CVE-2017-0263

HIGH KEV

Microsoft Windows - Use-After-Free in Kernel-Mode Drivers

Title source: llm

Exploitation Summary

CVE-2017-0263 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 10, 2022. EIP tracks 2 public exploits from researchers including xiaodaozhi, R06otMD5.

AI-analyzed exploit summary This exploit targets CVE-2017-0263, a Windows kernel vulnerability in win32k.sys, to achieve local privilege escalation (LPE) by manipulating window objects and executing shellcode in kernel mode. The PoC includes shellcode to replace the token of a target process with that of the system process.

Description

The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

Exploits (2)

exploitdb WORKING POC

by xiaodaozhi · c++localwindows_x86

https://www.exploit-db.com/exploits/44478

View Code ZIP pw:eip

This exploit targets CVE-2017-0263, a Windows kernel vulnerability in win32k.sys, to achieve local privilege escalation (LPE) by manipulating window objects and executing shellcode in kernel mode. The PoC includes shellcode to replace the token of a target process with that of the system process.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Microsoft Windows (win32k.sys)

Auth required

Prerequisites: Local access to a vulnerable Windows system · Ability to compile and execute the exploit

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec STUB

by R06otMD5 · poc

https://github.com/R06otMD5/cve-2017-0263-poc

View Code ZIP pw:eip

The repository contains only a minimal README with no technical details or exploit code. It is a placeholder with no functional PoC.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6

Core References

Patch, Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1038449

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/98258

Exploit, Third Party Advisory x_refsource_misc

https://xiaodaozhi.com/exploit/117.html

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44478/

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0263

Scores

CVSS v3 7.8

EPSS 0.2077

EPSS Percentile 95.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-02-10

VulnCheck KEV 2017-05-09

InTheWild.io 2017-05-09

ENISA EUVD EUVD-2017-0619

CWE

CWE-416

Status published

Products (13)

microsoft/windows_10_1507

microsoft/windows_10_1511

microsoft/windows_10_1607

microsoft/windows_10_1703

microsoft/windows_7

microsoft/windows_8.1

microsoft/windows_rt_8.1

microsoft/windows_server_2008

microsoft/windows_server_2008 r2 sp1

microsoft/windows_server_2012

... and 3 more

Published May 12, 2017

KEV Added Feb 10, 2022

Tracked Since Feb 18, 2026