CVE-2006-5758

EXPLOITED

Microsoft Windows 2000 through SP4 and XP through SP2 - Privilege Escalation via GDI Kernel Structure Memory Remapping

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2006-5758 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits.

AI-analyzed exploit summary This exploit targets a vulnerability in Microsoft Windows GDI (CVE-2006-5758) via a maliciously crafted .ANI file, leading to remote elevation of privilege. The exploit leverages a buffer overflow in the handling of animated cursor files to execute arbitrary code.

Description

The Graphics Rendering Engine in Microsoft Windows 2000 through 2000 SP4 and Windows XP through SP2 maps GDI Kernel structures on a global shared memory section that is mapped with read-only permissions, but can be remapped by other processes as read-write, which allows local users to cause a denial of service (memory corruption and crash) and gain privileges by modifying the kernel structures.

Exploits (3)

exploitdb WORKING POC
remotewindows
https://www.exploit-db.com/exploits/3804

This exploit targets a vulnerability in Microsoft Windows GDI (CVE-2006-5758) via a maliciously crafted .ANI file, leading to remote elevation of privilege. The exploit leverages a buffer overflow in the handling of animated cursor files to execute arbitrary code.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows (pre-MS07-017 patch)
No auth needed
Prerequisites: Unpatched Windows system · Ability to deliver malicious .ANI file to target
devstral-2 · analyzed Feb 19, 2026 Full analysis →
exploitdb WORKING POC
clocalwindows
https://www.exploit-db.com/exploits/3755

This exploit leverages a GDI local elevation of privilege vulnerability (CVE-2006-5758) by manipulating a palette object in the GDI shared section to execute arbitrary code in kernel mode. It hooks the GetNearestPaletteIndex function to achieve privilege escalation on unpatched Windows 2000/XP systems.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows 2000/XP (before MS07-017 patch)
No auth needed
Prerequisites: Unpatched Windows 2000/XP system · Local access to the target machine
devstral-2 · analyzed Feb 19, 2026 Full analysis →
exploitdb WORKING POC
clocalwindows
https://www.exploit-db.com/exploits/3688

This exploit demonstrates a local privilege escalation (LPE) vulnerability in Windows GDI (CVE-2006-5758) by manipulating the GDI table to overwrite a win32k.sys SSDT entry, allowing arbitrary kernel code execution. The PoC allocates memory at address 0x2, crafts a payload, and triggers the vulnerability via DeleteObject.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows XP SP2 (GDI)
No auth needed
Prerequisites: Local access to a vulnerable Windows XP SP2 system
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (12)

Core 12
Core References
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1215
Various Sources x_refsource_misc
http://kernelwars.blogspot.com/2007/01/alive.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2056
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4358
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30042
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/archive/1/466186/100/200/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017168
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20940
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22668

Scores

EPSS 0.0107
EPSS Percentile 78.2%

Details

VulnCheck KEV 2008-09-26
CWE
CWE-119
Status published
Products (2)
microsoft/windows_2000
microsoft/windows_xp (3 CPE variants)
Published Nov 06, 2006
Tracked Since Feb 18, 2026