Erik Egsgard

BlackSwan - Exploiting a Gaggle of Windows Privilege Escalation Bugs

Abstract

During research this past spring, multiple privilege elevation vulnerabilities were discovered that affect all versions of Windows since Vista. Most of the vulnerabilities are memory corruption bugs and, despite modern mitigations, were easy to exploit. This talk will cover the discovery of the bugs and the techniques used to create reliable exploits.

The following vulnerabilities will be covered in this talk:

  • CVE-2021-34514 – privilege escalation bug in ntoskrnl.exe
  • CVE-2021-38629 – info leak in pacer.sys
  • CVE-2021-38628 – privilege escalation bug in tcpip.sys
  • CVE-2021-38638 – 3 privilege escalation bugs in afd.sys
  • CVE-2021-26442 – privilege escalation bug in https.sys

A common thread with these vulnerabilities is that they have been present in the Windows kernel since Windows Vista – almost 15 years. They were all found in just over a week-long time period while researching a side project. The talk will explore some of the areas of the Windows kernel that were investigated during the research and describe the details of the discovered vulnerabilities and how they can be exploited.

BIO

Erik Egsgard is a Principal Security Developer with Field Effect Software. With over 15 years' experience in the computer security field, he has found vulnerabilities across a wide range of software and operating systems, including Windows, macOS, iOS and Android.