CVE-2016-0079

MEDIUM

Windows 10 Gold, 1511, and 1607 - Local Privilege Escalation via Registry API Call

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-0079. PoCs published by Google Security Research.

AI-analyzed exploit summary This C# PoC exploits CVE-2016-0079, a Windows kernel vulnerability in NtLoadKeyEx where a read-only flag is incorrectly ignored upon failure, allowing arbitrary file writes and privilege escalation via symbolic link manipulation.

Description

The kernel in Microsoft Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application that makes an API call to access sensitive information in the registry, aka "Windows Kernel Local Elevation of Privilege Vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · localwindows
https://www.exploit-db.com/exploits/40608

This C# PoC exploits CVE-2016-0079, a Windows kernel vulnerability in NtLoadKeyEx where a read-only flag is incorrectly ignored upon failure, allowing arbitrary file writes and privilege escalation via symbolic link manipulation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows 10 10586 (potentially Windows 8.1 Update 2 or Windows 7)
No auth needed
Prerequisites: User-level access to the system · Ability to create symbolic links · Access to manipulate registry hive files
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/93357
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40608/

Scores

CVSS v3 5.0
EPSS 0.0500
EPSS Percentile 91.1%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (3)
microsoft/windows_10
microsoft/windows_10 1511
microsoft/windows_10 1607
Published Oct 14, 2016
Tracked Since Feb 18, 2026