CVE-2016-0095

HIGH EXPLOITED

Microsoft Windows - Local Privilege Escalation via Kernel-Mode Driver


Exploitation Summary

CVE-2016-0095 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including fengjixuchui, AmazingOut, Ascotbe.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2016-0095, a Windows kernel vulnerability in the GDI component. The exploit leverages a use-after-free condition to achieve local privilege escalation (LPE) by manipulating bitmap objects and executing shellcode to elevate privileges to SYSTEM.

Description

The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0093, CVE-2016-0094, and CVE-2016-0096.

Exploits (3)

nomisec WORKING POC 1 star
by fengjixuchui · remote
https://github.com/fengjixuchui/cve-2016-0095-x64

This repository contains a functional exploit for CVE-2016-0095, a Windows kernel vulnerability in the GDI component. The exploit leverages a use-after-free condition to achieve local privilege escalation (LPE) by manipulating bitmap objects and executing shellcode to elevate privileges to SYSTEM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 7 Ultimate x64 (MS16-034)
No auth needed
Prerequisites: Local access to a vulnerable Windows 7 x64 system
devstral-2 · analyzed Feb 18, 2026

github WORKING POC
by AmazingOut · cpoc
https://github.com/AmazingOut/CVE_POC/tree/main/CVE-2016-0095

This repository contains functional exploit code for CVE-2016-0095, a null pointer dereference vulnerability in Windows 7 SP1 x86. The exploit leverages GDI bitmap manipulation to achieve local privilege escalation (LPE) to SYSTEM by corrupting kernel memory and replacing the token of the current process.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 7 SP1 x86
No auth needed
Prerequisites: Windows 7 SP1 x86 environment · Local access to the target system
devstral-2 · analyzed Feb 27, 2026

patchapalooza NO CODE
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/84072
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-16-196
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035212

Scores

CVSS v3 7.8
EPSS 0.1526
EPSS Percentile 94.8%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-11-03
CWE CWE-264
Status published
Products (10)
microsoft/windows_10
microsoft/windows_10 1511
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_vista
Published Mar 09, 2016
Tracked Since Feb 18, 2026