The US Cybersecurity and Infrastructure Security Agency (CISA) has put federal agencies on a tight deadline, requiring them to fix a critical vulnerability in Windows 10 by February 18th.
This is the vulnerability CVE-2022-21882 (7.0 points on the CVSS vulnerability rating scale), which CISA has added to its Known Exploited Vulnerabilities Catalog. CVE-2022-21882 is a vulnerability in Windows 10 that does not require high privileges to exploit. In the worst case, no user action is required for successful exploitation.
Microsoft fixed the vulnerability as part of Patch Tuesday in January 2022.
A PoC exploit for the vulnerability has been available for several weeks now. Its author is Gil Dabah, head of the privacy company Piiano, who discovered the problem two years ago. Having identified the problem, the researcher decided not to report it to Microsoft because he was angry at the company over late and insufficient bug bounty payments.
Microsoft listed RyeLv as the researcher who discovered the vulnerability. The researcher submitted his description of the type confusion vulnerability in win32k.sys on January 13, 2022.
CISA added the vulnerability to its catalog of known exploited vulnerabilities because it has already been used in attacks. Although the deadline for fixing the vulnerability applies only to federal agencies, CISA hopes that private companies will also install the patches.
As a reminder, we also reported that 0-day vulnerabilities in atmfd.dll endanger all versions of Windows, and that Google experts published an exploit for a critical bug in Windows 10.