Windows 10: Proof of Concept for vulnerability CVE-2022-21882

Windows[German]In January 2022, Microsoft closed the CVE-2022-21882 (Win32k Privilege Escalation) vulnerability in Windows 10/11 and Windows Server 20H2 on Patchday. However, the patch was not installed everywhere because of the many collateral damages. Now a public proof of concept (PoC) for this vulnerability is available. Administrators should check if the January 2022 fix updates can be installed to close the vulnerability. Here is a brief overview of this issue.


I became aware of the issue via the following tweet from colleagues at Bleeping Computer. There it is pointed out that a security researcher had published a proof of concept (PoC). The tweet with the reference to the PoC can be found here.

CVE-2022-21882 is a Win32k Privilege Escalation vulnerability that has been closed by Microsoft for Windows 10 version 1909, 20H2 – 21H2, Windows 11, and Windows Server 20H2 through updates. A local authenticated attacker can gain elevated local system or administrator privileges through the vulnerability in the Win32k.sys driver.

Because of the limitations, this vulnerability is only rated as important. However, Microsoft is aware of a limited number of attacks that attempt to exploit this vulnerability. I had mentioned the vulnerability closed by the January 11, 2022 security update, but also the collateral damage caused by the security update, in the blog post Microsoft Microsoft Januar 2022 Patchday Revisions (2022/01/14).

However, the published proof of concept (POC) might have changed the facts. Will Dormann confirms in the following tweet that the PoC works. 


This tweet also confirms that the PoC can be easily applied. The colleagues at Bleeping Computer have compiled the PoC and were able to reproduce it under Windows 10. However, the PoC did not work under Windows 11, they write in this article.

It remains to be said, however, that this is a locally exploitable vulnerability, so the attacker must have access to the local system. So far, I am not aware that Microsoft has upgraded the threat level. However, administrators should check whether the January 2022 fix updates (see the following list of links) can be installed on affected machines after all.

Similar articles:
Patchday: Windows 10 Updates (January 11, 2022)
Patchday: Windows 11 Updates (January 11, 2022)

Windows Server: January 2022 security updates are causing DC boot loop
Windows VPN connections (L2TP over IPSEC) broken after January 2022 update
Windows Server 2012/R2: January 2022 Update KB5009586 bricks Hyper-V Host
Microsoft patch day issues Jan. 2022: bugs confirmed, but updates not pulled

Microsoft Microsoft Januar 2022 Patchday Revisions (2022/01/14)
Windows Out-of-band Updates fixes Jan. 2022 patch day issues (Jan. 17, 2022)
Windows 10/Server: Out-of-band Updates fixes Jan. 2022 patch day issues (Jan. 17, 2022)
Out-of-band Updates for Windows Server 2019 fixes Jan. 2022 Patch day issues (Jan. 18, 2022)
Windows 7/8.1; Server 2008R2/2012R2: Out-of-band Updates with Fixes for Jan. 2022 Patch day Issues (2022/01/17)

Review: Fix for Windows IPSec VPN Connection Issues
Out-of-Band Updates for Windows (Jan. 17/18, 2022) doesn't fixes ReFS Issues complete
Review: Fix for Hyper-V Host Startup Problem in Windows (January 2022)
Status of January 2022 security updates from Microsoft (2022/01/25)

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security, Update, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *