CVE-2021-36975 Overview
CVE-2021-36975 is an elevation of privilege vulnerability in the Microsoft Windows Win32k kernel-mode driver. The flaw affects multiple supported Windows desktop and server releases, including Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server 2022. A local, authenticated attacker who successfully exploits the issue can elevate from a low-integrity user context to SYSTEM-level privileges. Microsoft tracks the weakness under CWE-269: Improper Privilege Management. The CVE was published to the National Vulnerability Database on September 15, 2021.
Critical Impact
Successful exploitation grants SYSTEM privileges on the affected Windows host, providing full confidentiality, integrity, and availability impact on the targeted endpoint.
Affected Products
- Microsoft Windows 10 (versions 1809, 1909, 2004, 20H2, 21H1)
- Microsoft Windows Server 2016 and Windows Server 2019
- Microsoft Windows Server 2022
Discovery Timeline
- 2021-09-15 - CVE-2021-36975 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-36975
Vulnerability Analysis
The vulnerability resides in win32k.sys, the kernel-mode component that handles window management, graphical device interface operations, and user input. Win32k has historically been a frequent source of local privilege escalation flaws because it exposes a large syscall surface from user mode directly into kernel context. Microsoft classifies CVE-2021-36975 as an elevation of privilege issue mapped to [CWE-269], indicating improper privilege management during sensitive kernel operations. Exploitation results in code running at SYSTEM, which allows the attacker to disable security agents, install persistence, dump credentials, or pivot laterally.
Root Cause
The underlying weakness is improper privilege management within Win32k kernel routines reachable from user mode. Microsoft has not published low-level technical details for this issue. Based on the [CWE-269] classification and the local attack vector, the flaw allows a process running with standard user rights to perform an operation that should be reserved for higher-privileged contexts.
Attack Vector
Exploitation requires local access and low-privilege authenticated execution on the target system. No user interaction is needed beyond running the malicious code. Typical delivery paths include execution of a malicious binary after initial access through phishing, a drive-by download, or a compromised application. The attacker invokes the vulnerable Win32k path from a controlled process to obtain a SYSTEM token or arbitrary kernel read/write primitive.
No verified public proof-of-concept code has been published. The vulnerability mechanism is described in prose only — see the Microsoft Security Advisory CVE-2021-36975 for vendor-supplied details.
Detection Methods for CVE-2021-36975
Indicators of Compromise
- Unexpected child processes of standard user applications running with NT AUTHORITY\SYSTEM integrity.
- Creation or loading of unsigned drivers shortly after execution of an untrusted binary.
- Suspicious calls into win32k.sys syscalls from non-GUI processes or short-lived console binaries.
Detection Strategies
- Monitor for token manipulation patterns where a process token's User SID changes to SYSTEM mid-execution.
- Hunt for newly spawned processes whose parent runs as a standard user but child runs as SYSTEM without going through services.exe or lsass.exe.
- Correlate kernel crash events (BugCheck, Event ID 1001) with prior user-mode process activity, which may indicate failed exploitation attempts against Win32k.
Monitoring Recommendations
- Enable and forward Windows Security, Sysmon, and kernel ETW providers to a centralized analytics pipeline for behavioral correlation.
- Track installation of unpatched Windows builds across the fleet using authenticated vulnerability scanning.
- Alert on disablement of endpoint protection services immediately following execution of an unsigned or newly introduced binary.
How to Mitigate CVE-2021-36975
Immediate Actions Required
- Apply the September 2021 cumulative security updates from Microsoft to all affected Windows 10, Windows Server 2016, 2019, and 2022 systems.
- Prioritize patching on multi-user systems, jump hosts, and developer workstations where local code execution by standard users is common.
- Audit local administrator group membership and remove accounts that do not require elevated rights to reduce blast radius.
Patch Information
Microsoft addressed CVE-2021-36975 in the September 2021 Patch Tuesday release. Refer to the Microsoft Security Advisory CVE-2021-36975 for the specific KB articles aligned to each affected Windows build.
Workarounds
- No vendor-supplied workaround is available. Applying the security update is the only supported mitigation.
- Restrict the ability of untrusted users to execute arbitrary binaries through application control policies such as Windows Defender Application Control or AppLocker.
- Enforce least-privilege execution and block macro and script-based initial access vectors to reduce the chance of local code execution.
# Verify the September 2021 cumulative update is installed (PowerShell)
Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date "2021-09-14") } | \
Sort-Object InstalledOn -Descending | \
Format-Table HotFixID, Description, InstalledOn
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
