CVE-2021-42280: Windows Feedback Hub Elevation of Privilege Vulnerability

Overview

Severity: Medium (CVSS 5.5)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Category: Elevation of Privilege
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2021-Nov
Released: 2021-11-09
EPSS Score: 0.16% (percentile: 36.5%)

FAQ

What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker would only be able to delete targeted files on a system. They would not gain privileges to view or modify file contents.

Affected Products (26)

Windows

Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows Server 2022
Windows Server 2022 (Server Core installation)
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 11 version 21H2 for x64-based Systems
Windows 11 version 21H2 for ARM64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)

Security Updates (6)

Acknowledgments

Abdelhamid Naceri working with <a href="https://www.zerodayinitiative.com/">Trend Micro Zero Day Initiative</a>

Revision History

2021-11-09: Information published.