The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2023-21754

CVE-2023-21754: Windows 10 1607 Privilege Escalation Flaw

CVE-2023-21754 is a privilege escalation vulnerability in Windows 10 1607 Kernel that allows attackers to gain elevated system privileges. This article covers technical details, affected versions, impact, and mitigation.

Published: February 4, 2026

CVE-2023-21754 Overview

CVE-2023-21754 is a Windows Kernel Elevation of Privilege vulnerability affecting a wide range of Microsoft Windows operating systems, including both client and server editions. This vulnerability allows a local attacker with low privileges to escalate their access to obtain full system-level privileges through exploitation of a flaw in the Windows kernel. The vulnerability is classified as CWE-190 (Integer Overflow or Wraparound), indicating that improper handling of integer arithmetic operations within kernel code can be leveraged for privilege escalation.

Critical Impact

Successful exploitation enables local attackers to elevate privileges from a low-privileged user account to SYSTEM level, potentially gaining complete control over affected Windows systems.

Affected Products

  • Microsoft Windows 10 (versions 1607, 1809, 20H2, 21H2, 22H2)
  • Microsoft Windows 11 (versions 21H2, 22H2)
  • Microsoft Windows 7 SP1, Windows 8.1, Windows RT 8.1
  • Microsoft Windows Server 2008 SP2/R2, 2012/R2, 2016, 2019, 2022

Discovery Timeline

  • January 10, 2023 - CVE-2023-21754 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2023-21754

Vulnerability Analysis

This elevation of privilege vulnerability resides in the Windows kernel and stems from an integer overflow condition (CWE-190). When specific operations involving integer calculations within the kernel are performed, improper validation of arithmetic boundaries can lead to memory corruption or unexpected behavior. An attacker who successfully exploits this vulnerability can execute arbitrary code in kernel mode, effectively bypassing user-mode security restrictions and gaining the highest level of system access.

The vulnerability requires local access to the target system, meaning an attacker must first have the ability to execute code on the target, even with limited privileges. Once exploited, the attacker can perform actions reserved for SYSTEM accounts, including installing programs, viewing and modifying sensitive data, creating new privileged accounts, or persisting on the compromised system.

Root Cause

The root cause of CVE-2023-21754 is an integer overflow vulnerability within the Windows kernel. Integer overflow occurs when an arithmetic operation attempts to create a numeric value outside the range that can be represented with a given number of bits. In this case, improper bounds checking on integer values passed to or processed by kernel functions can result in wraparound behavior, leading to incorrect memory allocations, buffer sizes, or other security-critical calculations that can be manipulated by an attacker.

Attack Vector

The attack vector for this vulnerability is local, requiring the attacker to have pre-existing access to the target system with at least low-level privileges. The exploitation scenario typically involves:

  1. An attacker gains initial access to a Windows system through phishing, credential theft, or other means
  2. The attacker executes a specially crafted application or payload designed to trigger the integer overflow condition in the Windows kernel
  3. The overflow condition corrupts kernel memory or manipulates internal data structures
  4. The attacker leverages this corruption to execute arbitrary code with kernel-level (SYSTEM) privileges

This vulnerability requires no user interaction beyond the initial code execution, making it particularly valuable for lateral movement and privilege escalation within compromised environments.

Detection Methods for CVE-2023-21754

Indicators of Compromise

  • Unusual processes running with SYSTEM privileges that were spawned from low-privilege user sessions
  • Suspicious kernel-mode driver loading or modifications to kernel memory regions
  • Anomalous system call patterns targeting kernel functions associated with memory management or integer operations
  • Unexpected privilege token modifications in process security descriptors

Detection Strategies

  • Monitor for privilege escalation attempts using endpoint detection and response (EDR) solutions such as SentinelOne Singularity
  • Implement Windows Event Log monitoring for Security Event ID 4688 (new process creation) with elevated privileges from unexpected parent processes
  • Deploy behavioral analysis to detect exploitation attempts that trigger kernel-mode code execution from user-mode applications
  • Enable kernel patch protection and validate integrity of kernel memory regions

Monitoring Recommendations

  • Configure SentinelOne agents to detect and alert on privilege escalation behaviors and kernel exploitation techniques
  • Implement continuous monitoring of process privilege levels and token manipulations across enterprise endpoints
  • Enable Windows Defender Credential Guard and Device Guard to reduce attack surface for kernel exploitation
  • Correlate endpoint telemetry with SIEM platforms to identify exploitation patterns across the environment

How to Mitigate CVE-2023-21754

Immediate Actions Required

  • Apply the Microsoft security update for CVE-2023-21754 immediately across all affected Windows systems
  • Prioritize patching for systems exposed to higher risk, such as multi-user environments, terminal servers, and systems with untrusted local users
  • Verify patch deployment using vulnerability scanning tools and asset management systems
  • Enable enhanced audit logging to detect any exploitation attempts prior to patching

Patch Information

Microsoft has released security updates to address this vulnerability as part of their January 2023 Patch Tuesday release. Detailed patch information and download links are available through the Microsoft Security Response Center advisory for CVE-2023-21754. Organizations should apply the appropriate cumulative update for their specific Windows version and architecture (x86, x64, or ARM64).

Workarounds

  • Restrict local logon rights to reduce the number of accounts that could potentially exploit this vulnerability
  • Implement application allowlisting to prevent execution of unauthorized applications that could exploit kernel vulnerabilities
  • Apply principle of least privilege to limit the potential impact of successful exploitation
  • Consider network segmentation to contain systems where patching is delayed
bash
# Configuration example - Audit privilege escalation attempts via Group Policy
# Enable command: Configure via Local Security Policy or Group Policy
# Path: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
# Category: Privilege Use
# Subcategory: Audit Sensitive Privilege Use
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePrivilege Escalation
  • Vendor/TechWindows
  • SeverityHIGH
  • CVSS Score7.8
  • EPSS Probability2.04%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-190
  • NVD-CWE-noinfo
  • Technical References
  • Microsoft Security Update CVE-2023-21754
  • Related CVEs
  • CVE-2026-23672: Windows UDFS Privilege Escalation Flaw
  • CVE-2026-25178: Windows WinSock Driver Privilege Escalation
  • CVE-2026-24283: Windows File Server Privilege Escalation
  • CVE-2026-24294: Windows SMB Server Privilege Escalation
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English