CVE-2016-0040

HIGH KEV

Microsoft Windows - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2016-0040 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 28, 2022. EIP tracks 4 public exploits from sources including Metasploit, Rootkitsmm-zz and de7ec7ed, among them the Metasploit module exploits/windows/local/ms16_014_wmi_recv_notif.

AI-analyzed exploit summary: This Metasploit module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl.exe (CVE-2016-0040) to achieve local privilege escalation on Windows 7 SP0/SP1 x64 systems. It injects a reflective DLL into a process (e.g., notepad.exe) to trigger the vulnerability and execute a payload with elevated privileges.

Description

The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."

Exploits (4)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · windows_x86-64
https://www.exploit-db.com/exploits/44586

This Metasploit module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl.exe (CVE-2016-0040) to achieve local privilege escalation on Windows 7 SP0/SP1 x64 systems. It injects a reflective DLL into a process (e.g., notepad.exe) to trigger the vulnerability and execute a payload with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 7 SP0/SP1 x64 (ntoskrnl.exe)
Auth required
Prerequisites: Local access to a vulnerable Windows 7 SP0/SP1 x64 system · Non-admin session · Metasploit framework
devstral-2 · analyzed Feb 16, 2026
nomisec · WRITEUP · 45 stars
by Rootkitsmm-zz · local
https://github.com/Rootkitsmm-zz/cve-2016-0040

The repository provides a reference to a PoC for CVE-2016-0040, which involves an uninitialized pointer vulnerability in the Windows kernel allowing arbitrary data writes to arbitrary addresses. The README directs users to a blog post for technical details but does not include actual exploit code.

Classification: Writeup 80%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Microsoft Windows Kernel
No auth needed
Prerequisites: Access to a vulnerable Windows system
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 14 stars
by de7ec7ed · poc
https://github.com/de7ec7ed/CVE-2016-0040

This repository contains a functional exploit for CVE-2016-0040, a Windows kernel vulnerability in the WMIDataDevice driver. The exploit leverages bitmap manipulation and memory corruption to achieve privilege escalation by targeting the pvScan0 structure in kernel memory.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (kernel-mode driver WMIDataDevice)
No auth needed
Prerequisites: Windows system with vulnerable WMIDataDevice driver · Local access to execute the exploit
devstral-2 · analyzed Feb 18, 2026
metasploit · WORKING POC · NORMAL
by smmrootkit, de7ec7ed, de7ec7ed · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms16_014_wmi_recv_notif.rb

This Metasploit module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl to achieve local privilege escalation on vulnerable Windows 7 SP0/SP1 x64 systems. It reflectively injects a DLL payload to trigger the vulnerability and elevate privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 7 SP0/SP1 x64
Auth required
Prerequisites: Local access to a vulnerable Windows 7 SP0/SP1 x64 system · Meterpreter session
devstral-2 · analyzed Feb 19, 2026

References (4)

Core References
Broken Link, Third Party Advisory, VDB Entry (sectrack): http://www.securitytracker.com/id/1034985
Exploit, Third Party Advisory, VDB Entry (exploit-db): https://www.exploit-db.com/exploits/44586/
Patch, Vendor Advisory (Microsoft): https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-014

Scores

CVSS v3 7.8
EPSS 0.7576
EPSS Percentile 98.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-28
VulnCheck KEV 2022-03-28
InTheWild.io 2022-03-28
ENISA EUVD EUVD-2016-0078
Status published
Products (4)
microsoft/windows_7
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_vista
Published Feb 10, 2016
KEV Added Mar 28, 2022
Tracked Since Feb 18, 2026