CVE-2016-3373

MEDIUM

Microsoft Windows 10 - Access Control

Title source: rule

Description

The kernel API in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 does not properly implement registry access control, which allows local users to obtain sensitive account information via a crafted application, aka "Windows Kernel Elevation of Privilege Vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · localwindows

https://www.exploit-db.com/exploits/40430

View Code ZIP pw:eip

References (4)

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1036802

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/92845

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/40430/

[Vendor Advisory] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-111

Scores

CVSS v3 5.5

EPSS 0.0947

EPSS Percentile 92.7%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Classification

CWE

CWE-264

Status published

Affected Products (12)

n/a/n/a

microsoft/windows_10

microsoft/windows_10

microsoft/windows_10

microsoft/windows_7

microsoft/windows_8.1

microsoft/windows_rt_8.1

microsoft/windows_server_2008

microsoft/windows_server_2008

microsoft/windows_server_2012

microsoft/windows_server_2012

microsoft/windows_vista

Timeline

Published Sep 14, 2016

Tracked Since Feb 18, 2026