CVE-2019-0808

HIGH KEV

Windows 7 and Windows Server 2008 - Local Privilege Escalation in Win32k Component

Title source: llm

Exploitation Summary

CVE-2019-0808 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 7 public exploits, from researchers including ze0r, exodusintel and rakesh143, among them the Metasploit module exploits/windows/local/ntusermndragover.

AI-analyzed exploit summary: This exploit targets a local privilege escalation vulnerability in Microsoft Windows Win32k (CVE-2019-0808). It is designed to elevate privileges on Windows 7 and Server 2008 systems by exploiting a flaw in the Win32k subsystem.

Description

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0797.

Exploits (7)

exploitdb WORKING POC
by ze0r · text · dos · windows
https://www.exploit-db.com/exploits/46604

This exploit targets a local privilege escalation vulnerability in Microsoft Windows Win32k (CVE-2019-0808). It is designed to elevate privileges on Windows 7 and Server 2008 systems by exploiting a flaw in the Win32k subsystem.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 7, Windows Server 2008
Auth required
Prerequisites: Local access to the target system · Low-privileged user account
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 91 stars
by exodusintel · local
https://github.com/exodusintel/CVE-2019-0808

This repository contains a functional exploit for CVE-2019-0808, a Windows win32k elevation of privilege vulnerability. The exploit leverages a race condition in the win32k!xxxMNDragOver function to achieve arbitrary kernel write primitives, ultimately leading to token stealing for privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows 7/Windows 10 (win32k.sys)
No auth needed
Prerequisites: Windows 7/10 x86 system · Local access to the target machine
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 48 stars
by ze0r · dos
https://github.com/ze0r/cve-2019-0808-poc

This repository contains a functional proof-of-concept exploit for CVE-2019-0808, a Windows win32k elevation of privilege vulnerability. The exploit manipulates menu window messages and hooks to trigger a BSOD, demonstrating the vulnerability's impact.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 7 (win32k.sys)
No auth needed
Prerequisites: Windows 7 environment · User-level access to execute the binary
devstral-2 · analyzed Feb 18, 2026

nomisec SUSPICIOUS 1 star
by rakesh143 · poc
https://github.com/rakesh143/CVE-2019-0808

The repository contains no actual exploit code or technical details, only a link to an external download (PacketStorm). This is a common social engineering tactic to lure researchers into downloading potentially malicious content.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by bb33bb · local
https://github.com/bb33bb/CVE-2019-0808-32-64-exp

This repository contains a functional exploit for CVE-2019-0808, a Windows local privilege escalation vulnerability in the win32k component. The exploit leverages menu window manipulation and NULL page allocation to achieve arbitrary code execution in kernel mode.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (win32k.sys)
No auth needed
Prerequisites: Windows system with vulnerable win32k.sys · Local access to the target system
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC NORMAL
by Clément Lecigne, Grant Willcox, timwr · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ntusermndragover.rb

This Metasploit module exploits a NULL pointer dereference vulnerability in the Windows kernel (win32k.sys) via the NtUserMNDragOver system call, leading to local privilege escalation on Windows 7 x86 systems. The exploit reflectively injects a DLL payload to trigger the vulnerability and elevate privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 7 x86 (SP0 and SP1)
No auth needed
Prerequisites: Meterpreter session on target · Windows 7 x86 system with vulnerable win32k.sys (revision < 24387)
devstral-2 · analyzed Feb 19, 2026

patchapalooza WRITEUP
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

This repository contains documentation and configuration scripts for a collection of Windows kernel exploits, including CVE-2003-0352, CVE-2006-3439, CVE-2008-1084, and others. It includes README files with technical details and a Python script for generating documentation.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Windows Kernel
No auth needed
Prerequisites: access to the target system · specific Windows versions affected by the listed CVEs
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.8
EPSS 0.7395
EPSS Percentile 98.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2019-03-12
InTheWild.io 2019-03-12
ENISA EUVD EUVD-2019-1563
Status published
Products (3)
microsoft/windows_7
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
Published Apr 09, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026