Login Sign Up

CVE-2021-31188

7.8 HIGH

📋 TL;DR

This vulnerability in the Windows Graphics Component allows an attacker to execute arbitrary code with elevated privileges by exploiting a use-after-free bug. It affects Windows systems where an authenticated user could run a specially crafted application. Successful exploitation enables privilege escalation from a standard user to SYSTEM level.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10 versions 1809, 1909, 2004, 20H2, 21H1; Windows Server 2019, 2022
Operating Systems: Windows 10, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with the vulnerable graphics component enabled (default configuration).

📦 What is this software?

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows Rt 8.1 by Microsoft

View all CVEs affecting Windows Rt 8.1 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains SYSTEM privileges on the target system, enabling complete control, data theft, installation of persistent malware, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional malware, or access sensitive system resources.

🟢

If Mitigated

With proper patching and least privilege principles, impact is limited to isolated systems with no administrative access.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access or user interaction.
🏢 Internal Only: HIGH - Internal attackers or malware with user-level access can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and user interaction. Proof-of-concept code has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2021 security updates (KB5003173 for Windows 10 2004/20H2/21H1, KB5003169 for 1909, KB5003197 for 1809)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31188

Restart Required: Yes

Instructions:

1. Open Windows Update settings. 2. Check for updates. 3. Install May 2021 security updates. 4. Restart the system when prompted.

🔧 Temporary Workarounds

Restrict local user privileges

windows

Apply least privilege principles to limit potential impact of exploitation.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of untrusted applications
  • Use endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and installed updates via 'winver' or 'systeminfo' command. If May 2021 security updates are not installed, system is vulnerable.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5003173, KB5003169, or KB5003197 is installed in Windows Update history or via 'wmic qfe list' command.

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 (process creation) showing unexpected privilege escalation
  • Security log entries showing SYSTEM account activity from user sessions

Network Indicators:

  • Unusual outbound connections from systems after local exploitation

SIEM Query:

EventID=4688 AND NewProcessName="*" AND TokenElevationType="%%1936" (for privilege escalation detection)

📊 Metadata

CVE ID: CVE-2021-31188
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: May 11, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-31188, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)