CVE-2022-21971

HIGH KEV

Windows Runtime - Remote Code Execution via Uninitialized Pointer Access

Exploitation Summary

CVE-2022-21971 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, where it was added on August 18, 2022. EIP tracks 3 public exploits, from the researchers 0vercl0k, Malwareman007 and tufanturhan.

Description

Windows Runtime Remote Code Execution Vulnerability

Exploits (3)

nomisec WRITEUP 306 stars
by 0vercl0k · client-side
https://github.com/0vercl0k/CVE-2022-21971

This repository provides a detailed analysis of CVE-2022-21971, a vulnerability in the `prauthproviders` module where an uninitialized pointer is freed, leading to a use-after-free condition. The writeup includes root cause analysis, disassembly snippets, and reproduction steps.

Classification: Writeup 100%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Office Word 2019, WordPad on Windows 10/11
No auth needed
Prerequisites: PageHeap enabled via Gflags on `winword.exe` · Debugger attached to the process
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 11 stars
by Malwareman007 · poc
https://github.com/Malwareman007/CVE-2022-21971

This PoC demonstrates a use-after-free vulnerability in the `WapAuthProvider` destructor due to an uninitialized pointer at offset 0x50, leading to a crash when `LocalFree` is called. The exploit requires PageHeap to be enabled and triggers via a malformed RTF file in Microsoft Word.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Word 2019, Windows 10/11
No auth needed
Prerequisites: PageHeap enabled on `winword.exe` · Debugger attached · Malformed RTF file
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 2 stars
by tufanturhan · poc
https://github.com/tufanturhan/CVE-2022-21971-Windows-Runtime-RCE

This repository provides a detailed analysis of CVE-2022-21971, a vulnerability in Windows Runtime involving an uninitialized pointer free in prauthproviders. The writeup includes root cause analysis, reproduction steps, and a crash log demonstrating the issue.

Classification: Writeup 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Runtime (`prauthproviders.dll`)
No auth needed
Prerequisites: PageHeap enabled via Gflags on `winword.exe` · Debugger attached to Microsoft Word · Malicious RTF file opened in Word
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.5365
EPSS Percentile 98.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-08-18
VulnCheck KEV 2022-08-18
InTheWild.io 2022-08-18
ENISA EUVD EUVD-2022-27126
CWE
CWE-824
Status published
Products (9)
microsoft/windows_10_1809 < 10.0.17763.2565
microsoft/windows_10_1909 < 10.0.18363.2094
microsoft/windows_10_20h2 < 10.0.19042.1526
microsoft/windows_10_21h1 < 10.0.19043.1526
microsoft/windows_10_21h2 < 10.0.19044.1526
microsoft/windows_11_21h2 < 10.0.22000.493
microsoft/windows_server_2019 < 10.0.17763.2565
microsoft/windows_server_2022 < 10.0.20348.524
microsoft/windows_server_20h2 < 10.0.19042.1526
Published Feb 09, 2022
KEV Added Aug 18, 2022
Tracked Since Feb 18, 2026