CVE-2021-33739

HIGH KEV

Microsoft DWM Core Library - Privilege Escalation

Exploitation Summary

CVE-2021-33739 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 4 public exploits from researchers including freeide2017, giwon9977, and Ascotbe.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2021-33739, targeting a Windows kernel vulnerability in the DirectComposition API. The exploit leverages memory corruption to achieve local privilege escalation (LPE) by manipulating kernel objects and executing shellcode.

Description

Microsoft DWM Core Library Elevation of Privilege Vulnerability

Exploits (4)

nomisec WORKING POC 10 stars
by freeide2017 · local
https://github.com/freeide2017/CVE-2021-33739-POC

This repository contains a functional exploit for CVE-2021-33739, targeting a Windows kernel vulnerability in the DirectComposition API. The exploit leverages memory corruption to achieve local privilege escalation (LPE) by manipulating kernel objects and executing shellcode.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (builds 17763-19042)
No auth needed
Prerequisites: Windows 10/11 with vulnerable kernel builds · Local access to the target system
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 5 stars
by giwon9977 · local
https://github.com/giwon9977/CVE-2021-33739_PoC_Analysis

This repository contains a functional exploit PoC for CVE-2021-33739, targeting a Windows kernel vulnerability in the DirectComposition API. The exploit leverages heap manipulation and kernel object address leakage to achieve local privilege escalation (LPE).

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 10 (builds 17763-19042)
No auth needed
Prerequisites: Windows 10 (specific builds) · DirectComposition API access
devstral-2 · analyzed Feb 18, 2026

inthewild WORKING POC
poc
https://github.com/giwon9977/cve-2021-33739_poc

This repository contains a functional exploit PoC for CVE-2021-33739, targeting a Windows kernel vulnerability in the DirectComposition API. The exploit leverages heap manipulation and kernel object address leakage to achieve local privilege escalation (LPE).

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (builds 18362, 18363, 19041, 19042)
No auth needed
Prerequisites: Windows OS with vulnerable build · DirectComposition API access
devstral-2 · analyzed Feb 23, 2026

patchapalooza WRITEUP
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

This repository is a collection of documentation and metadata for various Windows CVEs, including CVE-2021-33739. It contains README files, issue templates, and a Python script for generating documentation but no functional exploit code.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Windows (various versions)
No auth needed
Prerequisites: access to the repository
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3: 8.4
EPSS: 0.1692
EPSS Percentile: 95.1%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2021-06-08
InTheWild.io: 2021-06-14
ENISA EUVD: EUVD-2021-20416
Status: published
Products (6):
microsoft/windows_10_1909 < 10.0.18363.1621
microsoft/windows_10_2004 < 10.0.19041.1052
microsoft/windows_10_20h2 < 10.0.19042.1052
microsoft/windows_10_21h1 < 10.0.19043.1052
microsoft/windows_server_2004 < 10.0.19041.1052
microsoft/windows_server_20h2 < 10.0.19042.1052
Published: Jun 08, 2021
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026