CVE-2021-40449

HIGH KEV RANSOMWARE

Windows 10 1507-21H1, Windows 11, Windows Server 2004-2019 - Use-After-Free in Win32k

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-40449 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 17, 2021, with confirmed use in ransomware campaigns. EIP tracks 11 public exploits from researchers including ly4k, KaLendsi, Kristal-g, including a Metasploit module exploits/windows/local/cve_2021_40449.

AI-analyzed exploit summary This is a working exploit for CVE-2021-40449, a use-after-free (UAF) vulnerability in the Windows Win32k driver. The PoC leverages a printer driver callback to trigger the UAF and then sprays palettes to reclaim freed memory, ultimately achieving privilege escalation by manipulating a forged BitMapHeader to enable all privileges.

Description

Win32k Elevation of Privilege Vulnerability

Exploits (11)

nomisec WORKING POC 480 stars
by ly4k · local
https://github.com/ly4k/CallbackHell

This is a working exploit for CVE-2021-40449, a use-after-free (UAF) vulnerability in the Windows Win32k driver. The PoC leverages a printer driver callback to trigger the UAF and then sprays palettes to reclaim freed memory, ultimately achieving privilege escalation by manipulating a forged BitMapHeader to enable all privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows Win32k.sys (multiple versions)
Auth required
Prerequisites: Local access to a vulnerable Windows system · A printer driver installed on the system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 99 stars
by KaLendsi · local
https://github.com/KaLendsi/CVE-2021-40449-Exploit

This exploit targets CVE-2021-40449, a use-after-free (UAF) vulnerability in the Windows kernel printer driver. It manipulates palette objects to trigger the UAF and achieve privilege escalation by corrupting kernel memory.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Microsoft Windows (tested on Windows 10 builds 14393 and 17763)
No auth needed
Prerequisites: Access to a vulnerable Windows system · Printer driver loaded
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 54 stars
by Kristal-g · local
https://github.com/Kristal-g/CVE-2021-40449_poc

This is a proof-of-concept exploit for CVE-2021-40449, targeting a use-after-free vulnerability in the Windows graphics driver. It leverages the Microsoft XPS Document Writer driver to achieve arbitrary code execution via a crafted palette object and shellcode execution.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows (XPS Document Writer driver)
No auth needed
Prerequisites: Windows system with vulnerable XPS Document Writer driver · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 45 stars
by hakivvi · local
https://github.com/hakivvi/CVE-2021-40449

This exploit leverages a use-after-free (UAF) vulnerability in the Windows kernel to escalate privileges by manipulating a BitMapHeader structure and abusing NtSetInformationThread. It ultimately spawns a shell with elevated privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows (kernel)
No auth needed
Prerequisites: Windows environment with vulnerable kernel · Ability to execute arbitrary code at user level
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by CppXL · poc
https://github.com/CppXL/cve-2021-40449-poc

This PoC exploits CVE-2021-40449, a use-after-free vulnerability in the Windows Print Spooler service, by manipulating printer driver callbacks and heap spraying to achieve local privilege escalation (LPE). The code hooks the DrvEnablePDEV function to trigger a UAF condition via ResetDCA and leverages heap grooming techniques.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows Print Spooler (affected versions include Windows 10, Windows Server 2019, etc.)
Auth required
Prerequisites: Local access to the target system · Ability to load a printer driver · Administrative privileges to install/modify printer drivers (for setup)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by toanthang1842002 · local
https://github.com/toanthang1842002/CVE-2021-40449

This is a working proof-of-concept exploit for CVE-2021-40449, targeting a use-after-free vulnerability in the Windows Print Spooler service. The exploit uses printer driver hooking and palette spraying to achieve local privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows Print Spooler
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to load a printer driver
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
by IronHusky, Costin Raiu, Boris Larin, Red Raindrop Team of Qi, , # detailed analysis report in Chinese showing how to replicate the vulnerability, , # First Public POC targeting Windows 10 build 14393 · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2021_40449.rb

This Metasploit module exploits a use-after-free vulnerability in the `NtGdiResetDC()` function of Win32k to achieve local privilege escalation to `NT AUTHORITY\SYSTEM`. The exploit leverages a race condition during a user mode callback to manipulate kernel memory and execute arbitrary code.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows 10 (multiple builds), Windows Server 2019/2022, and others
Auth required
Prerequisites: Local access to a vulnerable Windows system · Valid user session
devstral-2 · analyzed Feb 19, 2026 Full analysis →
patchapalooza WORKING POC
by SamuelTulach · local
https://github.com/SamuelTulach/voidmap

This repository contains a functional exploit PoC for CVE-2021-40449, a Windows kernel vulnerability. The exploit disables SMEP/SMAP, manually maps a driver, and executes arbitrary code by leveraging a use-after-free (UAF) vulnerability in the Windows printer driver subsystem.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows 10 Pro For Workstations 1809 17763.379 (64-bit)
No auth needed
Prerequisites: Windows system with vulnerable kernel · Printer driver subsystem accessible
devstral-2 · analyzed Feb 23, 2026 Full analysis →
patchapalooza WORKING POC
by BL0odz · local
https://github.com/BL0odz/CVE-2021-40449-NtGdiResetDC-UAF

This repository contains a functional exploit for CVE-2021-40449, a use-after-free (UAF) vulnerability in the Windows GDI component (NtGdiResetDC). The exploit leverages memory corruption to achieve local privilege escalation (LPE) by manipulating kernel objects and executing shellcode.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows 10 1809 (and potentially other versions)
No auth needed
Prerequisites: Windows 10 1809 environment · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 23, 2026 Full analysis →
patchapalooza WORKING POC
by hissec · poc
https://gitee.com/hissec/CVE-2021-40449-Exploit

This repository contains a functional exploit for CVE-2021-40449, leveraging a use-after-free (UAF) vulnerability in the Windows kernel via palette manipulation and printer driver callbacks. The exploit targets specific Windows 10 builds (14393 and 17763) and demonstrates memory corruption through crafted palette objects.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Microsoft Windows 10 (builds 14393, 17763)
No auth needed
Prerequisites: Windows 10 build 14393 or 17763 · Access to a local printer driver
devstral-2 · analyzed Feb 23, 2026 Full analysis →
patchapalooza WRITEUP
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

This repository contains documentation and configuration scripts for a collection of Windows kernel exploits, including CVE-2003-0352, CVE-2006-3439, and others. It includes Python scripts for generating documentation and organizing exploit metadata, but no actual exploit code for CVE-2021-40449.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows Kernel (various versions)
No auth needed
Prerequisites: Access to the target system · Appropriate exploit code for the specific CVE
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 7.8
EPSS 0.9151
EPSS Percentile 99.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-17
VulnCheck KEV 2021-10-12
InTheWild.io 2021-10-12
ENISA EUVD EUVD-2021-27626
Ransomware Use Confirmed
CWE
CWE-416
Status published
Products (21)
microsoft/windows_10_1507 < 10.0.10240.19086
microsoft/windows_10_1607 < 10.0.14393.4704
microsoft/windows_10_1809 < 10.0.17763.2237
microsoft/windows_10_1909 < 10.0.18363.1854
microsoft/windows_10_2004 < 10.0.19041.1288
microsoft/windows_10_20h2 < 10.0.19041.1288
microsoft/windows_10_21h1 < 10.0.19041.1288
microsoft/windows_11
microsoft/windows_11_21h2 < 10.0.22000.258
microsoft/windows_7
... and 11 more
Published Oct 13, 2021
KEV Added Nov 17, 2021
Tracked Since Feb 18, 2026