Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Win32k EPATHOBJ::pprFlattenRec local privilege escalation

IdentifiersCVE-2013-3660CWE-824

CVE-2013-3660 is a local elevation-of-privilege vulnerability in the Win32k subsystem of Microsoft Windows, specifically in the kernel-mode driver win32k.sys. The flaw is in EPATHOBJ::pprFlattenRec, which does not properly initialize a pointer to the next object in a list. Under memory-pressure conditions, a local attacker can trigger excessive paged-memory consumption and then invoke FlattenPath repeatedly to obtain write access to the PATHRECORD chain. This corruption of kernel-managed path structures can be leveraged to alter kernel memory state and elevate privileges. Affected platforms listed in the provided content are Windows XP SP2/SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012. The issue is also referred to as the "Win32k Read AV Vulnerability."

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local user to escalate privileges by gaining kernel-level write capability over the PATHRECORD chain in win32k.sys. In practical terms, this can permit execution with elevated or SYSTEM privileges and potentially full compromise of the affected host. Because the flaw is in a kernel-mode component, impact can extend to arbitrary modification of security-relevant kernel data, disabling protections, installing persistent malware, or loading additional payloads with high integrity.

Mitigation

If you can’t patch tonight, do this now.

Because this is a local privilege-escalation vulnerability, mitigation focuses on reducing opportunities for local code execution before patching. Limit interactive logon and code execution on affected hosts, enforce application allowlisting, restrict untrusted users from obtaining local execution, and reduce exposure to initial-compromise vectors that could deliver a local exploit. Use least-privilege configurations, monitor for abnormal win32k-related exploit behavior and repeated FlattenPath-style activity where telemetry exists, and isolate or retire unsupported Windows versions that cannot receive fixes.

Remediation

Patch, then assume compromise.

Apply the Microsoft security update that addresses CVE-2013-3660 on all affected Windows systems. Prioritize legacy and unsupported systems identified in the content, including Windows XP, Server 2003, Vista, Server 2008, Windows 7, Windows 8, and Server 2012, where applicable support and patches exist. If systems are end-of-life and cannot be patched, migrate them to supported versions of Windows. Standard remediation should include verifying patch deployment across all affected builds and removing local administrator access where not required, since this is a local privilege-escalation issue.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 3 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 7operating_system
Microsoft CorporationWindows 8operating_system
Microsoft CorporationWindows Rtoperating_system
Microsoft CorporationWindows Server 2003operating_system
Microsoft CorporationWindows Server 2008operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Vistaoperating_system
Microsoft CorporationWindows Xpoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
mitre attackNews
Jan 24, 2026
Exploitation for Privilege Escalation, Technique T1068 - Enterprise | MITRE ATT&CK®

Windows local privilege escalation vulnerability targeted by FIN6 tooling to obtain kernel-level privileges.

Read more
mitre attackNews
Mar 18, 2026
Exploitation for Privilege Escalation, Technique T1068 - Enterprise | MITRE ATT&CK®

Windows local privilege escalation vulnerability targeted by FIN6.

Read more
mitre attackNews
Mar 18, 2026
Exploitation for Privilege Escalation, Technique T1068 - Enterprise | MITRE ATT&CK®

Windows local privilege escalation vulnerability targeted by FIN6 tooling to obtain kernel-level privileges.

Read more
blackhatNews
May 31, 2026

A vulnerability explicitly mentioned as being exploited by a Dyre Banking Trojan variant to obtain system privileges, but not otherwise described in this content.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2013-3660
NVD
nvd.nist.gov/vuln/detail/CVE-2013-3660
MITRE CWE · CWE-824
cwe.mitre.org
Patch
docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-053
Third Party Advisory
exploit-db.com/exploits/25611
Third Party Advisory
us-cert.gov/ncas/alerts/TA13-190A
Exploit
twitter.com/taviso/statuses/309157606247768064
Exploit
reddit.com/r/netsec/comments/1eqh66/0day_windows_kernel_epathobj_vulnerability
Press/Media Coverage
theverge.com/2013/5/23/4358400/google-engineer-bashes-microsoft-discloses-windows-flaw
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-3660