CVE-2016-3302

MEDIUM

Microsoft Windows 10 - Access Control

Title source: rule

Description

Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607, when the lock screen is enabled, do not properly restrict the loading of web content, which allows physically proximate attackers to execute arbitrary code via a (1) crafted Wi-Fi access point or (2) crafted mobile-broadband device, aka "Windows Lock Screen Elevation of Privilege Vulnerability."

References (3)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/92853

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1036799

[Patch, Vendor Advisory] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-112

Scores

CVSS v3 6.3

EPSS 0.0110

EPSS Percentile 77.8%

Attack Vector PHYSICAL

CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-264

Status published

Affected Products (7)

n/a/n/a

microsoft/windows_10

microsoft/windows_8.1

microsoft/windows_rt_8.1

microsoft/windows_server_2012

Timeline

Published Sep 14, 2016

Tracked Since Feb 18, 2026