The 2021 Pwnie Nominee For Best Server-Side Bug

UAF in HTTP.sys (CVE-2021-31166)

Researcher Names: mxms

Link: https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166

Remote use-after-free in the Windows kernel HTTP server. Yes, Microsoft is still running an HTTP server in the kernel, and it is 2021. This exploit proves that the driver has vulnerabilities that can be triggered by a 1-line PoC (https://github.com/0vercl0k/CVE-2021-31166/blob/main/cve-2021-31166.py). Did we mention that HTTP.sys is listening by default on many Windows services, even on client machines?