CVE-2016-3309

HIGH KEV RANSOMWARE

Microsoft Windows - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2016-3309 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including siberas.

AI-analyzed exploit summary This exploit targets a pool-based overflow vulnerability in win32kfull!bFill (CVE-2016-3309) to achieve local privilege escalation (LPE) to SYSTEM on Windows 10 x64 (Creators Update, build 15063.540). It includes three techniques: Bitmaps, Palettes, and a deadlock PoC.

Description

The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311.

Exploits (2)

exploitdb WORKING POC
by siberas · textlocalwindows_x86-64
https://www.exploit-db.com/exploits/42960

This exploit targets a pool-based overflow vulnerability in win32kfull!bFill (CVE-2016-3309) to achieve local privilege escalation (LPE) to SYSTEM on Windows 10 x64 (Creators Update, build 15063.540). It includes three techniques: Bitmaps, Palettes, and a deadlock PoC.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows 10 x64 (Creators Update, build 15063.540)
Auth required
Prerequisites: Local access to the target system · Vulnerable Windows 10 build (15063.540)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 54 stars
by siberas · local
https://github.com/siberas/CVE-2016-3309_Reloaded

This repository contains functional exploit code for CVE-2016-3309, a Windows kernel vulnerability involving bitmap object manipulation to achieve arbitrary read/write capabilities. The code demonstrates techniques to overwrite kernel structures and escalate privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Microsoft Windows (x64, build 15063.540)
No auth needed
Prerequisites: Windows 10 x64 (build 15063.540) · Local access to the system
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42960/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036572
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/92297
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-098

Scores

CVSS v3 7.8
EPSS 0.2062
EPSS Percentile 97.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-15
VulnCheck KEV 2022-03-15
InTheWild.io 2022-03-15
ENISA EUVD EUVD-2016-4341
Ransomware Use Confirmed
Status published
Products (11)
microsoft/windows_10_1507
microsoft/windows_10_1511
microsoft/windows_10_1607
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
... and 1 more
Published Aug 09, 2016
KEV Added Mar 15, 2022
Tracked Since Feb 18, 2026