Rapid7 Vulnerability & Exploit Database

Win32k NtGdiResetDC Use After Free Local Privilege Elevation

Back to Search

Win32k NtGdiResetDC Use After Free Local Privilege Elevation



A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM. This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions of Windows 10 will likely also work.


  • IronHusky
  • Costin Raiu
  • Boris Larin
  • Red Raindrop Team of Qi'anxin Threat Intelligence Center
  • KaLendsi
  • ly4k
  • Grant Willcox






Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/cve_2021_40449
msf exploit(cve_2021_40449) > show targets
msf exploit(cve_2021_40449) > set TARGET < target-id >
msf exploit(cve_2021_40449) > show options
    ...show and set options...
msf exploit(cve_2021_40449) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security