CVE-2016-0007

HIGH

Microsoft Windows - Local Privilege Escalation via Reparse Point Mishandling

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-0007. PoCs published by Google Security Research.

AI-analyzed exploit summary This is a technical analysis of a security feature bypass in Windows 8.1 (CVE-2016-0007) that allows low-integrity processes to create mount point reparse points by impersonating the anonymous token. The writeup details the root cause, exploitation steps, and limitations, including the inability to work with restricted tokens.

Description

The sandbox implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandles reparse points, which allows local users to gain privileges via a crafted application, aka "Windows Mount Point Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0006.

Exploits (2)

exploitdb WRITEUP VERIFIED
by Google Security Research · textlocalwindows
https://www.exploit-db.com/exploits/39310

This is a technical analysis of a security feature bypass in Windows 8.1 (CVE-2016-0007) that allows low-integrity processes to create mount point reparse points by impersonating the anonymous token. The writeup details the root cause, exploitation steps, and limitations, including the inability to work with restricted tokens.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Windows 8.1
No auth needed
Prerequisites: Low integrity process execution · Writable directory for reparse point creation
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Google Security Research · textlocalwindows
https://www.exploit-db.com/exploits/39311

The exploit demonstrates a bypass for the CVE-2015-2553 fix by leveraging shadow object directories to create mount reparse points at low integrity, allowing privilege escalation. It uses NtCreateObjectDirectoryEx to shadow GLOBAL?? and manipulate dos device paths.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows 10
No auth needed
Prerequisites: Low integrity execution context · Writable directory for PoC execution
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6
Core References
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-008
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1034645
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://code.google.com/p/google-security-research/issues/detail?id=589
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39311/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/79898
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39310/

Scores

CVSS v3 7.8
EPSS 0.0545
EPSS Percentile 91.7%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-264
Status published
Products (12)
microsoft/windows_10
microsoft/windows_10 1511
microsoft/windows_7
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_rt
microsoft/windows_rt_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1 (2 CPE variants)
microsoft/windows_server_2012
... and 2 more
Published Jan 13, 2016
Tracked Since Feb 18, 2026