CVE-2016-0006
Description
Local users can gain privileges in multiple Windows versions via a crafted application that exploits improper sandbox handling of reparse points.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The sandbox implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandles reparse points. This flaw, known as the "Windows Mount Point Elevation of Privilege Vulnerability," is addressed in MS16-008 [1]. The vulnerability is distinct from CVE-2016-0007 and arises from incorrect handling of mount point creation within the sandbox [1]. All affected software versions are listed as Important severity [1].
Exploitation
An attacker must first log on to an affected system and then run a specially crafted application [1]. The published proof of concept bypasses the mitigation Microsoft shipped for CVE-2015-2553 by abusing shadow object directories: the attacker creates a dummy object directory whose shadow is the GLOBAL?? directory and uses it to override a DOS device name such as C: (or GLOBALROOT), so that the target of a limited mount reparse point resolves to an arbitrary location such as \Device\NamedPipe\ while the reparse point is being created from inside the sandbox [2]. Once the attacker's directory is released, the same stored target path resolves to its original, intended location, and the mount point persists for as long as the attacker's process exists [2]. The only capability the exploit needs is the ability to create a named object directory, which most sandboxes still allow; a highly restrictive sandbox such as the Chrome renderer does not [2].
Impact
Successful exploitation allows a local attacker to create mount points that the sandbox was meant to forbid and thereby elevate privileges beyond those intended by the sandbox [1]. Because a mount point redirects directory lookups made by higher-privileged processes, the immediate impact is on the integrity and availability of those processes; arbitrary code execution with elevated privileges then extends the impact to confidentiality as well [1]. Chained with other vulnerabilities, the sandbox bypass can lead to full system compromise [2].
Mitigation
Microsoft released security update MS16-008 (KB3124605) on January 12, 2016, which corrects how Windows handles certain scenarios involving mount point creation [1]. All affected versions of Windows should apply this update immediately. No workarounds are documented for versions that have not yet been patched; for unsupported or end-of-life systems, upgrading to a supported release is the only mitigation [1]. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
The CVE description above also names Windows Vista SP2, Windows 7 SP1 and Windows 8, which do not appear in the indexed CPE list.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The sandbox implementation mishandles reparse points by allowing shadow object directories to bypass the ProcessDeviceMap restriction, enabling low-integrity processes to create mount points pointing to arbitrary locations."
Attack vector
A local attacker running a crafted application at low integrity (code already inside a sandbox, or a binary deliberately started with reduced privileges for testing) creates a named object directory whose shadow is `GLOBAL??`. By placing a symbolic link or object directory inside that dummy directory, the attacker makes a DOS device name resolve to an arbitrary location (e.g., `\Device\NamedPipe\`) and sets a mount reparse point while that view of the namespace is in effect. Once the attacker's directory is released, the stored target resolves for a higher-privileged application to the real path, so the result is a mount point that a low-integrity caller should not have been able to create [2].
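The following Python is an added illustration, not code from the advisory or the PoC, of why a shadow object directory changes what the same stored path means: a lookup that misses in the attacker's dummy directory falls through to `\GLOBAL??`, while an entry placed in the dummy directory wins for as long as that directory exists. The directory contents, device names and the resolver are constructed for this example; the real object manager parser is considerably more involved (per-session DosDevices directories, reparse limits), and this model only captures the shadow fallback.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed model of DOS device directories with shadow fallback.
# Not Windows' own name-resolution code.


@dataclass
class SymLink:
    """Object manager symbolic link, e.g. C: -> \\Device\\HarddiskVolume2."""
    target: str


@dataclass
class ObjectDirectory:
    """Object directory with an optional shadow directory.

    A lookup that misses here falls through to the shadow, which is how a
    directory created with \\GLOBAL?? as its shadow inherits every drive
    letter except the ones it overrides.
    """
    entries: Dict[str, SymLink] = field(default_factory=dict)
    shadow: Optional["ObjectDirectory"] = None

    def insert(self, name: str, link: SymLink) -> None:
        self.entries[name.upper()] = link  # object names are case-insensitive

    def lookup(self, name: str) -> Optional[SymLink]:
        hit = self.entries.get(name.upper())
        if hit is None and self.shadow is not None:
            return self.shadow.lookup(name)
        return hit


DOS_PREFIX = "\\??\\"


def resolve_dos_path(dos_devices: ObjectDirectory, path: str) -> str:
    """Resolve \\??\\X:\\... to a native device path through the given
    DosDevices directory. Paths outside \\??\\ are returned unchanged."""
    if not path.upper().startswith(DOS_PREFIX):
        return path
    device, sep, tail = path[len(DOS_PREFIX):].partition("\\")
    link = dos_devices.lookup(device)
    if link is None:
        raise FileNotFoundError(f"no DOS device named {device!r}")
    return link.target.rstrip("\\") + ("\\" + tail if sep else "")


def build_global_dos_devices() -> ObjectDirectory:
    """Constructed stand-in for \\GLOBAL?? with two drive letters."""
    g = ObjectDirectory()
    g.insert("C:", SymLink("\\Device\\HarddiskVolume2"))
    g.insert("D:", SymLink("\\Device\\HarddiskVolume3"))
    return g


def attacker_view(global_dir: ObjectDirectory) -> ObjectDirectory:
    """Dummy directory shadowing \\GLOBAL?? that overrides only C:."""
    d = ObjectDirectory(shadow=global_dir)
    d.insert("C:", SymLink("\\Device\\NamedPipe\\"))
    return d


if __name__ == "__main__":
    g = build_global_dos_devices()
    a = attacker_view(g)
    stored_target = "\\??\\C:\\notreal"  # what the mount point records
    print("while dummy directory exists:", resolve_dos_path(a, stored_target))
    print("after it is released:       ", resolve_dos_path(g, stored_target))
    print("untouched D: falls through: ", resolve_dos_path(a, "\\??\\D:\\x"))
```

The point the model makes is that nothing in the stored string `\??\C:\notreal` changes; only the directory consulted to expand `C:` does, so a check performed under one view and an access performed under another see different objects.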
Affected code
The sandbox implementation in Microsoft Windows (Vista SP2 through Windows 10 1511) mishandles reparse points during mount point creation. The flaw lies in the interaction between object directories created with `NtCreateDirectoryObjectEx` (which accepts a shadow directory handle) and the `ProcessDeviceMap` restriction introduced by the fix for CVE-2015-2553: a low-integrity process can use such a shadow directory to get around that restriction [2].
What the fix does
The bulletin includes no patch diff and describes the fix only as correcting how Windows handles certain scenarios involving mount point creation [1]. What is known is that the vulnerability is a bypass of the CVE-2015-2553 fix: that fix limited `ProcessDeviceMap` for sandboxed callers, and the researcher showed that an object directory created with `NtCreateDirectoryObjectEx` and a shadow directory circumvents the limit [2]. Any effective remediation therefore has to stop low-integrity callers from using shadow object directories to create mount reparse points that redirect to locations the caller cannot otherwise write to.
Preconditions
- config: Attacker must be able to execute a crafted application at low integrity level (e.g., a process started with `psexec -l`, or code already running inside a low-integrity sandbox)
- input: Attacker must be able to create a named object directory (possible from most sandboxes, but not from the Chrome renderer sandbox)
- input: Attacker must have a directory on a local hard disk that is writable at low integrity (e.g., %LOCALAPPDATA%\Temp\Low)
- auth: Attacker must be a local user able to run arbitrary binaries
Reproduction
1. Extract the PoC archive (password 'password') to a location on a local hard disk that a normal user can write to.
2. Execute the PoC binary at low integrity, passing two arguments: a writable directory that will become the mount point (e.g., `c:\users\user\appdata\local\low\abc`) and an arbitrary path to set as its target (e.g., `c:\notreal`).
3. While the PoC runs, list the directory passed as the first argument to observe that the mount point was created successfully, which the CVE-2015-2553 mitigation should have prevented for a low-integrity user [2].
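As an added example (not the exploit-db PoC and not Microsoft's code), the Python below builds the mount-point reparse buffer that a PoC like the one above hands to FSCTL_SET_REPARSE_POINT to turn a directory into a junction whose target is `\??\C:\notreal`, parses such buffers back with bounds checks, and flags targets that are not ordinary drive-letter paths, which is what a forensic script walking extracted reparse data would do. The byte layout is the documented REPARSE_DATA_BUFFER one for IO_REPARSE_TAG_MOUNT_POINT; the triage rule, the sample buffers and the function names are constructed for this example and are not the check the kernel performs. It runs offline on bytes and sets no reparse points.

```python
import re
import struct
from typing import Dict, List, Optional

# Added example: REPARSE_DATA_BUFFER for an NTFS mount point (junction).
# Layout per the public definition; triage heuristic is constructed here.

IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003
HEADER = struct.Struct("<IHH")         # ReparseTag, ReparseDataLength, Reserved
MOUNT_FIELDS = struct.Struct("<HHHH")  # SubstituteName/PrintName Offset+Length


def build_mount_point(substitute_name: str, print_name: Optional[str] = None) -> bytes:
    """Serialise a mount-point reparse buffer. substitute_name is the NT path
    the kernel follows (e.g. '\\??\\C:\\notreal'); print_name is for display."""
    if print_name is None:
        print_name = substitute_name[4:] if substitute_name.startswith("\\??\\") else substitute_name
    sub = substitute_name.encode("utf-16-le")
    prn = print_name.encode("utf-16-le")
    # PathBuffer holds both names, each followed by a UTF-16 NUL.
    path_buffer = sub + b"\x00\x00" + prn + b"\x00\x00"
    body = MOUNT_FIELDS.pack(0, len(sub), len(sub) + 2, len(prn)) + path_buffer
    return HEADER.pack(IO_REPARSE_TAG_MOUNT_POINT, len(body), 0) + body


def parse_mount_point(buf: bytes) -> Dict[str, str]:
    """Parse a mount-point reparse buffer, rejecting other tags and name
    offsets that would read outside PathBuffer."""
    tag, data_len, _reserved = HEADER.unpack_from(buf, 0)
    if tag != IO_REPARSE_TAG_MOUNT_POINT:
        raise ValueError(f"not a mount point: tag 0x{tag:08X}")
    if len(buf) < HEADER.size + data_len or data_len < MOUNT_FIELDS.size:
        raise ValueError("truncated reparse buffer")
    sub_off, sub_len, prn_off, prn_len = MOUNT_FIELDS.unpack_from(buf, HEADER.size)
    path_buffer = buf[HEADER.size + MOUNT_FIELDS.size:HEADER.size + data_len]
    for off, ln in ((sub_off, sub_len), (prn_off, prn_len)):
        if off + ln > len(path_buffer) or ln % 2:
            raise ValueError("name offset/length outside PathBuffer")
    return {
        "substitute_name": path_buffer[sub_off:sub_off + sub_len].decode("utf-16-le"),
        "print_name": path_buffer[prn_off:prn_off + prn_len].decode("utf-16-le"),
    }


_VOLUME = re.compile(r"^\\\?\?\\[A-Za-z]:\\")  # \??\X:\...


def classify_target(substitute_name: str) -> str:
    """Constructed heuristic bucket: 'volume' for a drive-letter path,
    'device' for a raw \\Device or GLOBALROOT path, 'other' for the rest
    (UNC, \\??\\Volume{...})."""
    if _VOLUME.match(substitute_name):
        return "volume"
    up = substitute_name.upper()
    if up.startswith("\\DEVICE\\") or up.startswith("\\??\\GLOBALROOT\\"):
        return "device"
    return "other"


def suspicious_mount_points(buffers: List[bytes]) -> List[str]:
    """Substitute names of mount points whose target is not a plain
    drive-letter path; a junction under a low-integrity directory that
    points at a device object deserves a closer look."""
    flagged = []
    for buf in buffers:
        try:
            name = parse_mount_point(buf)["substitute_name"]
        except ValueError:
            continue  # not a mount point, e.g. a symlink reparse buffer
        if classify_target(name) != "volume":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed samples: the PoC's c:\notreal target and a device target.
    samples = [build_mount_point("\\??\\C:\\notreal"),
               build_mount_point("\\Device\\NamedPipe\\", "NamedPipe")]
    for s in samples:
        print(parse_mount_point(s))
    print("flagged:", suspicious_mount_points(samples))
```

The parser checks offsets against the end of PathBuffer before slicing because reparse data read from a raw $REPARSE_POINT attribute or an untrusted image is attacker-controlled; a buffer that passes the parser is still only as meaningful as the directory that will expand its `C:` prefix.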
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-008 (NVD: Patch, Vendor Advisory)
- [2] https://www.exploit-db.com/exploits/39311/ (NVD: Exploit, Third Party Advisory, VDB Entry)
- [3] https://www.securityfocus.com/bid/79882 (NVD: Third Party Advisory, VDB Entry)
- [4] https://www.securitytracker.com/id/1034645 (NVD: Third Party Advisory, VDB Entry)
News mentions
No linked articles in our index yet.