CVE-2016-3309
Published 2016-08-09
Priority P1 · 86 · high · 7.8 (CVSS 3.1)
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-05
Exploited in the wild
EPSS: 20.63% (97.2th percentile)
The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- The CVE-2016-3309 exploit debug strings were reused in the CVE-2021-40449 (MysterySnail) exploit; presence of these strings in a Win32k exploit binary is a strong indicator of IronHusky/MysterySnail tooling.
- MysterySnail RAT copies cmd.exe to the temp folder under a different name before launching an interactive shell (command ID 0x1F4); monitor for cmd.exe spawned from %TEMP% with a renamed binary.
- The exploit targets the win32kfull!bFill pool overflow; monitor for pool corruption events or unexpected kernel pool allocations originating from win32kfull.sys on Windows 10 x64 build 15063.
- Kaspersky detection verdicts for the exploit and payload are PDM:Exploit.Win32.Generic, PDM:Trojan.Win32.Generic, and Trojan.Win64.Agent*; use these as hunt strings in AV telemetry.
- MysterySnail RAT communicates using a binary protocol over SSL; all C2 traffic is SSL-encrypted with a fixed header layout (offset 0: data size, offset 4: session ID, offset 8: command ID, offset 0xC: additional data).
- The public PoC exploit (EDB-42960) specifically targets Windows 10 x64 Creators Update build 15063.540; it may not function on other builds without modification.
- The information disclosure portion of the CVE-2021-40449 exploit chain (kernel module base address leakage via NtQuerySystemInformation/EnumDeviceDrivers from Medium IL) was assessed by Microsoft as not bypassing a security boundary and was NOT patched.
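The renamed-cmd.exe hunt from the list above, written out as a check over process-creation telemetry. This is an added example, not code from any of the cited sources; the event records are constructed, and the field names (Image, OriginalFileName, ParentImage) assume Sysmon Event ID 1 style logging, which is an assumption about the telemetry source.

```python
import ntpath
import re

# Locations that %TEMP% / %TMP% normally resolve to, matched case-insensitively.
# Constructed for this example; extend with any temp paths your hosts use.
TEMP_DIR_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
]


def is_under_temp(image_path: str) -> bool:
    """True when the image path sits inside a known temp directory."""
    return any(p.search(image_path) for p in TEMP_DIR_PATTERNS)


def classify_cmd_launch(event: dict):
    """Classify one process-creation event.

    Returns None for anything that is not cmd.exe running out of a temp
    directory, "cmd-renamed-in-temp" for the pattern described in the
    MysterySnail report (cmd.exe copied to temp under another name), and
    "cmd-copied-to-temp" for the weaker case where the copy kept its name.
    Identity comes from the PE version-info OriginalFileName, not the path.
    """
    original = (event.get("OriginalFileName") or "").lower()
    image = event.get("Image") or ""
    if original != "cmd.exe" or not is_under_temp(image):
        return None
    if ntpath.basename(image).lower() == "cmd.exe":
        return "cmd-copied-to-temp"
    return "cmd-renamed-in-temp"


def hunt(events):
    """Return (verdict, event) pairs for every event worth looking at."""
    hits = []
    for e in events:
        verdict = classify_cmd_launch(e)
        if verdict:
            hits.append((verdict, e))
    return hits


# Constructed sample telemetry; none of these are real captured events.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                          # benign
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
     "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},      # renamed copy
    {"Image": r"C:\Users\alice\AppData\Local\Temp\installer.exe",
     "OriginalFileName": "installer.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                          # benign
    {"Image": r"C:\Windows\Temp\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\Temp\svc.exe"},                           # copied, not renamed
]

if __name__ == "__main__":
    for verdict, hit in hunt(SAMPLE_EVENTS):
        print(verdict, hit["Image"], "parent:", hit["ParentImage"])
```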
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
CISA
Microsoft Windows Kernel Privilege Escalation Vulnerability
cisa·2022-03-15·CVSS 7.8
CVE-2016-3309 [HIGH] CWE-264 Microsoft Windows Kernel Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows Kernel Privilege Escalation Vulnerability
Affected: Microsoft Windows
A privilege escalation vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-3309
Remediation Due Date: 2022-04-05
Microsoft
Windows Kernel Elevation of Privilege Vulnerability
vendor_msrc·2016-08-09·CVSS 7.8
CVE-2016-3309 [HIGH] Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.
The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Windows Kernel-Mode Drivers
Impact: Elevation of Privilege
Exploit Status: Publicly D
GHSA
GHSA-vw6r-qqvc-7vxx: The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 7.8
CVE-2016-3310 [HIGH] GHSA-vw6r-qqvc-7vxx: The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3309, and CVE-2016-3311.
GHSA
GHSA-26jv-vj2h-8566: The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 7.8
CVE-2016-3308 [HIGH] GHSA-26jv-vj2h-8566: The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3309, CVE-2016-3310, and CVE-2016-3311.
GHSA
GHSA-fgfw-9qp4-g6xg: The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 7.8
CVE-2016-3311 [HIGH] GHSA-fgfw-9qp4-g6xg: The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3309, and CVE-2016-3310.
GHSA
GHSA-7cmx-3w9q-4v5g: The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14·CVSS 7.8
CVE-2016-3309 [HIGH] GHSA-7cmx-3w9q-4v5g: The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311.
VulnCheck
Microsoft Windows Kernel Privilege Escalation Vulnerability
vulncheck·2016·CVSS 7.8
CVE-2016-3309 [HIGH] CWE-264 Microsoft Windows Kernel Privilege Escalation Vulnerability
Microsoft Windows Kernel Privilege Escalation Vulnerability
A privilege escalation vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates; https://cybersecurityworks.com/howdymanage/uploads/file/RansomwareUpdate%20Report%202022%20Q1.pdf; https://www.securin.io/articles/all-about-conti-ransomware/
Exploit PoC: https:
No detection rules found.
Tenable
Microsoft’s June 2024 Patch Tuesday Addresses 49 CVEs
blogs_tenable·2024-06-11
Microsoft’s June 2024 Patch Tuesday Addresses 49 CVEs
Bleepingcomputer
Privilege elevation exploits used in over 50% of insider attacks
blogs_bleepingcomputer·2023-12-08
Privilege elevation exploits used in over 50% of insider attacks
By Bill Toulas
Elevation of privilege flaws are the most common vulnerability leveraged by corporate insiders when conducting unauthorized activities on networks, whether for malicious purposes or by downloading risky tools in a dangerous manner.
A report by Crowdstrike based on data gathered between January 2021 and April 2023 shows that insider threats are on the rise and that using privilege escalation flaws is a significant component of unauthorized activity.
According to the report, 55% of insider threats logged by the company rely on privilege escalation exploits, while the remaining 45% unwittingly introduce risks by downloading or misusing offensive tools.
Rogue insiders typically turn against their employer b
Tenable
Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
blogs_tenable·2023-05-09·CVSS 7.8
[HIGH] Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
blogs_tenable·2022-03-24
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
Tenable
Microsoft’s October 2021 Patch Tuesday Addresses 74 CVEs (CVE-2021-40449)
blogs_tenable·2021-10-12·CVSS 7.8
[HIGH] Microsoft’s October 2021 Patch Tuesday Addresses 74 CVEs (CVE-2021-40449)
Securelist
MysterySnail attacks with Windows zero-day
blogs_securelist·2021-10-12·CVSS 7.8
CVE-2016-3309 [HIGH] MysterySnail attacks with Windows zero-day
Table of Contents
- Executive Summary
- Elevation of privilege exploit
- MysterySnail RAT
- IoCs
Authors
- Boris Larin
- Costin Raiu
## Executive Summary
In late August and early September 2021, Kaspersky technologies detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day. We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules. We promptly reported these findings to Microsoft. The information disclosure portion of the exploit chain was identified as no
Zscaler
Zscaler found Multiple Security Vulnerabilities | 08-09-2016
blogs_zscaler
Zscaler found Multiple Security Vulnerabilities | 08-09-2016
Crowdstrike
How Insiders Use Vulnerabilities Against Organizations
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] How Insiders Use Vulnerabilities Against Organizations
- http://www.securityfocus.com/bid/92297
- http://www.securitytracker.com/id/1036572
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-098
- https://www.exploit-db.com/exploits/42960/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3309
- 2016-08-09: Published
- 2022-03-15: Added to CISA KEV
- Exploited in the wild