CVE-2016-0100

HIGH

Windows Vista SP2 and Server 2008 SP2 - Local Privilege Escalation via Library Loading

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-0100. Includes Metasploit module exploits/windows/fileformat/office_ole_multiple_dll_hijack.

AI-analyzed exploit summary This Metasploit module exploits multiple DLL side-loading vulnerabilities in various COM components by embedding a malicious OLE object in a crafted PPSX file. When opened, the file triggers the loading of a malicious DLL from the current directory, leading to arbitrary code execution.

Description

Microsoft Windows Vista SP2 and Server 2008 SP2 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Library Loading Input Validation Remote Code Execution Vulnerability."

Exploits (2)

exploitdb WORKING POC
rubylocalwindows
https://www.exploit-db.com/exploits/41706

This Metasploit module exploits multiple DLL side-loading vulnerabilities in various COM components by embedding a malicious OLE object in a crafted PPSX file. When opened, the file triggers the loading of a malicious DLL from the current directory, leading to arbitrary code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Office (2007-2016) and various Windows components (Vista-10)
No auth needed
Prerequisites: Victim must open the malicious PPSX file from a directory containing the attacker's DLL
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC NORMAL
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/office_ole_multiple_dll_hijack.rb

This Metasploit module exploits multiple DLL side-loading vulnerabilities in various COM components by embedding a malicious OLE object in an Office document. It generates a payload DLL and crafts a PPSX file to trigger arbitrary code execution when opened from a directory containing the attacker's DLL.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Office (2007-2016) and various Windows components (Vista-10)
No auth needed
Prerequisites: Victim must open the crafted document from a directory containing the attacker's DLL
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035205
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/83930

Scores

CVSS v3 8.4
EPSS 0.6875
EPSS Percentile 98.6%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20 CWE-264
Status published
Products (2)
microsoft/windows_server_2008
microsoft/windows_vista
Published Mar 09, 2016
Tracked Since Feb 18, 2026