CVE-2016-3251
Published: 2016-07-13
Priority: P4 · 25 · low · 2.8 (CVSS 3.0)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
EPSS: 58.07% (99.0th percentile)
The GDI component in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to obtain sensitive kernel-address information via a crafted application, aka "Win32k Information Disclosure Vulnerability."
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs
- Vulnerability is triggered by a local user running a specially crafted application that causes the Windows GDI component to improperly disclose kernel memory addresses; monitor for unusual local processes invoking Win32k/GDI kernel-mode driver calls.
- The vulnerability resides in the GDI component of kernel-mode drivers (Win32k); focus endpoint detection on Win32k information disclosure patterns (e.g., unexpected kernel address leaks from GDI object handling).
- This is an information disclosure only; it does not allow direct code execution or privilege escalation, but leaked kernel addresses could be chained with other exploits to further compromise the system.
- Exploit status is assessed as 'Exploitation Less Likely' for both latest and older software releases, and there is no public exploit or known in-the-wild exploitation as of the advisory.
CVSS provenance
- nvd · v3.0 · 2.8 · LOW · CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
- nvd · v2.0 · 2.1 · LOW · AV:L/AC:L/Au:N/C:P/I:N/A:N
- vendor_msrc · 3.3 · LOW
Microsoft
Windows GDI Information Disclosure Vulnerability
vendor_msrc · 2016-07-12 · CVSS 3.3
CVE-2016-3251 [LOW] Windows GDI Information Disclosure Vulnerability
Description: A Win32k information disclosure vulnerability exists when the Windows GDI component improperly discloses kernel memory addresses. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.
To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.
The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
Windows Kernel-Mode Drivers
GHSA
GHSA-r2hq-g2r6-hj3c: The GDI component in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed · 2022-05-14
CVE-2016-3251 [LOW] CWE-200 GHSA-r2hq-g2r6-hj3c: The GDI component in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
No detection rules found.
No public exploits indexed.
Published: 2016-07-13