CVE-2021-31956 Overview
CVE-2021-31956 is an elevation of privilege vulnerability in the Windows NTFS file system driver. The flaw stems from an integer underflow [CWE-191] in ntfs.sys triggered through the NtfsQueryEaUserEaList function when processing Extended Attributes. A local authenticated attacker can leverage this condition to corrupt kernel memory and execute code with SYSTEM privileges. CISA added CVE-2021-31956 to the Known Exploited Vulnerabilities catalog, and the issue was chained with a Chromium zero-day in the PuzzleMaker attack campaign reported by Kaspersky in mid-2021. The vulnerability affects every supported Windows client and server release at the time of disclosure, including Windows 10, Windows 8.1, Windows 7, and Windows Server 2008 through 2019.
Critical Impact
Authenticated local attackers can escalate to SYSTEM by exploiting an NTFS integer underflow, enabling full kernel-mode compromise and persistence. Active exploitation has been confirmed by CISA.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 1909, 2004, 20H2, 21H1)
- Microsoft Windows 7 SP1, Windows 8.1, Windows RT 8.1
- Microsoft Windows Server 2008, 2012, 2016, 2019, Server 2004, Server 20H2
Discovery Timeline
- 2021-06-08 - CVE-2021-31956 published to NVD and patched in Microsoft's June 2021 Patch Tuesday
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2021-31956
Vulnerability Analysis
The vulnerability resides in the NTFS driver's handling of Extended Attribute (EA) queries. When a caller invokes NtQueryEaFile with a user-supplied EaList, the kernel routes the request through NtfsQueryEaUserEaList in ntfs.sys. The function calculates the remaining output buffer space using a 32-bit length subtraction without validating that the EA entry's padded size is smaller than the available output length. When the padded length exceeds the remaining buffer size, the subtraction wraps around, producing a very large unsigned value.
The driver then proceeds to copy attacker-controlled EA data into a paged pool allocation using the underflowed length as its bounds check. The result is an out-of-bounds write into adjacent pool memory. Skilled attackers shape the paged pool layout using Windows Notification Facility (WNF) objects and pipe attributes to overwrite a chosen WNF state data structure, ultimately gaining arbitrary kernel read/write primitives.
Root Cause
The root cause is an integer underflow [CWE-191] in NTFS Extended Attribute parsing. The length arithmetic uses unchecked unsigned subtraction, allowing the size validation to be bypassed when a crafted EA list is supplied.
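The following Python is an added illustration of the length arithmetic described in the analysis and root cause above; it is a simplified model written for this page, not code from ntfs.sys, and the 32-byte output buffer, 4-byte entry alignment and adjacent-allocation layout are assumptions.

```python
U32_MASK = 0xFFFFFFFF   # emulate the driver's 32-bit unsigned length arithmetic
OUT_BUF_SIZE = 32       # caller's output buffer size (constructed)
NEIGHBOUR = b"N" * 16   # adjacent pool allocation that must stay intact (constructed)

def padded_size(entry: bytes) -> int:
    """EA entries are padded to a 4-byte boundary (assumed alignment)."""
    return (len(entry) + 3) & ~3

def new_pool() -> bytearray:
    """Output buffer immediately followed by a neighbouring allocation."""
    return bytearray(OUT_BUF_SIZE) + bytearray(NEIGHBOUR)

def copy_entries_vulnerable(pool: bytearray, entries: list) -> int:
    """Models the flaw: each copy is clipped to `remaining`, but `remaining`
    is then decremented by the full padded size with no check, so it wraps
    to ~4 GiB and every later entry is copied in full, past the buffer end."""
    remaining, offset = OUT_BUF_SIZE, 0
    for entry in entries:
        size = padded_size(entry)
        n = min(size, remaining)                   # bounds check trusts `remaining`
        pool[offset:offset + n] = entry.ljust(size, b"\0")[:n]
        offset += n
        remaining = (remaining - size) & U32_MASK  # e.g. 8 - 16 -> 0xFFFFFFF8
    return offset

def copy_entries_fixed(pool: bytearray, entries: list) -> int:
    """Hardened form: refuse an entry that does not fit before subtracting."""
    remaining, offset = OUT_BUF_SIZE, 0
    for entry in entries:
        size = padded_size(entry)
        if size > remaining:
            raise ValueError("entry exceeds output buffer (STATUS_BUFFER_OVERFLOW)")
        pool[offset:offset + size] = entry.ljust(size, b"\0")
        offset += size
        remaining -= size
    return offset

def neighbour_intact(pool: bytearray) -> bool:
    """True while the allocation after the output buffer is untouched."""
    return bytes(pool[OUT_BUF_SIZE:]) == NEIGHBOUR

# Constructed EA list: 24 + 16 bytes overruns the 32-byte buffer; the third
# entry is then written entirely outside it by the vulnerable loop.
EA_LIST = [b"A" * 24, b"B" * 16, b"C" * 16]
```

Running the vulnerable loop over EA_LIST overwrites the neighbouring allocation, while the fixed loop stops at the second entry and leaves it intact.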
Attack Vector
Exploitation requires local access and low-privileged code execution. The attacker creates a file, writes a malicious set of Extended Attributes, and then calls NtQueryEaFile with a specially crafted EaList parameter. No user interaction is required. The resulting kernel pool corruption is converted into SYSTEM-level code execution, typically as the second stage of a sandbox-escape or post-exploitation chain.
The vulnerability mechanism is documented in detail in the Microsoft Security Advisory CVE-2021-31956 and in public research describing the PuzzleMaker campaign.
Detection Methods for CVE-2021-31956
Indicators of Compromise
- Unexpected child processes spawned by browser renderer processes or other sandboxed applications running as SYSTEM
- Suspicious creation or modification of Extended Attributes on NTFS files by unprivileged user processes
- Presence of dropped payloads associated with the PuzzleMaker activity cluster in %ProgramData% or %TEMP%
- Kernel pool corruption crashes (BSOD with BAD_POOL_HEADER or KERNEL_MODE_HEAP_CORRUPTION) immediately following EA query activity
Detection Strategies
- Monitor for processes invoking NtQueryEaFile or NtSetEaFile against files containing oversized or malformed EA records
- Hunt for token manipulation events where a low-integrity process suddenly executes with SYSTEM token attributes
- Correlate browser sandbox escapes with subsequent privileged process creation within short time windows
- Inspect Microsoft-Windows-Kernel-General and Sysmon Event ID 1 logs for anomalous parent-child chains originating from sandboxed processes
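As an added example of the parent-child and time-window correlation described in the strategies above (not code from the page or from any vendor), the following Python runs two rules over constructed Sysmon Event ID 1 records: an elevated process descending from a Low-integrity process, and an elevated process starting within a window of such a process spawning a child. The 60-second window, paths and GUIDs are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # "short time window"; 60 s is an assumed value
ELEVATED = {"High", "System"}    # IntegrityLevel values that should never follow a sandbox
FMT = "%Y-%m-%d %H:%M:%S.%f"     # Sysmon UtcTime format

# Constructed Sysmon Event ID 1 records (Sysmon field names, made-up GUIDs/paths).
EVENTS = [
    {"UtcTime": "2021-06-01 10:00:00.000", "ProcessGuid": "{G1}", "IntegrityLevel": "Low",
     "Image": r"C:\Program Files\Google\Chrome\chrome.exe", "ParentProcessGuid": "{G0}"},
    {"UtcTime": "2021-06-01 10:00:04.500", "ProcessGuid": "{G2}", "IntegrityLevel": "System",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentProcessGuid": "{G1}"},
    {"UtcTime": "2021-06-01 10:00:40.000", "ProcessGuid": "{G4}", "IntegrityLevel": "System",
     "Image": r"C:\Windows\System32\svchost.exe", "ParentProcessGuid": "{G9}"},
    {"UtcTime": "2021-06-01 10:30:00.000", "ProcessGuid": "{G3}", "IntegrityLevel": "System",
     "Image": r"C:\Windows\System32\svchost.exe", "ParentProcessGuid": "{G9}"},
]

def descends_from_sandbox(event: dict, by_guid: dict) -> bool:
    """Walk ParentProcessGuid links; True if any known ancestor ran at Low integrity."""
    guid, seen = event["ParentProcessGuid"], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        if by_guid[guid]["IntegrityLevel"] == "Low":
            return True
        guid = by_guid[guid]["ParentProcessGuid"]
    return False

def detect(events: list) -> list:
    """Return (ProcessGuid, reason) for every elevated process that either descends
    from a Low-integrity process or starts within WINDOW of one spawning a child."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    spawn_times = [datetime.strptime(e["UtcTime"], FMT) for e in events
                   if by_guid.get(e["ParentProcessGuid"], {}).get("IntegrityLevel") == "Low"]
    alerts = []
    for e in events:
        if e["IntegrityLevel"] not in ELEVATED:
            continue
        t = datetime.strptime(e["UtcTime"], FMT)
        if descends_from_sandbox(e, by_guid):
            alerts.append((e["ProcessGuid"], "elevated child of sandboxed process"))
        elif any(timedelta(0) <= t - s <= WINDOW for s in spawn_times):
            alerts.append((e["ProcessGuid"], "elevated process within window of sandbox spawn"))
    return alerts
```

The window rule is deliberately coarse and is meant to feed triage alongside the ancestry rule, not to page on its own.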
Monitoring Recommendations
- Enable kernel pool corruption telemetry and forward WER crash reports to a central SIEM for analysis
- Track patch compliance for the June 2021 cumulative update across every Windows host in the environment
- Alert on local privilege escalation behaviors such as access token duplication from winlogon.exe or lsass.exe by non-system processes
How to Mitigate CVE-2021-31956
Immediate Actions Required
- Apply the June 2021 (or later) Microsoft cumulative security update to every affected Windows client and server
- Audit endpoints listed in the CISA Known Exploited Vulnerabilities Catalog entry and prioritize remediation per BOD 22-01
- Restrict local logon and remove unnecessary local accounts on high-value servers to reduce the attacker prerequisite
- Validate that endpoint protection is enforcing kernel exploit mitigations and reporting tamper attempts
Patch Information
Microsoft addressed CVE-2021-31956 in the June 8, 2021 Patch Tuesday release. Refer to the Microsoft Security Advisory CVE-2021-31956 for the specific KB articles applicable to each Windows version. Systems that have received any cumulative update from June 2021 onward are protected.
Workarounds
- No official vendor workaround exists; patching is the only complete remediation
- Limit local code execution on sensitive hosts by enforcing application allow-listing through Windows Defender Application Control or AppLocker
- Enable Hypervisor-protected Code Integrity (HVCI) and Credential Guard to raise the cost of kernel exploitation
- Decommission or isolate end-of-life Windows 7 and Server 2008 systems that cannot receive current updates
# Verify patch installation for the June 2021 rollup on a Windows host
# (findstr with a quoted, space-separated list matches any one of the KB numbers)
wmic qfe list brief /format:table | findstr /I "KB5003637 KB5003646 KB5003635 KB5003638 KB5003671 KB5003667"
# Confirm HVCI is enabled to mitigate kernel exploitation
# (SecurityServicesRunning contains 2 when HVCI is running; 1 denotes Credential Guard)
powershell -Command "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object SecurityServicesRunning"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.