CVE-2021-38085
Description
The Canon TR150 print driver through 3.71.2.10 is vulnerable to a privilege escalation issue. During the add printer process, a local attacker can overwrite CNMurGE.dll and, if timed properly, the overwritten DLL will be loaded into a SYSTEM process resulting in escalation of privileges. This occurs because the driver drops a world-writable DLL into a CanonBJ %PROGRAMDATA% location that gets loaded by printisolationhost (a system process).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Canon/TR150 print driver
- Range: <=3.71.2.10
Patches
Vulnerability mechanics
Root cause
"The Canon TR150 print driver drops a world-writable DLL into %PROGRAMDATA% that is later loaded by a SYSTEM process (printisolationhost), enabling a local privilege escalation via DLL overwrite."
Attack vector
A local attacker with low privileges can exploit the add-printer process of the Canon TR150 driver. The driver places a world-writable DLL (CNMurGE.dll) in a CanonBJ folder under %PROGRAMDATA%. By overwriting this DLL with a malicious payload and timing the overwrite correctly, the attacker can cause printisolationhost (a SYSTEM process) to load the tampered DLL, resulting in privilege escalation to SYSTEM. [ref_id=1]
Affected code
The Canon TR150 print driver (through version 3.71.2.10) drops a world-writable DLL (CNMurGE.dll) into a CanonBJ %PROGRAMDATA% location during the add-printer process. This DLL is subsequently loaded by printisolationhost, a SYSTEM process.
What the fix does
The advisory does not include a published patch. The recommended remediation is for the vendor to stop placing world-writable DLLs in locations accessible to unprivileged users, or to ensure that any dropped DLL is not loaded by a higher-privileged process such as printisolationhost. Without a fix, the vulnerability remains exploitable on affected driver versions.
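With no published patch, a defender can check whether the condition described above exists on a host. The PowerShell audit below is an added example, not code from the advisory or from Canon; it assumes the driver folder is `%PROGRAMDATA%\CanonBJ` (the page does not give the full path), and the helper name `Get-BroadWriteAce` is hypothetical.

```powershell
# Added example: list DLLs and folders that low-privileged groups can write to.
param(
    # Assumption: the driver's folder is %PROGRAMDATA%\CanonBJ; pass -Root if it differs.
    [string]$Root = (Join-Path $env:ProgramData 'CanonBJ')
)

# Well-known SIDs of broad, low-privileged groups (locale-independent).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow replacing or modifying a file, or adding files to a folder.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor $R::TakeOwnership)
# Unmapped GENERIC_WRITE / GENERIC_ALL bits can appear on inherit-only ACEs.
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and
            ([int]$rule.FileSystemRights -band $WriteMask)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Root)) { Write-Output "Not found: $Root"; return }

# Check the root folder, every subfolder, and every DLL beneath it.
$targets = @(Get-Item -LiteralPath $Root -Force) +
    @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -or $_.Extension -ieq '.dll' })

$targets | ForEach-Object { Get-BroadWriteAce -Path $_.FullName } |
    Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
```

Any row naming `CNMurGE.dll` or its parent folder means a standard user can replace a DLL that printisolationhost loads; no output means none of the listed groups holds a write-type ACE under the folder.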
Preconditions
- config: The Canon TR150 print driver (version 3.71.2.10 or earlier) must be installed.
- auth: The attacker must have local low-privileged access to the Windows system.
- input: The attacker must be able to write to the world-writable CanonBJ %PROGRAMDATA% directory.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/163795/Canon-TR150-Driver-3.71.2.10-Privilege-Escalation.html (mitre, x_refsource_MISC)
- defcon.org/html/defcon-29/dc-29-speakers.html (mitre, x_refsource_MISC)
- raw.githubusercontent.com/jacob-baines/vuln_disclosure/main/vuln_2021_03.txt (mitre, x_refsource_MISC)
- www.youtube.com/watch (mitre, x_refsource_MISC)