CVE-2021-28310

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 5, 2026 4 articles

VulnLookup ↗ NVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-24

53.95%

probability

This CVE has a 53.95% probability of being exploited in the next 30 days.

0% Top 98.0th percentile of all CVEs 100%

CVSS score unavailable

Neither CIRCL nor NVD returned a CVSS score for this CVE. View on VulnerabilityLookup ↗

Description

Project Zero

Out-of-bounds write vulnerability in dwmcore.dll

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-664 · Improper Control of a Resource Through its Lifetime CWE-787 · Out-of-bounds Write

Google Project Zero

Patched

April 13, 2021

Reported by

Boris Larin (Oct0xor) of Kaspersky Lab

Root Cause Analysis

???

Microsoft April 2021 Patch Tuesday fixes 108 flaws, 5 zero-days

BleepingComputer Apr 13, 2021

NSA Discovers New Vulnerabilities Affecting Microsoft Exchange Servers

TheHackerNews

Qualys Response to CISA Alert: Binding Operational Directive 22-01

Qualys Nov 09, 2021

April 2021 Patch Tuesday – 108 Vulnerabilities, 19 Critical, Adobe

Qualys Apr 14, 2021

Signal Intelligence

Confidenceⓘ

95%

EPSS 53.95%

Mentions 4

Last Seen Nov 09, 2021

CNA Information

Analyst Note

Auto-imported from Google Project Zero — confirmed zero-day by definition.

Threat Actors 6

Turla Group

apt_group Information theft and espionage Russian Federation

APT 29

apt_group Information theft and espionage 🇷🇺 RU

HAZY TIGER

apt_group Information theft and espionage 🇮🇳 IN

Roaming Mantis

apt_group 🇯🇵 JP

IronHusky

apt_group Information theft and espionage 🇨🇳 CN

WildPressure

apt_group Information theft and espionage UNKNOWN

Triage Info

Decided atMar 05, 2026