CVE-2016-0165
Published 2016-04-12
Priority: P1 (81, high) · CVSS 3.1 score: 7.8
CISA Known Exploited Vulnerability (remediation due 2023-07-13)
Exploited in the wild
EPSS: 14.36% (96.2nd percentile)
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0143 and CVE-2016-0167.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2016-0165 was observed chained with a browser/Flash exploit (APSB16-10) for sandbox escape: look for Flash exploitation followed immediately by a local privilege escalation attempt in the same process tree.
- The exploit uses EnumDeviceDrivers to leak the kernel base address (KASLR bypass): monitor for unprivileged user-mode processes calling EnumDeviceDrivers.
- The Kaspersky detection signatures (HEUR:Exploit.Win32.Generic / PDM:Exploit.Win32.Generic) are generic and will match a broad class of exploits, not exclusively CVE-2016-0165.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
VulDB (vuldb, 2026-04-23, CVSS 7.8 HIGH)
CVE-2016-0165: Microsoft Windows Vista SP2 up to Server 2012 R2 Kernel-Mode Driver win32k.sys access control (MS16-039 / EDB-44480)
A vulnerability labeled as problematic has been found in Microsoft Windows Vista SP2 up to Server 2012 R2. Affected is an unknown function in the library win32k.sys of the component Kernel-Mode Driver. Executing a manipulation can lead to improper access controls.
This vulnerability is handled as CVE-2016-0165. It is possible to launch the attack on the local host. Additionally, an exploit exists.
It is best practice to apply a patch to resolve this issue.
GHSA (ghsa_unreviewed, 2022-05-14, CVSS 7.8 HIGH)
GHSA-3936-9446-hfx7 (CVE-2016-0165):
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0143 and CVE-2016-0167.
GHSA (ghsa_unreviewed, 2022-05-14, CVSS 7.8 HIGH)
GHSA-62mp-wgh2-4h5x (CVE-2016-0143, a related Win32k vulnerability):
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0165 and CVE-2016-0167.
GHSA (ghsa_unreviewed, 2022-05-14, CVSS 7.8 HIGH)
GHSA-3xwc-546j-255h (CVE-2016-0167, a related Win32k vulnerability):
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0143 and CVE-2016-0165.
VulnCheck (vulncheck, 2016, CVSS 7.8 HIGH, CWE-264)
CVE-2016-0165: Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://dl.acm.org/doi/pdf/10.1145/3465481.3465758; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2023-07-13
CISA (cisa, 2023-06-22, CVSS 7.8 HIGH, CWE-264)
CVE-2016-0165: Microsoft Win32k Privilege Escalation Vulnerability
Affected: Microsoft Win32k
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-039; https://nvd.nist.gov/vuln/detail/CVE-2016-0165
Remediation Due Date: 2023-07-13
Microsoft (vendor_msrc, 2016-04-12, CVSS 7.8 HIGH)
CVE-2016-0165: Windows Graphics Component Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system.
The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode.
Component: Microsoft Graphics Component
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software
No detection rules found.
Checkpoint (blogs_checkpoint, 2020-10-02; tagged CVE-2019-0859)
Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
Research by: Itay Cohen, Eyal Itkin
In the past months, our Vulnerability and Malware Research tea
Securelist (blogs_securelist, 2016-12-14)
Kaspersky Security Bulletin 2016. Review of the year. Overall statistics for 2016
Table of Contents
- Introduction
- Six things we learned this year that we didn’t know before
  1. That the underground economy is more sophisticated and bigger than ever: xDedic – the shady marketplace
  2. That the biggest financial heist did not involve a stock exchange: the SWIFT-enabled transfers
  3. That critical infrastructure is worryingly vulnerable: the BlackEnergy attacks
  4. That a targeted attack can have no pattern: the ProjectSauron APT
  5. That the online release of vast volumes of data can be an influential tactic: ShadowBrokers and other data dumps
  6. That a camera could be part of a global cyber-army: the insecure Internet of Things
- Other top threats
  - Inventive APTs
  - New zero-days
  - The hunt for financial gain
  - The ultimate vulnerability: people
  - Mobile advertising
- The impact on business
Authors
- Kaspersky
## Executive Summary
1. Kaspersky Security Bulletin. Predictions for 2017
2. Kaspersky Security Bulletin 2016. The ransomware revolution
## Introduction
If they were asked to sum up 2016 in a single word, many people around the world – particularly those in Europe and the US – might choose the word ‘unpredictable’. On the face of it, the same could apply to cyberthreats in 2016: the massive botnets of connected devices that paralysed much of the Internet in October; the relentless hacking of high profile websit
Securelist (blogs_securelist, 2016-10-20, CVSS 7.8 HIGH; tagged CVE-2016-3393)
Windows zero-day exploit used in targeted attacks by FruityArmor APT
Table of Contents
- Attack chain description
- EOP zero-day details
Authors
- Anton Ivanov
A few days ago, Microsoft published the “critical” MS16-120 security bulletin with fixes for vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.
One of the vulnerabilities – CVE-2016-3393 – was reported to Microsoft by Kaspersky Lab in September 2016.
Here’s a bit of background on how this zero-day was discovered. A few months ago, we deployed a new set of technologies in our products to identify and block zero-day attacks. These technologies proved their effectiveness earlier this year, when we discovered two Adobe Flash zero-day exploits – CVE-2016-1010 and CVE-2016-4171. Two Windows EoP exploits have also been found with the help of this
Qualys (blogs_qualys, 2016-04-12, CVSS 7.8 HIGH)
Patch Tuesday April 2016 | Qualys
It is time for Patch Tuesday April 2016, and we have some insight into what is coming at us already. Last week Adobe had to anticipate their monthly Adobe Flash Player (APSB16-10) patch to help their users defend against a 0-day that was being exploited in the wild and a couple of weeks ago we heard of the “Badlock” vulnerability from the Samba development team – both Windows and Samba on Linux/Unix are affected.
But Badlock seems to be tamer than expected – it is addressed by Microsoft in MS16-047, a bulletin categorized as “important”. It is a Man-in-the-Middle type vulnerability and can be used to login as another user for applications that use the SAMR or LSAD protocol – the SMB protocol is not affected. All versions of Windows are affected – Vista to Server 2012R2. We are not sure wh
Zscaler (blogs_zscaler, CVSS 7.5 HIGH)
Zscaler found Multiple Security Vulnerabilities | 04-12-2016
References
- http://www.securitytracker.com/id/1035529
- http://www.securitytracker.com/id/1035532
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-039
- https://www.exploit-db.com/exploits/44480/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0165
Timeline
- 2016-04-12: Published
- 2023-06-22: Added to CISA KEV
- Exploited in the wild