CVE-2019-0803

HIGH KEV RANSOMWARE

Windows - Privilege Escalation in Win32k Component


Exploitation Summary

CVE-2019-0803 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including Arch-Vile, ExpLife0011, and Iamgublin.

AI-analyzed exploit summary: The provided content lacks actual exploit code and instead references an external download link, which is a common tactic for suspicious repositories. It mentions a related GitHub repository but does not include functional PoC code for CVE-2019-0803.

Description

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685, CVE-2019-0859.

Exploits (4)

exploitdb SUSPICIOUS
by Arch-Vile · text · local · windows
https://www.exploit-db.com/exploits/46920

The provided content lacks actual exploit code and instead references an external download link, which is a common tactic for suspicious repositories. It mentions a related GitHub repository but does not include functional PoC code for CVE-2019-0803.

Classification: Suspicious 90%
Attack Type: LPE
Complexity: Theoretical
Reliability: Theoretical
Target: Windows Win32k component
No auth needed
Prerequisites: Access to a vulnerable Windows system
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 83 stars
by ExpLife0011 · local
https://github.com/ExpLife0011/CVE-2019-0803

This repository contains a proof-of-concept exploit for CVE-2019-0803, a Win32k elevation of privilege vulnerability. The exploit leverages DDE (Dynamic Data Exchange) and hijacks the ClientCopyDDEIn1 function to achieve privilege escalation.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 7 SP1 (Win32k)
No auth needed
Prerequisites: Local access to a vulnerable Windows 7 SP1 system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Iamgublin · poc
https://github.com/Iamgublin/CVE-2019-0803

This repository contains a proof-of-concept exploit for CVE-2019-0803, a Win32k elevation of privilege vulnerability. The exploit leverages DDE (Dynamic Data Exchange) and hijacks the ClientCopyDDEIn1 function to achieve privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 7 SP1 (Win32k)
No auth needed
Prerequisites: Local access to a vulnerable Windows 7 SP1 system
devstral-2 · analyzed Feb 16, 2026

patchapalooza NO CODE
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

Scores

CVSS v3 7.8
EPSS 0.8884
EPSS Percentile 99.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2019-04-09
InTheWild.io 2019-04-09
ENISA EUVD EUVD-2019-1559
Ransomware Use Confirmed
Status published
Products (17)
microsoft/windows_10_1507 (2 CPE variants)
microsoft/windows_10_1607 (2 CPE variants)
microsoft/windows_10_1703 (2 CPE variants)
microsoft/windows_10_1709 (3 CPE variants)
microsoft/windows_10_1803 (3 CPE variants)
microsoft/windows_10_1809 (3 CPE variants)
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
microsoft/windows_server_1709
... and 7 more
Published Apr 09, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026