CVE-2022-21882

HIGH KEV

Win32k ConsoleControl Offset Confusion

Title source: metasploit

Exploitation Summary

CVE-2022-21882 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 4, 2022. EIP tracks 7 public exploits, from researchers including KaLendsi, L4ys, and sailay1996; among them is the Metasploit module exploits/windows/local/cve_2022_21882_win32k.

AI-analyzed exploit summary: This is a working proof-of-concept exploit for CVE-2022-21882, targeting a Windows kernel vulnerability. The code demonstrates a local privilege escalation (LPE) by manipulating window class extra bytes and leveraging kernel callbacks to achieve arbitrary memory read/write.

Description

Win32k Elevation of Privilege Vulnerability

Exploits (7)

nomisec WORKING POC 465 stars
by KaLendsi · local
https://github.com/KaLendsi/CVE-2022-21882

This is a working proof-of-concept exploit for CVE-2022-21882, targeting a Windows kernel vulnerability. The code demonstrates a local privilege escalation (LPE) by manipulating window class extra bytes and leveraging kernel callbacks to achieve arbitrary memory read/write.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 10/11 (kernel)
Auth required
Prerequisites: Local access to the target system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 200 stars
by L4ys · local
https://github.com/L4ys/CVE-2022-21882

This is a working proof-of-concept exploit for CVE-2022-21882, a Windows kernel vulnerability. It leverages user-mode callbacks and heap manipulation to achieve local privilege escalation (LPE) by exploiting a flaw in the win32k driver.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows 10 21H2 (win32k.sys)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to execute arbitrary code in user mode
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 49 stars
by sailay1996 · local
https://github.com/sailay1996/cve-2022-21882-poc

This is a local privilege escalation (LPE) proof-of-concept for CVE-2022-21882, exploiting a vulnerability in Windows win32k. The PoC manipulates window class extra bytes and kernel callbacks to achieve arbitrary read/write in kernel memory, leading to privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (win32k.sys)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Compilation as a Windows executable
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 8 stars
by David-Honisch · local
https://github.com/David-Honisch/CVE-2022-21882

This is a working proof-of-concept exploit for CVE-2022-21882, a Windows kernel privilege escalation vulnerability. It leverages a use-after-free in the win32k driver to achieve arbitrary kernel memory read/write and ultimately escalate privileges.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (win32k.sys)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 6 stars
by r1l4-i3pur1l4 · local
https://github.com/r1l4-i3pur1l4/CVE-2022-21882

This is a functional proof-of-concept exploit for CVE-2022-21882, a Win32k elevation of privilege vulnerability. It leverages callback table manipulation and window object manipulation to achieve local privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (Win32k component)
Auth required
Prerequisites: Local access to a vulnerable Windows system · User-level authentication
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by BITTER APT, JinQuan, MaDongZe, TuXiaoYi, LiHao, L4ys, KaLendsi, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2022_21882_win32k.rb

This Metasploit module exploits CVE-2022-21882, a Win32k privilege escalation vulnerability affecting Windows 10 (1803-21H2) and Windows 11 (21H2). It leverages a bypass for CVE-2021-1732's patch to achieve an out-of-bounds write via WndExtra field manipulation, leading to SYSTEM privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 10 (1803-21H2), Windows 11 (21H2), Windows Server 2019/2022
Auth required
Prerequisites: Local access to a vulnerable Windows system · Meterpreter session
devstral-2 · analyzed Feb 16, 2026

patchapalooza WORKING POC
by gdabah · local
https://github.com/gdabah/win32k-bugs

This repository contains a functional exploit PoC for CVE-2022-21882, demonstrating a Use-After-Free (UAF) vulnerability in the Windows win32k driver, specifically in the `xxxMnOpenHierarchy` function. The exploit manipulates window and menu objects to achieve arbitrary code execution in kernel mode.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows 10 x64 (win32k.sys)
No auth needed
Prerequisites: Windows 10 x64 environment · Ability to execute user-mode code
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.0
EPSS 0.8914
EPSS Percentile 99.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-02-04
VulnCheck KEV 2022-01-11
InTheWild.io 2022-01-11
ENISA EUVD EUVD-2022-27038
CWE CWE-787
Status published
Products (9)
microsoft/windows_10_1809 < 10.0.17763.2452 (2 CPE variants)
microsoft/windows_10_1909 < 10.0.18363.2037
microsoft/windows_10_20h2 < 10.0.19042.1466
microsoft/windows_10_21h1 < 10.0.19043.1466
microsoft/windows_10_21h2 < 10.0.19044.1466
microsoft/windows_11_21h2 < 10.0.22000.434
microsoft/windows_server_2019 < 10.0.17763.2452
microsoft/windows_server_2022 < 10.0.20348.469
microsoft/windows_server_20h2 < 10.0.19042.1466
Published Jan 11, 2022
KEV Added Feb 04, 2022
Tracked Since Feb 18, 2026