  • This update will automatically sync with WSUS if you configure Products and Classifications as follows:

    • Product: Windows 11


Contributing Authors

  • Sam Bourgeois, vCISO
  • Stephen Jones, Vice President Cybersecurity

View all Dataprise Defense Digests here.

Recent Tweets


Learn about the latest threats and vulnerabilities with our D3 alerts.

Subscribe to get real-time notifications when a new Dataprise Defense Digest is published.