CVE-2021-31956

HIGH KEV

Windows NTFS - Elevation of Privilege via Integer Underflow

Title source: llm

Exploitation Summary

CVE-2021-31956 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 5 public exploits from researchers including Y3A, hoangprod, and deletehead.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2021-31956, a Windows kernel vulnerability involving heap overflow in the Windows Notification Facility (WNF). The exploit demonstrates local privilege escalation by manipulating WNF state data to achieve arbitrary write primitives and token theft.

Description

Windows NTFS Elevation of Privilege Vulnerability

Exploits (5)

nomisec WORKING POC 5 stars
by Y3A · local
https://github.com/Y3A/CVE-2021-31956

This repository contains a functional exploit for CVE-2021-31956, a Windows kernel vulnerability involving heap overflow in the Windows Notification Facility (WNF). The exploit demonstrates local privilege escalation by manipulating WNF state data to achieve arbitrary write primitives and token theft.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (kernel)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Kernel-level heap manipulation capabilities
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 4 stars
by hoangprod · local
https://github.com/hoangprod/CVE-2021-31956-POC

This repository contains a functional proof-of-concept exploit for CVE-2021-31956, leveraging a heap overflow in Windows NTFS Extended Attributes (EA) to corrupt adjacent pool objects, specifically targeting _WNF_STATE_DATA structures. The exploit demonstrates memory corruption techniques to achieve local privilege escalation (LPE) by manipulating undocumented NT API calls.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (NTFS driver, specifically affecting Windows 10 and likely other versions)
No auth needed
Prerequisites: Local access to the target system · Ability to create and manipulate files on an NTFS volume
devstral-2 · analyzed Feb 18, 2026

nomisec STUB
by deletehead · poc
https://github.com/deletehead/Pool-Overflow-CVE-2021-31956

The repository contains only a placeholder README and a single empty C++ file, with no functional exploit code or technical details about CVE-2021-31956.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by hzshang · poc
https://github.com/hzshang/CVE-2021-31956

This repository contains a functional exploit for CVE-2021-31956, a Windows NTFS vulnerability involving out-of-bounds (OOB) write via Extended Attributes (EA) manipulation. The exploit leverages WNF (Windows Notification Facility) state data corruption to achieve arbitrary read/write primitives.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows NTFS (Windows 10, Windows Server 2019)
No auth needed
Prerequisites: Local access to the target system · Ability to create files in a writable directory
devstral-2 · analyzed Feb 18, 2026

patchapalooza WORKING POC
by aazhuliang · local
https://github.com/aazhuliang/CVE-2021-31956-EXP

This repository contains a functional exploit for CVE-2021-31956, a Windows kernel vulnerability involving WNF (Windows Notification Facility) state name manipulation and EA (Extended Attributes) file operations. The exploit demonstrates memory corruption via heap spraying and arbitrary kernel memory read/write primitives.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (kernel)
No auth needed
Prerequisites: Windows system with vulnerable kernel · ability to execute arbitrary code
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3: 7.8
EPSS: 0.9072
EPSS Percentile: 99.6%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2021-04-14
InTheWild.io: 2021-04-14
ENISA EUVD: EUVD-2021-18829
CWE: CWE-191
Status: published
Products (18)
microsoft/windows_10_1507 < 10.0.10240.18967
microsoft/windows_10_1607 < 10.0.14393.4467
microsoft/windows_10_1809 < 10.0.17763.1999
microsoft/windows_10_1909 < 10.0.18363.1621
microsoft/windows_10_2004 < 10.0.19041.1052
microsoft/windows_10_20h2 < 10.0.19042.1052
microsoft/windows_10_21h1 < 10.0.19043.1052
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
... and 8 more
Published: Jun 08, 2021
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026