CVE-2021-31955

MEDIUM KEV

Windows 10 1809-21H1 and Windows Server 2019-20H2 - Kernel Information Disclosure

Exploitation Summary

CVE-2021-31955 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 2 public exploits, from researchers including freeide and ApexPredator-InfoSec.

Description

Windows Kernel Information Disclosure Vulnerability

Exploits (2)

nomisec WORKING POC 13 stars
by freeide · local
https://github.com/freeide/CVE-2021-31955-POC

This repository contains a functional proof-of-concept exploit for CVE-2021-31955, a Windows kernel information disclosure vulnerability. The exploit leverages the `NtQuerySystemInformation` API with `SystemSuperfetchInformation` to retrieve `EPROCESS` addresses, demonstrating the vulnerability by querying process information.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Windows Kernel (64-bit, various versions including Windows 10)
No auth needed
Prerequisites: Access to a vulnerable Windows system with unpatched kernel
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by ApexPredator-InfoSec · local
https://github.com/ApexPredator-InfoSec/forti_shield

This repository contains a combined proof-of-concept exploit for CVE-2021-31955, CVE-2015-4077, and CVE-2015-5736, targeting Windows 10 20H2. It leverages memory corruption and privilege escalation techniques to achieve local privilege escalation (LPE).

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 10 20H2
No auth needed
Prerequisites: Windows 10 20H2 environment · Vulnerable driver or kernel component
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 5.5
EPSS 0.0361
EPSS Percentile 88.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-04-14
InTheWild.io 2021-04-14
ENISA EUVD EUVD-2021-18828
CWE CWE-497
Status published
Products (8)
microsoft/windows_10_1809 < 10.0.17763.1999
microsoft/windows_10_1909 < 10.0.18363.1621
microsoft/windows_10_2004 < 10.0.19041.1052
microsoft/windows_10_20h2 < 10.0.19042.1052
microsoft/windows_10_21h1 < 10.0.19043.1052
microsoft/windows_server_2004 < 10.0.19041.1052
microsoft/windows_server_2019 < 10.0.17763.1999
microsoft/windows_server_20h2 < 10.0.19042.1052
Published Jun 08, 2021
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026