CVE-2016-3219

HIGH

Windows 10 - Local Privilege Escalation via Kernel-Mode Driver

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-3219. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit bypasses the ProcessFontDisablePolicy in Windows 10 by exploiting a race condition in win32k, allowing arbitrary font loading from disk. It uses object manager directory shadowing and oplocks to switch the font path after the initial check.

Description

The kernel-mode driver in Microsoft Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · textdoswindows_x86
https://www.exploit-db.com/exploits/39993

This exploit bypasses the ProcessFontDisablePolicy in Windows 10 by exploiting a race condition in win32k, allowing arbitrary font loading from disk. It uses object manager directory shadowing and oplocks to switch the font path after the initial check.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Windows 10 (win32k.sys)
No auth needed
Prerequisites: Low integrity execution context · Writable local disk location · Copy of pacifioc.ttf font file
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39993/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036101

Scores

CVSS v3 7.8
EPSS 0.0613
EPSS Percentile 92.5%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-264
Status published
Products (2)
microsoft/windows_10
microsoft/windows_10 1511
Published Jun 16, 2016
Tracked Since Feb 18, 2026